Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
28/03/2025, 20:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe
-
Size
456KB
-
MD5
b8b06189ddbb0454b6b3fd2c8261bd22
-
SHA1
a011dc28a25e5eef6deb7470f087a9a6f63d158b
-
SHA256
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb
-
SHA512
e25cd2652e59b314e54b4920690f697dcec1f66eee3cb7eddeb3934577f6b9afe94ac2f54d16dcce91727f56ef7753bb8106d0d91ba09ae8e62cf44372de4d4b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeSi:q7Tc2NYHUrAwfMp3CDSi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2432-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1224-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1376-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2332-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1880-293-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1508-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-657-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1512-702-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2928-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-721-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/2956-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/604-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-1168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-1188-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1376-1263-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1224 hho286.exe 2408 xfxfxll.exe 2516 8202880.exe 2684 ddvdj.exe 2736 660800.exe 2904 0046408.exe 2872 llxflrf.exe 2752 bbbnbh.exe 2616 fffflxl.exe 2592 48080.exe 1920 ppjvj.exe 3064 lflrxrf.exe 2284 ppdvv.exe 2028 00682.exe 1188 c688440.exe 1512 202806.exe 1768 20884.exe 1376 642288.exe 2952 rfxxxxf.exe 1584 5pjjj.exe 2132 028444.exe 2092 w44066.exe 1708 1xlrfxf.exe 3000 9xxxffl.exe 696 42484.exe 1780 6688008.exe 2052 rfrxllx.exe 548 7hnntb.exe 1964 dvpjj.exe 1752 204066.exe 2164 4240224.exe 2332 000426.exe 1880 1tbthb.exe 1508 9rxlflr.exe 1736 6080668.exe 2408 q08222.exe 2404 nbhbhb.exe 2444 vvpvd.exe 2552 fxrxffr.exe 2808 3nnhhh.exe 2732 jdppp.exe 2724 pvjvj.exe 2628 xlfflrx.exe 2616 bhnttt.exe 2608 9pdvd.exe 2592 tbhbnn.exe 2032 5vppp.exe 2296 2466224.exe 2840 86884.exe 2816 q86622.exe 2028 860026.exe 1836 3jppp.exe 1124 206628.exe 1116 0888880.exe 1940 lfxfffl.exe 1128 864400.exe 2856 w88400.exe 1804 5bbnbb.exe 2688 020066.exe 2156 pdjpd.exe 2336 3jddj.exe 1868 vpjpd.exe 2116 pjvvd.exe 408 7pjjj.exe -
resource yara_rule behavioral1/memory/1224-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-287-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1508-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-777-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/604-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/604-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-901-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-983-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-1015-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-1060-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-1085-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-1098-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-1111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-1131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-1168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-1283-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q86622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
ffrxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k46666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxllr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2432 wrote to memory of 1224 2432 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 30 PID 2432 wrote to memory of 1224 2432 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 30 PID 2432 wrote to memory of 1224 2432 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 30 PID 2432 wrote to memory of 1224 2432 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 30 PID 1224 wrote to memory of 2408 1224 hho286.exe 31 PID 1224 wrote to memory of 2408 1224 hho286.exe 31 PID 1224 wrote to memory of 2408 1224 hho286.exe 31 PID 1224 wrote to memory of 2408 1224 hho286.exe 31 PID 2408 wrote to memory of 2516 2408 xfxfxll.exe 32 PID 2408 wrote to memory of 2516 2408 xfxfxll.exe 32 PID 2408 wrote to memory of 2516 2408 xfxfxll.exe 32 PID 2408 wrote to memory of 2516 2408 xfxfxll.exe 32 PID 2516 wrote to memory of 2684 2516 8202880.exe 33 PID 2516 wrote to memory of 2684 2516 8202880.exe 33 PID 2516 wrote to memory of 2684 2516 8202880.exe 33 PID 2516 wrote to memory of 2684 2516 8202880.exe 33 PID 2684 wrote to memory of 2736 2684 ddvdj.exe 34 PID 2684 wrote to memory of 2736 2684 ddvdj.exe 34 PID 2684 wrote to memory of 2736 2684 ddvdj.exe 34 PID 2684 wrote to memory of 2736 2684 ddvdj.exe 34 PID 2736 wrote to memory of 2904 2736 660800.exe 35 PID 2736 wrote to memory of 2904 2736 660800.exe 35 PID 2736 wrote to memory of 2904 2736 660800.exe 35 PID 2736 wrote to memory of 2904 2736 660800.exe 35 PID 2904 wrote to memory of 2872 2904 0046408.exe 36 PID 2904 wrote to memory of 2872 2904 0046408.exe 36 PID 2904 wrote to memory of 2872 2904 0046408.exe 36 PID 2904 wrote to memory of 2872 2904 0046408.exe 36 PID 2872 wrote to memory of 2752 2872 llxflrf.exe 37 PID 2872 wrote to memory of 2752 2872 llxflrf.exe 37 PID 2872 wrote to memory of 2752 2872 llxflrf.exe 37 PID 2872 wrote to memory of 2752 2872 llxflrf.exe 37 PID 2752 wrote to memory of 2616 2752 bbbnbh.exe 38 
PID 2752 wrote to memory of 2616 2752 bbbnbh.exe 38 PID 2752 wrote to memory of 2616 2752 bbbnbh.exe 38 PID 2752 wrote to memory of 2616 2752 bbbnbh.exe 38 PID 2616 wrote to memory of 2592 2616 fffflxl.exe 39 PID 2616 wrote to memory of 2592 2616 fffflxl.exe 39 PID 2616 wrote to memory of 2592 2616 fffflxl.exe 39 PID 2616 wrote to memory of 2592 2616 fffflxl.exe 39 PID 2592 wrote to memory of 1920 2592 48080.exe 40 PID 2592 wrote to memory of 1920 2592 48080.exe 40 PID 2592 wrote to memory of 1920 2592 48080.exe 40 PID 2592 wrote to memory of 1920 2592 48080.exe 40 PID 1920 wrote to memory of 3064 1920 ppjvj.exe 41 PID 1920 wrote to memory of 3064 1920 ppjvj.exe 41 PID 1920 wrote to memory of 3064 1920 ppjvj.exe 41 PID 1920 wrote to memory of 3064 1920 ppjvj.exe 41 PID 3064 wrote to memory of 2284 3064 lflrxrf.exe 42 PID 3064 wrote to memory of 2284 3064 lflrxrf.exe 42 PID 3064 wrote to memory of 2284 3064 lflrxrf.exe 42 PID 3064 wrote to memory of 2284 3064 lflrxrf.exe 42 PID 2284 wrote to memory of 2028 2284 ppdvv.exe 43 PID 2284 wrote to memory of 2028 2284 ppdvv.exe 43 PID 2284 wrote to memory of 2028 2284 ppdvv.exe 43 PID 2284 wrote to memory of 2028 2284 ppdvv.exe 43 PID 2028 wrote to memory of 1188 2028 00682.exe 44 PID 2028 wrote to memory of 1188 2028 00682.exe 44 PID 2028 wrote to memory of 1188 2028 00682.exe 44 PID 2028 wrote to memory of 1188 2028 00682.exe 44 PID 1188 wrote to memory of 1512 1188 c688440.exe 45 PID 1188 wrote to memory of 1512 1188 c688440.exe 45 PID 1188 wrote to memory of 1512 1188 c688440.exe 45 PID 1188 wrote to memory of 1512 1188 c688440.