Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 03:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe
-
Size
454KB
-
MD5
55bdcf0f8161835c7126612f1e14ab45
-
SHA1
b07903c26287a4e4541a940d1246b9fb28cad629
-
SHA256
ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563
-
SHA512
6be4bad5f0003ea20fa7b517d6bc9092e3328440afd26c01f66832d7f0e8ed9bd7ae414b687b57eae5e3ea69a2abf179f47712edfe58f2d3f2ad7ec46206d744
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2404-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-40-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2864-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-57-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/3020-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-96-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2984-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1172-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1172-114-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1444-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2044-168-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-310-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1264-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-347-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2976-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-443-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1976-461-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1788-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-480-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2448-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2660-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-636-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1828-703-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2428-749-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2428-748-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1876-771-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2428-770-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2712-916-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2772-924-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1544-993-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1268 88820.exe 1760 nhbbhh.exe 2216 3frrxff.exe 2120 flffxxl.exe 2864 vvpvj.exe 2828 fxxxlrl.exe 3020 6420886.exe 2764 ffrflrx.exe 2740 260684.exe 2984 vpjvd.exe 1172 9fxfrrx.exe 1444 vpdjp.exe 796 48240.exe 784 04824.exe 1960 080666.exe 1032 82468.exe 2044 vvjpd.exe 2748 04684.exe 2336 vvvdp.exe 2056 04880.exe 2236 c084006.exe 968 7fffxfl.exe 1876 8264064.exe 1564 8200680.exe 1312 8400846.exe 2312 bbhhnt.exe 1980 xlxfllr.exe 2292 i646840.exe 2324 3jdvp.exe 1676 68068.exe 2404 o602064.exe 2432 20440.exe 1736 8222880.exe 1264 826244.exe 2892 48222.exe 2956 o088444.exe 2820 btnbhb.exe 2976 602800.exe 2992 fxrlrrx.exe 2848 vpdjp.exe 2712 2240284.exe 2780 646804.exe 2724 c466222.exe 2140 2606462.exe 772 204444.exe 2888 1jpdd.exe 1444 dvdvj.exe 1508 48664.exe 1716 08242.exe 592 1lffllx.exe 2376 bnbtbb.exe 1976 7jddj.exe 636 q00262.exe 2076 lxlfrlx.exe 2200 624062.exe 2112 dpvpj.exe 1788 nthhtb.exe 2172 rrlrllr.exe 1880 nhttbb.exe 1884 vvppj.exe 1572 xrfxflx.exe 860 rxrfrfx.exe 1564 086626.exe 2448 pdppv.exe -
