Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 09:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe
-
Size
455KB
-
MD5
132ae24eab364be096189d52cbf94680
-
SHA1
8d2d80b8a8e707cd10663c54a075b4fd077c1e62
-
SHA256
d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77
-
SHA512
aa0d99d8bf4a9ab8261ec9d885502f98abd5fde05f7d27cb94a34826a08487409858886ead19bdd804d6ba7c8ce129a65db8eccc25fd927e86fb75bf7fb5b1c5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2308-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-40-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2836-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1204-99-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1204-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-158-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/1008-176-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1008-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-195-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1324-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1708-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-255-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2124-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-434-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/316-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1320-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1952-509-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2224-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-590-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2464-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1212-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1212-681-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2388-689-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2396-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/928-944-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1724-975-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1724-977-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2844-1157-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1844-1242-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2000-1253-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2340 q68888.exe 2992 vjvdd.exe 2524 22440.exe 2920 608800.exe 2836 jjvvv.exe 2900 pdvpj.exe 2732 202288.exe 2760 m0604.exe 2736 rfrfffl.exe 1204 pjvdj.exe 1868 2606224.exe 768 1nbhnn.exe 2448 04224.exe 1676 3rfrxrr.exe 1500 hbhhnt.exe 772 20280.exe 2956 vdpjp.exe 1008 5bnnhn.exe 2208 ttbbnt.exe 2436 pjjjd.exe 2808 3pdpj.exe 1324 a8662.exe 1952 xxxxxfr.exe 2044 rfxrflr.exe 1488 frfflfr.exe 1708 tnhntt.exe 2368 vjppv.exe 2124 8628846.exe 2560 ppvvd.exe 904 ppdpv.exe 2352 6482262.exe 2100 lxfflfl.exe 1668 08628.exe 2040 42062.exe 2892 o260662.exe 2856 llfllfx.exe 2936 60884.exe 2920 860688.exe 2280 82606.exe 2096 vjdjd.exe 2848 jpddv.exe 2752 dpdpv.exe 2384 8202444.exe 2724 hthhhh.exe 808 826460.exe 1908 8640888.exe 1116 60880.exe 2376 4206284.exe 768 jdppv.exe 1684 w44448.exe 1664 w24000.exe 2680 86884.exe 1744 1rrllrr.exe 468 5rxlxrr.exe 316 0800000.exe 2744 42002.exe 2216 vvpvj.exe 3024 604066.exe 2688 thnhnn.exe 1320 420628.exe 1764 86006.exe 1836 nnbnbh.exe 1368 nhtbbh.exe 1952 ppvdp.exe -
resource yara_rule behavioral1/memory/2308-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-136-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1676-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-312-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2856-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-509-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2224-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-590-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2464-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-689-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/2948-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