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe"C:\Users\Admin\AppData\Local\Temp\52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\hho286.exec:\hho286.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\xfxfxll.exec:\xfxfxll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\8202880.exec:\8202880.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\ddvdj.exec:\ddvdj.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\660800.exec:\660800.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\0046408.exec:\0046408.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\llxflrf.exec:\llxflrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\bbbnbh.exec:\bbbnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\fffflxl.exec:\fffflxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\48080.exec:\48080.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\ppjvj.exec:\ppjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\lflrxrf.exec:\lflrxrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\ppdvv.exec:\ppdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\00682.exec:\00682.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\c688440.exec:\c688440.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\202806.exec:\202806.exe17⤵
- Executes dropped EXE
PID:1512 -
\??\c:\20884.exec:\20884.exe18⤵
- Executes dropped EXE
PID:1768 -
\??\c:\642288.exec:\642288.exe19⤵
- Executes dropped EXE
PID:1376 -
\??\c:\rfxxxxf.exec:\rfxxxxf.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952 -
\??\c:\5pjjj.exec:\5pjjj.exe21⤵
- Executes dropped EXE
PID:1584 -
\??\c:\028444.exec:\028444.exe22⤵
- Executes dropped EXE
PID:2132 -
\??\c:\w44066.exec:\w44066.exe23⤵
- Executes dropped EXE
PID:2092 -
\??\c:\1xlrfxf.exec:\1xlrfxf.exe24⤵
- Executes dropped EXE
PID:1708 -
\??\c:\9xxxffl.exec:\9xxxffl.exe25⤵
- Executes dropped EXE
PID:3000 -
\??\c:\42484.exec:\42484.exe26⤵
- Executes dropped EXE
PID:696 -
\??\c:\6688008.exec:\6688008.exe27⤵
- Executes dropped EXE
PID:1780 -
\??\c:\rfrxllx.exec:\rfrxllx.exe28⤵
- Executes dropped EXE
PID:2052 -
\??\c:\7hnntb.exec:\7hnntb.exe29⤵
- Executes dropped EXE
PID:548 -
\??\c:\dvpjj.exec:\dvpjj.exe30⤵
- Executes dropped EXE
PID:1964 -
\??\c:\204066.exec:\204066.exe31⤵
- Executes dropped EXE
PID:1752 -
\??\c:\4240224.exec:\4240224.exe32⤵
- Executes dropped EXE
PID:2164 -
\??\c:\000426.exec:\000426.exe33⤵
- Executes dropped EXE
PID:2332 -
\??\c:\1tbthb.exec:\1tbthb.exe34⤵
- Executes dropped EXE
PID:1880 -
\??\c:\9rxlflr.exec:\9rxlflr.exe35⤵
- Executes dropped EXE
PID:1508 -
\??\c:\6080668.exec:\6080668.exe36⤵
- Executes dropped EXE
PID:1736 -
\??\c:\q08222.exec:\q08222.exe37⤵
- Executes dropped EXE
PID:2408 -
\??\c:\nbhbhb.exec:\nbhbhb.exe38⤵
- Executes dropped EXE
PID:2404 -
\??\c:\vvpvd.exec:\vvpvd.exe39⤵
- Executes dropped EXE
PID:2444 -
\??\c:\fxrxffr.exec:\fxrxffr.exe40⤵
- Executes dropped EXE
PID:2552 -
\??\c:\3nnhhh.exec:\3nnhhh.exe41⤵
- Executes dropped EXE
PID:2808 -
\??\c:\jdppp.exec:\jdppp.exe42⤵
- Executes dropped EXE
PID:2732 -
\??\c:\pvjvj.exec:\pvjvj.exe43⤵
- Executes dropped EXE
PID:2724 -
\??\c:\xlfflrx.exec:\xlfflrx.exe44⤵
- Executes dropped EXE
PID:2628 -
\??\c:\bhnttt.exec:\bhnttt.exe45⤵
- Executes dropped EXE
PID:2616 -
\??\c:\9pdvd.exec:\9pdvd.exe46⤵
- Executes dropped EXE
PID:2608 -
\??\c:\tbhbnn.exec:\tbhbnn.exe47⤵
- Executes dropped EXE
PID:2592 -
\??\c:\5vppp.exec:\5vppp.exe48⤵
- Executes dropped EXE
PID:2032 -
\??\c:\2466224.exec:\2466224.exe49⤵
- Executes dropped EXE
PID:2296 -
\??\c:\86884.exec:\86884.exe50⤵
