Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe
-
Size
454KB
-
MD5
aeb3c190dac5971025d1b8f4a57c12e4
-
SHA1
ad59702b6b3d3173081336020e60cd13247a119b
-
SHA256
55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5
-
SHA512
b56e49646a006fa22e6fde9852c8181c11c972e50ab361a559433804da71c54497d02ce3fd21d3498a770a2cb2693cb79b5ef77313c2f959068272abc9a0ef84
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2916-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-200-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2004-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-243-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2028-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1348-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1384-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-462-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2204-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1988-671-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-718-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1684-781-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-807-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2676-886-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2680-895-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2364-1114-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2772-1157-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2772-1158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-1167-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2640-1289-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2912 5dddd.exe 2124 lfrxflx.exe 2876 hntnht.exe 2772 08402.exe 2680 lffllxx.exe 2500 0400600.exe 332 btbhhn.exe 1988 vjjpd.exe 2228 6466666.exe 2400 5dpvv.exe 2600 9vdjp.exe 2856 5jdpp.exe 760 428448.exe 2864 7xrfflf.exe 2572 jvdpp.exe 3064 048466.exe 1856 1bttbh.exe 1724 08024.exe 2480 0484686.exe 2292 m2028.exe 1420 248422.exe 2004 2028802.exe 1952 nhtbhn.exe 1460 dvjpj.exe 1192 flxlxfl.exe 1888 202240.exe 2028 1bhntb.exe 2528 0888008.exe 568 u800228.exe 2368 82402.exe 1348 dppdp.exe 2036 1dpvj.exe 2968 btnnnn.exe 1612 800628.exe 2792 tntnth.exe 2944 g6060.exe 2956 xrllrxl.exe 2876 jvjpv.exe 2672 426688.exe 2492 20002.exe 2520 rrxlrxl.exe 584 0244046.exe 576 vpdpv.exe 2700 e86688.exe 2756 lfxrxfr.exe 2104 0868008.exe 2400 7vjpv.exe 3004 28488.exe 1764 vdpvp.exe 1452 080288.exe 1432 280066.exe 3028 rlxxlfr.exe 1384 26688.exe 2252 7lrrfff.exe 2432 dvppd.exe 2484 vpdpv.exe 2204 6006246.exe 2096 i282442.exe 1984 rfffxxr.exe 2292 s0440.exe 752 xrrlxxl.exe 1568 02002.exe 1416 4820280.exe 2388 i066666.exe -
resource yara_rule behavioral1/memory/2912-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2876-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-462-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2204-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-646-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1568-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-781-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/608-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-909-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-934-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-953-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-972-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2180-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-1052-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-1071-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-1158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-1167-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3060-1239-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2484046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6428880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2916 