-738-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2300-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-793-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2396-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-945-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-1032-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-1064-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-1132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-1158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-1190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-1253-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2252-1278-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4200262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2064440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i800288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c088444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o422062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4868446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
04020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o202442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2340 2308 d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe 31 PID 2308 wrote to memory of 2340 2308 d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe 31 PID 2308 wrote to memory of 2340 2308 d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe 31 PID 2308 wrote to memory of 2340 2308 d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe 31 PID 2340 wrote to memory of 2992 2340 q68888.exe 32 PID 2340 wrote to memory of 2992 2340 q68888.exe 32 PID 2340 wrote to memory of 2992 2340 q68888.exe 32 PID 2340 wrote to memory of 2992 2340 q68888.exe 32 PID 2992 wrote to memory of 2524 2992 vjvdd.exe 33 PID 2992 wrote to memory of 2524 2992 vjvdd.exe 33 PID 2992 wrote to memory of 2524 2992 vjvdd.exe 33 PID 2992 wrote to memory of 2524 2992 vjvdd.exe 33 PID 2524 wrote to memory of 2920 2524 22440.exe 34 PID 2524 wrote to memory of 2920 2524 22440.exe 34 PID 2524 wrote to memory of 2920 2524 22440.exe 34 PID 2524 wrote to memory of 2920 2524 22440.exe 34 PID 2920 wrote to memory of 2836 2920 608800.exe 35 PID 2920 wrote to memory of 2836 2920 608800.exe 35 PID 2920 wrote to memory of 2836 2920 608800.exe 35 PID 2920 wrote to memory of 2836 2920 608800.exe 35 PID 2836 wrote to memory of 2900 2836 jjvvv.exe 36 PID 2836 wrote to memory of 2900 2836 jjvvv.exe 36 PID 2836 wrote to memory of 2900 2836 jjvvv.exe 36 PID 2836 wrote to memory of 2900 2836 jjvvv.exe 36 PID 2900 wrote to memory of 2732 2900 pdvpj.exe 37 PID 2900 wrote to memory of 2732 2900 pdvpj.exe 37 PID 2900 wrote to memory of 2732 2900 pdvpj.exe 37 PID 2900 wrote to memory of 2732 2900 pdvpj.exe 37 PID 2732 wrote to memory of 2760 2732 202288.exe 38 PID 2732 wrote to memory of 2760 2732 202288.exe 38 PID 2732 wrote to memory of 2760 2732 202288.exe 38 PID 2732 wrote to memory of 2760 2732 202288.exe 38 PID 2760 wrote to memory of 2736 2760 m0604.exe 39 PID 2760 wrote to memory 
of 2736 2760 m0604.exe 39 PID 2760 wrote to memory of 2736 2760 m0604.exe 39 PID 2760 wrote to memory of 2736 2760 m0604.exe 39 PID 2736 wrote to memory of 1204 2736 rfrfffl.exe 40 PID 2736 wrote to memory of 1204 2736 rfrfffl.exe 40 PID 2736 wrote to memory of 1204 2736 rfrfffl.exe 40 PID 2736 wrote to memory of 1204 2736 rfrfffl.exe 40 PID 1204 wrote to memory of 1868 1204 pjvdj.exe 41 PID 1204 wrote to memory of 1868 1204 pjvdj.exe 41 PID 1204 wrote to memory of 1868 1204 pjvdj.exe 41 PID 1204 wrote to memory of 1868 1204 pjvdj.exe 41 PID 1868 wrote to memory of 768 1868 2606224.exe 42 PID 1868 wrote to memory of 768 1868 2606224.exe 42 PID 1868 wrote to memory of 768 1868 2606224.exe 42 PID 1868 wrote to memory of 768 1868 2606224.exe 42 PID 768 wrote to memory of 2448 768 1nbhnn.exe 43 PID 768 wrote to memory of 2448 768 1nbhnn.exe 43 PID 768 