resource yara_rule behavioral1/memory/2404-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-281-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2404-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-395-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/772-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-838-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-863-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3008-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-909-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-917-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-944-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxrrf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8202062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q22266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6422884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4480864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpvj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2404 wrote to memory of 1268 2404 ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe 30 PID 2404 wrote to memory of 1268 2404 ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe 30 PID 2404 wrote to memory of 1268 2404 ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe 30 PID 2404 wrote to memory of 1268 2404 ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe 30 PID 1268 wrote to memory of 1760 1268 88820.exe 31 PID 1268 wrote to memory of 1760 1268 88820.exe 31 PID 1268 wrote to memory of 1760 1268 88820.exe 31 PID 1268 wrote to memory of 1760 1268 88820.exe 31 PID 1760 wrote to memory of 2216 1760 nhbbhh.exe 32 PID 1760 wrote to memory of 2216 1760 nhbbhh.exe 32 PID 1760 wrote to memory of 2216 1760 nhbbhh.exe 32 PID 1760 wrote to memory of 2216 1760 nhbbhh.exe 32 PID 2216 wrote to memory of 2120 2216 3frrxff.exe 33 PID 2216 wrote to memory of 2120 2216 3frrxff.exe 33 PID 2216 wrote to memory of 2120 2216 3frrxff.exe 33 PID 2216 wrote to memory of 2120 2216 3frrxff.exe 33 PID 2120 wrote to memory of 2864 2120 flffxxl.exe 34 PID 2120 wrote to memory of 2864 2120 flffxxl.exe 34 PID 2120 wrote to memory of 2864 2120 flffxxl.exe 34 PID 2120 wrote to memory of 2864 2120 flffxxl.exe 34 PID 2864 wrote to memory of 2828 2864 vvpvj.exe 35 PID 2864 wrote to memory of 2828 2864 vvpvj.exe 35 PID 2864 wrote to memory of 2828 2864 vvpvj.exe 35 PID 2864 wrote to memory of 2828 2864 vvpvj.exe 35 PID 2828 wrote to memory of 3020 2828 fxxxlrl.exe 36 PID 2828 wrote to memory of 3020 2828 fxxxlrl.exe 36 PID 2828 wrote to memory of 3020 2828 fxxxlrl.exe 36 PID 2828 wrote to memory of 3020 2828 fxxxlrl.exe 36 PID 3020 wrote to memory of 2764 3020 6420886.exe 37 PID 3020 wrote to memory of 2764 3020 6420886.exe 37 PID 3020 wrote to memory of 2764 3020 6420886.exe 37 PID 3020 wrote to memory of 2764 3020 6420886.exe 37 PID 2764 wrote to memory of 2740 2764 ffrflrx.exe 38 PID 
2764 wrote to memory of 2740 2764 ffrflrx.exe 38 PID 2764 wrote to memory of 2740 2764 ffrflrx.exe 38 PID 2764 wrote to memory of 2740 2764 ffrflrx.exe 38 PID 2740 wrote to memory of 2984 2740 260684.exe 39 PID 2740 wrote to memory of 2984 2740 260684.exe 39 PID 2740 wrote to memory of 2984 2740 260684.exe 39 PID 2740 wrote to memory of 2984 2740 260684.exe 39 PID 2984 wrote to memory of 1172 2984 vpjvd.exe 40 PID 2984 wrote to memory of 1172 2984 vpjvd.exe 40 PID 2984 wrote to memory of 1172 2984 vpjvd.exe 40 PID 2984 wrote to memory of 1172 2984 vpjvd.exe 40 PID 1172 wrote to memory of 1444 1172 9fxfrrx.exe 41 PID 1172 wrote to memory of 1444 1172 9fxfrrx.exe 41 PID 1172 wrote to memory of 1444 1172 9fxfrrx.exe 41 PID 1172 wrote to memory of 1444 1172 9fxfrrx.exe 41 PID 1444 wrote to memory of 796 1444 vpdjp.exe 42 PID 1444 wrote to memory of 796 1444 vpdjp.exe 42 PID 1444 wrote to memory of 796 1444 vpdjp.exe 42 PID 1444 wrote to memory of 796 1444 vpdjp.exe 42 PID 796 wrote to memory of 784 796 48240.exe 43 PID 796 wrote to memory of 784 796 48240.exe 43 PID 796 wrote to memory of 784 796 48240.exe 43 PID 796 wrote to memory of 784 796 48240.exe 43 PID 784 wrote to memory of 1960 784 04824.exe 44 PID 784 wrote to memory of 1960 784 04824.exe 44 PID 784 wrote to memory of 1960 784 04824.exe 44 PID 784 wrote to memory of 1960 784 04824.exe 44 PID 1960 wrote to memory of 1032 1960 080666.exe 45 PID 1960 wrote to memory of 1032 1960 080666.exe 45 PID 1960 wrote to memory of 1032 1960 080666.exe 45 PID 1960 wrote to memory of 1032 1960 080666.