wrote to memory of 2912 2916 55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe 30 PID 2916 wrote to memory of 2912 2916 55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe 30 PID 2916 wrote to memory of 2912 2916 55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe 30 PID 2916 wrote to memory of 2912 2916 55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe 30 PID 2912 wrote to memory of 2124 2912 5dddd.exe 31 PID 2912 wrote to memory of 2124 2912 5dddd.exe 31 PID 2912 wrote to memory of 2124 2912 5dddd.exe 31 PID 2912 wrote to memory of 2124 2912 5dddd.exe 31 PID 2124 wrote to memory of 2876 2124 lfrxflx.exe 32 PID 2124 wrote to memory of 2876 2124 lfrxflx.exe 32 PID 2124 wrote to memory of 2876 2124 lfrxflx.exe 32 PID 2124 wrote to memory of 2876 2124 lfrxflx.exe 32 PID 2876 wrote to memory of 2772 2876 hntnht.exe 33 PID 2876 wrote to memory of 2772 2876 hntnht.exe 33 PID 2876 wrote to memory of 2772 2876 hntnht.exe 33 PID 2876 wrote to memory of 2772 2876 hntnht.exe 33 PID 2772 wrote to memory of 2680 2772 08402.exe 34 PID 2772 wrote to memory of 2680 2772 08402.exe 34 PID 2772 wrote to memory of 2680 2772 08402.exe 34 PID 2772 wrote to memory of 2680 2772 08402.exe 34 PID 2680 wrote to memory of 2500 2680 lffllxx.exe 35 PID 2680 wrote to memory of 2500 2680 lffllxx.exe 35 PID 2680 wrote to memory of 2500 2680 lffllxx.exe 35 PID 2680 wrote to memory of 2500 2680 lffllxx.exe 35 PID 2500 wrote to memory of 332 2500 0400600.exe 36 PID 2500 wrote to memory of 332 2500 0400600.exe 36 PID 2500 wrote to memory of 332 2500 0400600.exe 36 PID 2500 wrote to memory of 332 2500 0400600.exe 36 PID 332 wrote to memory of 1988 332 btbhhn.exe 37 PID 332 wrote to memory of 1988 332 btbhhn.exe 37 PID 332 wrote to memory of 1988 332 btbhhn.exe 37 PID 332 wrote to memory of 1988 332 btbhhn.exe 37 PID 1988 wrote to memory of 2228 1988 vjjpd.exe 38 PID 1988 wrote to 
memory of 2228 1988 vjjpd.exe 38 PID 1988 wrote to memory of 2228 1988 vjjpd.exe 38 PID 1988 wrote to memory of 2228 1988 vjjpd.exe 38 PID 2228 wrote to memory of 2400 2228 6466666.exe 39 PID 2228 wrote to memory of 2400 2228 6466666.exe 39 PID 2228 wrote to memory of 2400 2228 6466666.exe 39 PID 2228 wrote to memory of 2400 2228 6466666.exe 39 PID 2400 wrote to memory of 2600 2400 5dpvv.exe 40 PID 2400 wrote to memory of 2600 2400 5dpvv.exe 40 PID 2400 wrote to memory of 2600 2400 5dpvv.exe 40 PID 2400 wrote to memory of 2600 2400 5dpvv.exe 40 PID 2600 wrote to memory of 2856 2600 9vdjp.exe 41 PID 2600 wrote to memory of 2856 2600 9vdjp.exe 41 PID 2600 wrote to memory of 2856 2600 9vdjp.exe 41 PID 2600 wrote to memory of 2856 2600 9vdjp.exe 41 PID 2856 wrote to memory of 760 2856 5jdpp.exe 42 PID 2856 wrote to memory of 760 2856 5jdpp.exe 42 PID 2856 wrote to memory of 760 2856 5jdpp.exe 42 PID 2856 wrote to memory of 760 2856 5jdpp.exe 42 PID 760 wrote to memory of 2864 760 428448.exe 43 PID 760 wrote to memory of 2864 760 428448.exe 43 PID 760 wrote to memory of 2864 760 428448.exe 43 PID 760 wrote to memory of 2864 760 428448.exe 43 PID 2864 wrote to memory of 2572 2864 7xrfflf.exe 44 PID 2864 wrote to memory of 2572 2864 7xrfflf.exe 44 PID 2864 wrote to memory of 2572 2864 7xrfflf.exe 44 PID 2864 wrote to memory of 2572 2864 7xrfflf.exe 44 PID 2572 wrote to memory of 3064 2572 jvdpp.exe 45 PID 2572 wrote to memory of 3064 2572 jvdpp.exe 45 PID 2572 wrote to memory of 3064 2572 jvdpp.exe 45 PID 2572 wrote to memory of 3064 2572 jvdpp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe"C:\Users\Admin\AppData\Local\Temp\55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\5dddd.exec:\5dddd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\lfrxflx.exec:\lfrxflx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\hntnht.exec:\hntnht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\08402.exec:\08402.