- Executes dropped EXE
PID:2840 -
\??\c:\q86622.exec:\q86622.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2816 -
\??\c:\860026.exec:\860026.exe52⤵
- Executes dropped EXE
PID:2028 -
\??\c:\3jppp.exec:\3jppp.exe53⤵
- Executes dropped EXE
PID:1836 -
\??\c:\206628.exec:\206628.exe54⤵
- Executes dropped EXE
PID:1124 -
\??\c:\0888880.exec:\0888880.exe55⤵
- Executes dropped EXE
PID:1116 -
\??\c:\lfxfffl.exec:\lfxfffl.exe56⤵
- Executes dropped EXE
PID:1940 -
\??\c:\864400.exec:\864400.exe57⤵
- Executes dropped EXE
PID:1128 -
\??\c:\w88400.exec:\w88400.exe58⤵
- Executes dropped EXE
PID:2856 -
\??\c:\5bbnbb.exec:\5bbnbb.exe59⤵
- Executes dropped EXE
PID:1804 -
\??\c:\020066.exec:\020066.exe60⤵
- Executes dropped EXE
PID:2688 -
\??\c:\pdjpd.exec:\pdjpd.exe61⤵
- Executes dropped EXE
PID:2156 -
\??\c:\3jddj.exec:\3jddj.exe62⤵
- Executes dropped EXE
PID:2336 -
\??\c:\vpjpd.exec:\vpjpd.exe63⤵
- Executes dropped EXE
PID:1868 -
\??\c:\pjvvd.exec:\pjvvd.exe64⤵
- Executes dropped EXE
PID:2116 -
\??\c:\7pjjj.exec:\7pjjj.exe65⤵
- Executes dropped EXE
PID:408 -
\??\c:\6024002.exec:\6024002.exe66⤵PID:2152
-
\??\c:\fxlrffl.exec:\fxlrffl.exe67⤵PID:1968
-
\??\c:\2088664.exec:\2088664.exe68⤵PID:888
-
\??\c:\jjvjv.exec:\jjvjv.exe69⤵PID:1716
-
\??\c:\bthtnt.exec:\bthtnt.exe70⤵PID:2476
-
\??\c:\e08800.exec:\e08800.exe71⤵PID:1028
-
\??\c:\3lxxfrr.exec:\3lxxfrr.exe72⤵PID:1572
-
\??\c:\86484.exec:\86484.exe73⤵PID:2140
-
\??\c:\4260000.exec:\4260000.exe74⤵PID:1420
-
\??\c:\pjvjp.exec:\pjvjp.exe75⤵PID:1444
-
\??\c:\ddpjv.exec:\ddpjv.exe76⤵PID:2332
-
\??\c:\2202440.exec:\2202440.exe77⤵PID:2220
-
\??\c:\3xrlrrx.exec:\3xrlrrx.exe78⤵PID:1532
-
\??\c:\604400.exec:\604400.exe79⤵PID:2484
-
\??\c:\q64804.exec:\q64804.exe80⤵PID:2512
-
\??\c:\e04200.exec:\e04200.exe81⤵PID:2060
-
\??\c:\046868.exec:\046868.exe82⤵PID:2348
-
\??\c:\a2040.exec:\a2040.exe83⤵PID:2796
-
\??\c:\c866620.exec:\c866620.exe84⤵PID:2792
-
\??\c:\ddpjp.exec:\ddpjp.exe85⤵PID:2980
-
\??\c:\nbhhhh.exec:\nbhhhh.exe86⤵PID:2380
-
\??\c:\08000.exec:\08000.exe87⤵PID:2908
-
\??\c:\5lfrxxl.exec:\5lfrxxl.exe88⤵PID:3060
-
\??\c:\04280.exec:\04280.exe89⤵PID:2704
-
\??\c:\6268060.exec:\6268060.exe90⤵PID:2780
-
\??\c:\hhnnbh.exec:\hhnnbh.exe91⤵PID:1172
-
\??\c:\6068002.exec:\6068002.exe92⤵PID:2396
-
\??\c:\22662.exec:\22662.exe93⤵PID:2664
-
\??\c:\pdppv.exec:\pdppv.exe94⤵PID:1556
-
\??\c:\7htbnh.exec:\7htbnh.exe95⤵PID:1544
-
\??\c:\a6000.exec:\a6000.exe96⤵PID:668
-
\??\c:\k42462.exec:\k42462.exe97⤵PID:1512
-
\??\c:\vpdjv.exec:\vpdjv.exe98⤵PID:1768
-
\??\c:\fffxrlf.exec:\fffxrlf.exe99⤵PID:1408
-
\??\c:\ddvjv.exec:\ddvjv.exe100⤵PID:2928
-
\??\c:\vjvvp.exec:\vjvvp.exe101⤵PID:2188
-
\??\c:\tthbhb.exec:\tthbhb.exe102⤵PID:2068
-
\??\c:\608806.exec:\608806.exe103⤵PID:2224
-
\??\c:\hbhnnt.exec:\hbhnnt.exe104⤵PID:536
-
\??\c:\m2006.exec:\m2006.exe105⤵PID:2956
-
\??\c:\5llllrl.exec:\5llllrl.exe106⤵PID:2104
-
\??\c:\4828480.exec:\4828480.exe107⤵PID:3000
-
\??\c:\26222.exec:\26222.exe108⤵PID:316
-
\??\c:\xlfrxfr.exec:\xlfrxfr.exe109⤵PID:1832
-
\??\c:\jvppv.exec:\jvppv.exe110⤵PID:1968
-
\??\c:\226024.exec:\226024.exe111⤵PID:1688
-
\??\c:\jjppp.exec:\jjppp.exe112⤵PID:604
-
\??\c:\xlxfllx.exec:\xlxfllx.exe113⤵PID:3024
-
\??\c:\826800.exec:\826800.exe114⤵PID:1028
-
\??\c:\08000.exec:\08000.exe115⤵PID:636
-
\??\c:\42400.exec:\42400.exe116⤵PID:1924
-
\??\c:\04662.exec:\04662.exe117⤵PID:2972
-
\??\c:\824022.exec:\824022.exe118⤵PID:1608
-
\??\c:\22062.exec:\22062.exe119⤵PID:3044
-
\??\c:\608406.exec:\608406.exe120⤵PID:2372
-
\??\c:\ppdjv.exec:\ppdjv.exe121⤵PID:2212
-
\??\c:\1fffxxx.exec:\1fffxxx.exe122⤵PID:2368