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe"C:\Users\Admin\AppData\Local\Temp\ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\88820.exec:\88820.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\nhbbhh.exec:\nhbbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\3frrxff.exec:\3frrxff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\flffxxl.exec:\flffxxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\vvpvj.exec:\vvpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\fxxxlrl.exec:\fxxxlrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\6420886.exec:\6420886.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\ffrflrx.exec:\ffrflrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\260684.exec:\260684.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\vpjvd.exec:\vpjvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\9fxfrrx.exec:\9fxfrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\vpdjp.exec:\vpdjp.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\48240.exec:\48240.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\04824.exec:\04824.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\080666.exec:\080666.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\82468.exec:\82468.exe17⤵
- Executes dropped EXE
PID:1032 -
\??\c:\vvjpd.exec:\vvjpd.exe18⤵
- Executes dropped EXE
PID:2044 -
\??\c:\04684.exec:\04684.exe19⤵
- Executes dropped EXE
PID:2748 -
\??\c:\vvvdp.exec:\vvvdp.exe20⤵
- Executes dropped EXE
PID:2336 -
\??\c:\04880.exec:\04880.exe21⤵
- Executes dropped EXE
PID:2056 -
\??\c:\c084006.exec:\c084006.exe22⤵
- Executes dropped EXE
PID:2236 -
\??\c:\7fffxfl.exec:\7fffxfl.exe23⤵
- Executes dropped EXE
PID:968 -
\??\c:\8264064.exec:\8264064.exe24⤵
- Executes dropped EXE
PID:1876 -
\??\c:\8200680.exec:\8200680.exe25⤵
- Executes dropped EXE
PID:1564 -
\??\c:\8400846.exec:\8400846.exe26⤵
- Executes dropped EXE
PID:1312 -
\??\c:\bbhhnt.exec:\bbhhnt.exe27⤵
- Executes dropped EXE
PID:2312 -
\??\c:\xlxfllr.exec:\xlxfllr.exe28⤵
- Executes dropped EXE
PID:1980 -
\??\c:\i646840.exec:\i646840.exe29⤵
- Executes dropped EXE
PID:2292 -
\??\c:\3jdvp.exec:\3jdvp.exe30⤵
- Executes dropped EXE
PID:2324 -
\??\c:\68068.exec:\68068.exe31⤵
- Executes dropped EXE
PID:1676 -
\??\c:\o602064.exec:\o602064.exe32⤵
- Executes dropped EXE
PID:2404 -
\??\c:\20440.exec:\20440.exe33⤵
- Executes dropped EXE
PID:2432 -
\??\c:\8222880.exec:\8222880.exe34⤵
- Executes dropped EXE
PID:1736 -
\??\c:\826244.exec:\826244.exe35⤵
- Executes dropped EXE
PID:1264 -
\??\c:\48222.exec:\48222.exe36⤵
- Executes dropped EXE
PID:2892 -
\??\c:\o088444.exec:\o088444.exe37⤵
- Executes dropped EXE
PID:2956 -
\??\c:\btnbhb.exec:\btnbhb.exe38⤵
- Executes dropped EXE
PID:2820 -
\??\c:\602800.exec:\602800.exe39⤵
- Executes dropped EXE
PID:2976 -
\??\c:\fxrlrrx.exec:\fxrlrrx.exe40⤵
- Executes dropped EXE
PID:2992 -
\??\c:\vpdjp.exec:\vpdjp.exe41⤵
- Executes dropped EXE
PID:2848 -
\??\c:\2240284.exec:\2240284.exe42⤵
- Executes dropped EXE
PID:2712 -
\??\c:\646804.exec:\646804.exe43⤵
- Executes dropped EXE
PID:2780 -
\??\c:\c466222.exec:\c466222.exe44⤵
- Executes dropped EXE
PID:2724 -
\??\c:\2606462.exec:\2606462.exe45⤵
- Executes dropped EXE
PID:2140 -
\??\c:\204444.exec:\204444.exe46⤵
- Executes dropped EXE
PID:772 -
\??\c:\1jpdd.exec:\1jpdd.exe47⤵
- Executes dropped EXE
PID:2888 -
\??\c:\dvdvj.exec:\dvdvj.exe48⤵