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\lffllxx.exec:\lffllxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\0400600.exec:\0400600.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\btbhhn.exec:\btbhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\vjjpd.exec:\vjjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\6466666.exec:\6466666.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\5dpvv.exec:\5dpvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\9vdjp.exec:\9vdjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\5jdpp.exec:\5jdpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\428448.exec:\428448.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\7xrfflf.exec:\7xrfflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\jvdpp.exec:\jvdpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\048466.exec:\048466.exe17⤵
- Executes dropped EXE
PID:3064 -
\??\c:\1bttbh.exec:\1bttbh.exe18⤵
- Executes dropped EXE
PID:1856 -
\??\c:\08024.exec:\08024.exe19⤵
- Executes dropped EXE
PID:1724 -
\??\c:\0484686.exec:\0484686.exe20⤵
- Executes dropped EXE
PID:2480 -
\??\c:\m2028.exec:\m2028.exe21⤵
- Executes dropped EXE
PID:2292 -
\??\c:\248422.exec:\248422.exe22⤵
- Executes dropped EXE
PID:1420 -
\??\c:\2028802.exec:\2028802.exe23⤵
- Executes dropped EXE
PID:2004 -
\??\c:\nhtbhn.exec:\nhtbhn.exe24⤵
- Executes dropped EXE
PID:1952 -
\??\c:\dvjpj.exec:\dvjpj.exe25⤵
- Executes dropped EXE
PID:1460 -
\??\c:\flxlxfl.exec:\flxlxfl.exe26⤵
- Executes dropped EXE
PID:1192 -
\??\c:\202240.exec:\202240.exe27⤵
- Executes dropped EXE
PID:1888 -
\??\c:\1bhntb.exec:\1bhntb.exe28⤵
- Executes dropped EXE
PID:2028 -
\??\c:\0888008.exec:\0888008.exe29⤵
- Executes dropped EXE
PID:2528 -
\??\c:\u800228.exec:\u800228.exe30⤵
- Executes dropped EXE
PID:568 -
\??\c:\82402.exec:\82402.exe31⤵
- Executes dropped EXE
PID:2368 -
\??\c:\dppdp.exec:\dppdp.exe32⤵
- Executes dropped EXE
PID:1348 -
\??\c:\1dpvj.exec:\1dpvj.exe33⤵
- Executes dropped EXE
PID:2036 -
\??\c:\btnnnn.exec:\btnnnn.exe34⤵
- Executes dropped EXE
PID:2968 -
\??\c:\800628.exec:\800628.exe35⤵
- Executes dropped EXE
PID:1612 -
\??\c:\tntnth.exec:\tntnth.exe36⤵
- Executes dropped EXE
PID:2792 -
\??\c:\g6060.exec:\g6060.exe37⤵
- Executes dropped EXE
PID:2944 -
\??\c:\xrllrxl.exec:\xrllrxl.exe38⤵
- Executes dropped EXE
PID:2956 -
\??\c:\jvjpv.exec:\jvjpv.exe39⤵
- Executes dropped EXE
PID:2876 -
\??\c:\426688.exec:\426688.exe40⤵
- Executes dropped EXE
PID:2672 -
\??\c:\20002.exec:\20002.exe41⤵
- Executes dropped EXE
PID:2492 -
\??\c:\rrxlrxl.exec:\rrxlrxl.exe42⤵
- Executes dropped EXE
PID:2520 -
\??\c:\0244046.exec:\0244046.exe43⤵
- Executes dropped EXE
PID:584 -
\??\c:\vpdpv.exec:\vpdpv.exe44⤵
- Executes dropped EXE
PID:576 -
\??\c:\e86688.exec:\e86688.exe45⤵
- Executes dropped EXE
PID:2700 -
\??\c:\lfxrxfr.exec:\lfxrxfr.exe46⤵
- Executes dropped EXE
PID:2756 -
\??\c:\0868008.exec:\0868008.exe47⤵
- Executes dropped EXE
PID:2104 -
\??\c:\7vjpv.exec:\7vjpv.exe48⤵
- Executes dropped EXE
PID:2400 -
\??\c:\28488.exec:\28488.exe49⤵
- Executes dropped EXE
PID:3004 -
\??\c:\vdpvp.exec:\vdpvp.exe50⤵