wrote to memory of 2448 768 1nbhnn.exe 43 PID 768 wrote to memory of 2448 768 1nbhnn.exe 43 PID 2448 wrote to memory of 1676 2448 04224.exe 44 PID 2448 wrote to memory of 1676 2448 04224.exe 44 PID 2448 wrote to memory of 1676 2448 04224.exe 44 PID 2448 wrote to memory of 1676 2448 04224.exe 44 PID 1676 wrote to memory of 1500 1676 3rfrxrr.exe 45 PID 1676 wrote to memory of 1500 1676 3rfrxrr.exe 45 PID 1676 wrote to memory of 1500 1676 3rfrxrr.exe 45 PID 1676 wrote to memory of 1500 1676 3rfrxrr.exe 45 PID 1500 wrote to memory of 772 1500 hbhhnt.exe 46 PID 1500 wrote to memory of 772 1500 hbhhnt.exe 46 PID 1500 wrote to memory of 772 1500 hbhhnt.exe 46 PID 1500 wrote to memory of 772 1500 hbhhnt.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe"C:\Users\Admin\AppData\Local\Temp\d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\q68888.exec:\q68888.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\vjvdd.exec:\vjvdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\22440.exec:\22440.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\608800.exec:\608800.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\jjvvv.exec:\jjvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\pdvpj.exec:\pdvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\202288.exec:\202288.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\m0604.exec:\m0604.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\rfrfffl.exec:\rfrfffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\pjvdj.exec:\pjvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\2606224.exec:\2606224.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\1nbhnn.exec:\1nbhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\04224.exec:\04224.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\3rfrxrr.exec:\3rfrxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\hbhhnt.exec:\hbhhnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\20280.exec:\20280.exe17⤵
- Executes dropped EXE
PID:772 -
\??\c:\vdpjp.exec:\vdpjp.exe18⤵
- Executes dropped EXE
PID:2956 -
\??\c:\5bnnhn.exec:\5bnnhn.exe19⤵
- Executes dropped EXE
PID:1008 -
\??\c:\ttbbnt.exec:\ttbbnt.exe20⤵
- Executes dropped EXE
PID:2208 -
\??\c:\pjjjd.exec:\pjjjd.exe21⤵
- Executes dropped EXE
PID:2436 -
\??\c:\3pdpj.exec:\3pdpj.exe22⤵
- Executes dropped EXE
PID:2808 -
\??\c:\a8662.exec:\a8662.exe23⤵
- Executes dropped EXE
PID:1324 -
\??\c:\xxxxxfr.exec:\xxxxxfr.exe24⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rfxrflr.exec:\rfxrflr.exe25⤵
- Executes dropped EXE
PID:2044 -
\??\c:\frfflfr.exec:\frfflfr.exe26⤵
- Executes dropped EXE
PID:1488 -
\??\c:\tnhntt.exec:\tnhntt.exe27⤵
- Executes dropped EXE
PID:1708 -
\??\c:\vjppv.exec:\vjppv.exe28⤵
- Executes dropped EXE
PID:2368 -
\??\c:\8628846.exec:\8628846.exe29⤵
- Executes dropped EXE
PID:2124 -
\??\c:\ppvvd.exec:\ppvvd.exe30⤵
- Executes dropped EXE
PID:2560 -
\??\c:\ppdpv.exec:\ppdpv.exe31⤵
- Executes dropped EXE
PID:904 -
\??\c:\6482262.exec:\6482262.exe32⤵
- Executes dropped EXE
PID:2352 -
\??\c:\lxfflfl.exec:\lxfflfl.exe33⤵
- Executes dropped EXE
PID:2100 -
\??\c:\08628.exec:\08628.exe34⤵
- Executes dropped EXE
PID:1668 -
\??\c:\42062.exec:\42062.exe35⤵
- Executes dropped EXE
PID:2040 -
\??\c:\o260662.exec:\o260662.exe36⤵
- Executes dropped EXE
PID:2892 -
\??\c:\llfllfx.exec:\llfllfx.exe37⤵
- Executes dropped EXE
PID:2856 -
\??\c:\60884.exec:\60884.exe38⤵
- Executes dropped EXE
PID:2936 -
\??\c:\860688.exec:\860688.exe39⤵
- Executes dropped EXE
PID:2920 -
\??\c:\82606.exec:\82606.exe40⤵
- Executes dropped EXE
PID:2280 -
\??\c:\vjdjd.exec:\vjdjd.exe41⤵
- Executes dropped EXE
PID:2096 -
\??\c:\jpddv.exec:\jpddv.exe42⤵
- Executes dropped EXE
PID:2848 -
\??\c:\dpdpv.exec:\dpdpv.exe43⤵
- Executes dropped EXE
PID:2752 -
\??\c:\8202444.exec:\8202444.exe44⤵
- Executes dropped EXE
PID:2384 -
\??\c:\hthhhh.exec:\hthhhh.exe45⤵
- Executes dropped EXE
PID:2724 -
\??\c:\826460.exec:\826460.exe46⤵