- Executes dropped EXE
PID:1444 -
\??\c:\48664.exec:\48664.exe49⤵
- Executes dropped EXE
PID:1508 -
\??\c:\08242.exec:\08242.exe50⤵
- Executes dropped EXE
PID:1716 -
\??\c:\1lffllx.exec:\1lffllx.exe51⤵
- Executes dropped EXE
PID:592 -
\??\c:\bnbtbb.exec:\bnbtbb.exe52⤵
- Executes dropped EXE
PID:2376 -
\??\c:\7jddj.exec:\7jddj.exe53⤵
- Executes dropped EXE
PID:1976 -
\??\c:\q00262.exec:\q00262.exe54⤵
- Executes dropped EXE
PID:636 -
\??\c:\lxlfrlx.exec:\lxlfrlx.exe55⤵
- Executes dropped EXE
PID:2076 -
\??\c:\624062.exec:\624062.exe56⤵
- Executes dropped EXE
PID:2200 -
\??\c:\dpvpj.exec:\dpvpj.exe57⤵
- Executes dropped EXE
PID:2112 -
\??\c:\nthhtb.exec:\nthhtb.exe58⤵
- Executes dropped EXE
PID:1788 -
\??\c:\rrlrllr.exec:\rrlrllr.exe59⤵
- Executes dropped EXE
PID:2172 -
\??\c:\nhttbb.exec:\nhttbb.exe60⤵
- Executes dropped EXE
PID:1880 -
\??\c:\vvppj.exec:\vvppj.exe61⤵
- Executes dropped EXE
PID:1884 -
\??\c:\xrfxflx.exec:\xrfxflx.exe62⤵
- Executes dropped EXE
PID:1572 -
\??\c:\rxrfrfx.exec:\rxrfrfx.exe63⤵
- Executes dropped EXE
PID:860 -
\??\c:\086626.exec:\086626.exe64⤵
- Executes dropped EXE
PID:1564 -
\??\c:\pdppv.exec:\pdppv.exe65⤵
- Executes dropped EXE
PID:2448 -
\??\c:\ttnthn.exec:\ttnthn.exe66⤵PID:1984
-
\??\c:\42844.exec:\42844.exe67⤵PID:2088
-
\??\c:\fxrrflx.exec:\fxrrflx.exe68⤵PID:1700
-
\??\c:\60224.exec:\60224.exe69⤵PID:2292
-
\??\c:\5pvdj.exec:\5pvdj.exe70⤵PID:1728
-
\??\c:\202844.exec:\202844.exe71⤵PID:1296
-
\??\c:\4804040.exec:\4804040.exe72⤵PID:1512
-
\??\c:\tnbbhh.exec:\tnbbhh.exe73⤵PID:2548
-
\??\c:\864028.exec:\864028.exe74⤵PID:1040
-
\??\c:\s4228.exec:\s4228.exe75⤵PID:2660
-
\??\c:\424628.exec:\424628.exe76⤵PID:2368
-
\??\c:\5dvpv.exec:\5dvpv.exe77⤵PID:1264
-
\??\c:\2684002.exec:\2684002.exe78⤵PID:2960
-
\??\c:\0006426.exec:\0006426.exe79⤵PID:2968
-
\??\c:\ffxlrxl.exec:\ffxlrxl.exe80⤵PID:2868
-
\??\c:\pvjdp.exec:\pvjdp.exe81⤵PID:2136
-
\??\c:\hbtttb.exec:\hbtttb.exe82⤵PID:2732
-
\??\c:\240460.exec:\240460.exe83⤵PID:2896
-
\??\c:\9xlxffr.exec:\9xlxffr.exe84⤵PID:2884
-
\??\c:\nhnnbb.exec:\nhnnbb.exe85⤵PID:2752
-
\??\c:\jvjpv.exec:\jvjpv.exe86⤵PID:2740
-
\??\c:\5xffffl.exec:\5xffffl.exe87⤵PID:2984
-
\??\c:\bthhhh.exec:\bthhhh.exe88⤵PID:1956
-
\??\c:\7thtbt.exec:\7thtbt.exe89⤵PID:700
-
\??\c:\42062.exec:\42062.exe90⤵PID:1336
-
\??\c:\vvjjp.exec:\vvjjp.exe91⤵PID:292
-
\??\c:\q80440.exec:\q80440.exe92⤵PID:1732
-
\??\c:\8084402.exec:\8084402.exe93⤵PID:1500
-
\??\c:\dvppv.exec:\dvppv.exe94⤵PID:1828
-
\??\c:\9pjjv.exec:\9pjjv.exe95⤵PID:1744
-
\??\c:\rfrlfxx.exec:\rfrlfxx.exe96⤵PID:3040
-
\??\c:\646660.exec:\646660.exe97⤵PID:1724
-
\??\c:\xrflxrr.exec:\xrflxrr.exe98⤵PID:2460
-
\??\c:\nhbhtn.exec:\nhbhtn.exe99⤵PID:964
-
\??\c:\660204.exec:\660204.exe100⤵PID:2392
-
\??\c:\1djdp.exec:\1djdp.exe101⤵PID:2428
-
\??\c:\82002.exec:\82002.exe102⤵PID:2692
-
\??\c:\646244.exec:\646244.exe103⤵PID:356
-
\??\c:\k82844.exec:\k82844.exe104⤵PID:968
-
\??\c:\1pddj.exec:\1pddj.exe105⤵PID:1876
-
\??\c:\488244.exec:\488244.exe106⤵PID:1572
-
\??\c:\8244440.exec:\8244440.exe107⤵PID:864
-
\??\c:\6462440.exec:\6462440.exe108⤵PID:1792
-
\??\c:\hbhhhh.exec:\hbhhhh.exe109⤵PID:2312
-
\??\c:\5pvpp.exec:\5pvpp.exe110⤵PID:2352
-
\??\c:\4240006.exec:\4240006.exe111⤵PID:1776
-
\??\c:\btnnbb.exec:\btnnbb.exe112⤵PID:920
-
\??\c:\w04686.exec:\w04686.exe113⤵PID:1892
-
\??\c:\5ddvp.exec:\5ddvp.exe114⤵PID:1948
-
\??\c:\3vjvv.exec:\3vjvv.exe115⤵PID:2420
-
\??\c:\i688484.exec:\i688484.exe116⤵PID:2404
-
\??\c:\rfrxxll.exec:\rfrxxll.exe117⤵PID:2280
-
\??\c:\xrlrflf.exec:\xrlrflf.exe118⤵PID:2528
-
\??\c:\pvvvd.exec:\pvvvd.exe119⤵PID:1964
-
\??\c:\4800006.exec:\4800006.exe120⤵PID:2800
-
\??\c:\3dvvd.exec:\3dvvd.exe121⤵PID:2952
-
\??\c:\208800.exec:\208800.exe122⤵PID:2816