- Executes dropped EXE
PID:1764 -
\??\c:\080288.exec:\080288.exe51⤵
- Executes dropped EXE
PID:1452 -
\??\c:\280066.exec:\280066.exe52⤵
- Executes dropped EXE
PID:1432 -
\??\c:\rlxxlfr.exec:\rlxxlfr.exe53⤵
- Executes dropped EXE
PID:3028 -
\??\c:\26688.exec:\26688.exe54⤵
- Executes dropped EXE
PID:1384 -
\??\c:\7lrrfff.exec:\7lrrfff.exe55⤵
- Executes dropped EXE
PID:2252 -
\??\c:\dvppd.exec:\dvppd.exe56⤵
- Executes dropped EXE
PID:2432 -
\??\c:\vpdpv.exec:\vpdpv.exe57⤵
- Executes dropped EXE
PID:2484 -
\??\c:\6006246.exec:\6006246.exe58⤵
- Executes dropped EXE
PID:2204 -
\??\c:\i282442.exec:\i282442.exe59⤵
- Executes dropped EXE
PID:2096 -
\??\c:\rfffxxr.exec:\rfffxxr.exe60⤵
- Executes dropped EXE
PID:1984 -
\??\c:\s0440.exec:\s0440.exe61⤵
- Executes dropped EXE
PID:2292 -
\??\c:\xrrlxxl.exec:\xrrlxxl.exe62⤵
- Executes dropped EXE
PID:752 -
\??\c:\02002.exec:\02002.exe63⤵
- Executes dropped EXE
PID:1568 -
\??\c:\4820280.exec:\4820280.exe64⤵
- Executes dropped EXE
PID:1416 -
\??\c:\i066666.exec:\i066666.exe65⤵
- Executes dropped EXE
PID:2388 -
\??\c:\jdddd.exec:\jdddd.exe66⤵PID:1448
-
\??\c:\2024220.exec:\2024220.exe67⤵PID:1892
-
\??\c:\824444.exec:\824444.exe68⤵PID:928
-
\??\c:\5rffrlf.exec:\5rffrlf.exe69⤵PID:1500
-
\??\c:\002064.exec:\002064.exe70⤵PID:848
-
\??\c:\c004444.exec:\c004444.exe71⤵PID:1552
-
\??\c:\3llrxfx.exec:\3llrxfx.exe72⤵PID:824
-
\??\c:\242868.exec:\242868.exe73⤵PID:1960
-
\??\c:\c802446.exec:\c802446.exe74⤵PID:2444
-
\??\c:\642804.exec:\642804.exe75⤵PID:1356
-
\??\c:\002080.exec:\002080.exe76⤵PID:2808
-
\??\c:\dvjjd.exec:\dvjjd.exe77⤵PID:2972
-
\??\c:\7frrxxf.exec:\7frrxxf.exe78⤵PID:2632
-
\??\c:\tnbhtt.exec:\tnbhtt.exe79⤵PID:2024
-
\??\c:\xrxlxff.exec:\xrxlxff.exe80⤵PID:2540
-
\??\c:\rxrlrxx.exec:\rxrlrxx.exe81⤵PID:3024
-
\??\c:\7jpjd.exec:\7jpjd.exe82⤵PID:2708
-
\??\c:\fxrlfff.exec:\fxrlfff.exe83⤵PID:2712
-
\??\c:\nntbnh.exec:\nntbnh.exe84⤵PID:2780
-
\??\c:\1jvdj.exec:\1jvdj.exe85⤵PID:2500
-
\??\c:\826446.exec:\826446.exe86⤵PID:332
-
\??\c:\60880.exec:\60880.exe87⤵PID:1072
-
\??\c:\1nhnnb.exec:\1nhnnb.exe88⤵PID:1988
-
\??\c:\bthnnn.exec:\bthnnn.exe89⤵PID:2148
-
\??\c:\9bhbbb.exec:\9bhbbb.exe90⤵PID:804
-
\??\c:\2662046.exec:\2662046.exe91⤵PID:2104
-
\??\c:\nbtbbh.exec:\nbtbbh.exe92⤵PID:2400
-
\??\c:\22204.exec:\22204.exe93⤵PID:1752
-
\??\c:\5pvrx.exec:\5pvrx.exe94⤵PID:2648
-
\??\c:\1rlfxxl.exec:\1rlfxxl.exe95⤵PID:2884
-
\??\c:\5flrxff.exec:\5flrxff.exe96⤵PID:760
-
\??\c:\ffrxlrx.exec:\ffrxlrx.exe97⤵PID:3028
-
\??\c:\lfrrxrx.exec:\lfrrxrx.exe98⤵PID:1440
-
\??\c:\2022880.exec:\2022880.exe99⤵PID:3052
-
\??\c:\824648.exec:\824648.exe100⤵PID:2432
-
\??\c:\tnbbhn.exec:\tnbbhn.exe101⤵PID:2484
-
\??\c:\u020640.exec:\u020640.exe102⤵PID:2624
-
\??\c:\k20064.exec:\k20064.exe103⤵PID:1608
-
\??\c:\dvpdd.exec:\dvpdd.exe104⤵PID:1660
-
\??\c:\666424.exec:\666424.exe105⤵PID:2292
-
\??\c:\hthhbt.exec:\hthhbt.exe106⤵PID:2404
-
\??\c:\jdppd.exec:\jdppd.exe107⤵PID:1568
-
\??\c:\nhtthn.exec:\nhtthn.exe108⤵PID:1684
-
\??\c:\6422284.exec:\6422284.exe109⤵PID:1444
-
\??\c:\264628.exec:\264628.exe110⤵PID:656
-
\??\c:\7flrrxl.exec:\7flrrxl.exe111⤵PID:608
-
\??\c:\hbnntt.exec:\hbnntt.exe112⤵PID:2028
-
\??\c:\vjvpv.exec:\vjvpv.exe113⤵PID:1648
-
\??\c:\flrlrfx.exec:\flrlrfx.exe114⤵PID:328
-
\??\c:\602626.exec:\602626.exe115⤵PID:1924
-
\??\c:\q40428.exec:\q40428.exe116⤵PID:1188
-
\??\c:\5bnnnt.exec:\5bnnnt.exe117⤵PID:1348
-
\??\c:\06682.exec:\06682.exe118⤵PID:2384
-
\??\c:\3jvvv.exec:\3jvvv.exe119⤵PID:1356
-
\??\c:\ffrxxff.exec:\ffrxxff.exe120⤵PID:2392
-
\??\c:\w04462.exec:\w04462.exe121⤵PID:2972
-
\??\c:\486662.exec:\486662.exe122⤵PID:2776