- Executes dropped EXE
PID:808 -
\??\c:\8640888.exec:\8640888.exe47⤵
- Executes dropped EXE
PID:1908 -
\??\c:\60880.exec:\60880.exe48⤵
- Executes dropped EXE
PID:1116 -
\??\c:\4206284.exec:\4206284.exe49⤵
- Executes dropped EXE
PID:2376 -
\??\c:\jdppv.exec:\jdppv.exe50⤵
- Executes dropped EXE
PID:768 -
\??\c:\w44448.exec:\w44448.exe51⤵
- Executes dropped EXE
PID:1684 -
\??\c:\w24000.exec:\w24000.exe52⤵
- Executes dropped EXE
PID:1664 -
\??\c:\86884.exec:\86884.exe53⤵
- Executes dropped EXE
PID:2680 -
\??\c:\1rrllrr.exec:\1rrllrr.exe54⤵
- Executes dropped EXE
PID:1744 -
\??\c:\5rxlxrr.exec:\5rxlxrr.exe55⤵
- Executes dropped EXE
PID:468 -
\??\c:\0800000.exec:\0800000.exe56⤵
- Executes dropped EXE
PID:316 -
\??\c:\42002.exec:\42002.exe57⤵
- Executes dropped EXE
PID:2744 -
\??\c:\vvpvj.exec:\vvpvj.exe58⤵
- Executes dropped EXE
PID:2216 -
\??\c:\604066.exec:\604066.exe59⤵
- Executes dropped EXE
PID:3024 -
\??\c:\thnhnn.exec:\thnhnn.exe60⤵
- Executes dropped EXE
PID:2688 -
\??\c:\420628.exec:\420628.exe61⤵
- Executes dropped EXE
PID:1320 -
\??\c:\86006.exec:\86006.exe62⤵
- Executes dropped EXE
PID:1764 -
\??\c:\nnbnbh.exec:\nnbnbh.exe63⤵
- Executes dropped EXE
PID:1836 -
\??\c:\nhtbbh.exec:\nhtbbh.exe64⤵
- Executes dropped EXE
PID:1368 -
\??\c:\ppvdp.exec:\ppvdp.exe65⤵
- Executes dropped EXE
PID:1952 -
\??\c:\26002.exec:\26002.exe66⤵PID:1152
-
\??\c:\e46000.exec:\e46000.exe67⤵PID:848
-
\??\c:\jjvvj.exec:\jjvvj.exe68⤵
- System Location Discovery: System Language Discovery
PID:2224 -
\??\c:\dvvpd.exec:\dvvpd.exe69⤵PID:2408
-
\??\c:\042244.exec:\042244.exe70⤵PID:2368
-
\??\c:\btnnnh.exec:\btnnnh.exe71⤵PID:2332
-
\??\c:\042882.exec:\042882.exe72⤵PID:2188
-
\??\c:\nthhbt.exec:\nthhbt.exe73⤵PID:1944
-
\??\c:\0806888.exec:\0806888.exe74⤵PID:904
-
\??\c:\vjvvv.exec:\vjvvv.exe75⤵PID:2568
-
\??\c:\tntnbt.exec:\tntnbt.exe76⤵PID:1652
-
\??\c:\ttnthh.exec:\ttnthh.exe77⤵PID:2788
-
\??\c:\pdppp.exec:\pdppp.exe78⤵PID:1540
-
\??\c:\dpdpp.exec:\dpdpp.exe79⤵PID:2464
-
\??\c:\3xlfffl.exec:\3xlfffl.exe80⤵PID:2664
-
\??\c:\9vjjj.exec:\9vjjj.exe81⤵PID:2976
-
\??\c:\k48888.exec:\k48888.exe82⤵PID:2860
-
\??\c:\k68844.exec:\k68844.exe83⤵PID:2740
-
\??\c:\6084606.exec:\6084606.exe84⤵PID:2964
-
\??\c:\1frrxxx.exec:\1frrxxx.exe85⤵PID:2728
-
\??\c:\thnnnt.exec:\thnnnt.exe86⤵PID:2700
-
\??\c:\82002.exec:\82002.exe87⤵PID:2772
-
\??\c:\jvdjv.exec:\jvdjv.exe88⤵PID:2136
-
\??\c:\9fxxxxr.exec:\9fxxxxr.exe89⤵PID:1212
-
\??\c:\288024.exec:\288024.exe90⤵PID:892
-
\??\c:\k46626.exec:\k46626.exe91⤵PID:2076
-
\??\c:\k02842.exec:\k02842.exe92⤵PID:1292
-
\??\c:\u026666.exec:\u026666.exe93⤵PID:2388
-
\??\c:\i822442.exec:\i822442.exe94⤵PID:1360
-
\??\c:\pvpjp.exec:\pvpjp.exe95⤵
- System Location Discovery: System Language Discovery
PID:1676 -
\??\c:\jvdjp.exec:\jvdjp.exe96⤵PID:2016
-
\??\c:\btnhnn.exec:\btnhnn.exe97⤵PID:2948
-
\??\c:\thnnbt.exec:\thnnbt.exe98⤵PID:2940
-
\??\c:\pdpvd.exec:\pdpvd.exe99⤵PID:2576
-
\??\c:\42406.exec:\42406.exe100⤵PID:2252
-
\??\c:\5dpvd.exec:\5dpvd.exe101⤵PID:3044
-
\??\c:\44664.exec:\44664.exe102⤵PID:2208
-
\??\c:\s6406.exec:\s6406.exe103⤵PID:328
-
\??\c:\48068.exec:\48068.exe104⤵PID:2300
-
\??\c:\htbttt.exec:\htbttt.exe105⤵PID:1320
-
\??\c:\8228206.exec:\8228206.exe106⤵PID:788
-
\??\c:\lfflflx.exec:\lfflflx.exe107⤵PID:1576
-
\??\c:\5ntttt.exec:\5ntttt.exe108⤵PID:2052
-
\??\c:\2684402.exec:\2684402.exe109⤵PID:2512
-
\??\c:\nhbbbb.exec:\nhbbbb.exe110⤵PID:1492
-
\??\c:\pdvvd.exec:\pdvvd.exe111⤵PID:1604
-
\??\c:\20262.exec:\20262.exe112⤵PID:1696
-
\??\c:\5vdvv.exec:\5vdvv.exe113⤵PID:2556
-
\??\c:\jjpvd.exec:\jjpvd.exe114⤵PID:2496
-
\??\c:\bnbbhb.exec:\bnbbhb.exe115⤵PID:1976
-
\??\c:\864806.exec:\864806.exe116⤵PID:2132
-
\??\c:\9lfxffl.exec:\9lfxffl.exe117⤵PID:2416
-
\??\c:\pjdjp.exec:\pjdjp.exe118⤵PID:2468
-
\??\c:\lxllrrx.exec:\lxllrrx.exe119⤵PID:2396
-
\??\c:\dpdjp.exec:\dpdjp.exe120⤵PID:2296
-
\??\c:\6422284.exec:\6422284.exe121⤵PID:2800
-
\??\c:\2028046.exec:\2028046.exe122⤵PID:2484