Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
arch:x64 arch:x86 image:win7-20250207-en locale:en-us os:windows7-x64 system -
submitted
28/03/2025, 19:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe
Resource
win7-20250207-en
7 signatures
150 seconds
General
-
Target
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe
-
Size
456KB
-
MD5
aa11e7d4cfcd5c995438fa4704ece465
-
SHA1
014c94e41baabb3f428f36c2d502bfde3607f73b
-
SHA256
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01
-
SHA512
9d1dc841aa7c01670ab0982c2ee00575bf97114b99704bb906319e28a37e38bd5ea631f6f15d820b7377a0681b3ed289a064a2654ceed3331cac3235a20740e5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2864-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-44-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3024-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-59-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2916-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-117-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2008-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-372-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2808-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-345-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/2920-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-258-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/776-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-240-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1396-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-204-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/668-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-164-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2548-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-678-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2000-1204-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2608-1224-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1576-1233-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2540 3djdj.exe 900 thntnh.exe 2448 xxlllfl.exe 2232 6422822.exe 3024 82664.exe 2916 k42204.exe 2788 2026222.exe 2688 82488.exe 2772 424822.exe 2744 0844446.exe 536 6060604.exe 2004 nhnnnh.exe 2008 7jppp.exe 2068 lxxxrlr.exe 2548 c840444.exe 2144 428622.exe 3052 8682262.exe 1980 pjpvv.exe 2368 i088448.exe 1260 xfrrfxx.exe 668 jvdvj.exe 1672 0844006.exe 1396 9rffxxx.exe 1316 7dvpp.exe 1644 ppdvd.exe 1552 thbbnh.exe 776 vdvvv.exe 2384 vpddd.exe 1144 864426.exe 2900 02440.exe 2204 s4484.exe 1600 9bnthh.exe 1096 4688822.exe 2980 46884.exe 3028 0044444.exe 2800 nbhbnh.exe 2944 244444.exe 2820 lxfxllr.exe 2920 c804006.exe 3012 nbhthh.exe 872 dvjvj.exe 2844 3vddd.exe 2808 020000.exe 2740 488284.exe 1492 86266.exe 1640 jdjdj.exe 1116 htbbnh.exe 2004 lxfflff.exe 2580 htbttn.exe 1984 bththn.exe 2460 nbhtbt.exe 2084 o244828.exe 2196 dpvvp.exe 1308 dpjdd.exe 2588 s8668.exe 2036 82006.exe 320 46488.exe 2040 6426622.exe 1396 s8000.exe 1860 9vjvv.exe 2484 086622.exe 1912 1rffrrr.exe 1908 c648862.exe 2104 thnbtn.exe -
resource yara_rule behavioral1/memory/2540-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-282-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1144-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-813-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-839-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-846-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-1095-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-1217-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1576-1233-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2388-1292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-1353-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c840444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlllfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fllllr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2864 wrote to memory of 2540 2864 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 31 PID 2864 wrote to memory of 2540 2864 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 31 PID 2864 wrote to memory of 2540 2864 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 31 PID 2864 wrote to memory of 2540 2864 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 31 PID 2540 wrote to memory of 900 2540 3djdj.exe 32 PID 2540 wrote to memory of 900 2540 3djdj.exe 32 PID 2540 wrote to memory of 900 2540 3djdj.exe 32 PID 2540 wrote to memory of 900 2540 3djdj.exe 32 PID 900 wrote to memory of 2448 900 thntnh.exe 33 PID 900 wrote to memory of 2448 900 thntnh.exe 33 PID 900 wrote to memory of 2448 900 thntnh.exe 33 PID 900 wrote to memory of 2448 900 thntnh.exe 33 PID 2448 wrote to memory of 2232 2448 xxlllfl.exe 34 PID 2448 wrote to memory of 2232 2448 xxlllfl.exe 34 PID 2448 wrote to memory of 2232 2448 xxlllfl.exe 34 PID 2448 wrote to memory of 2232 2448 xxlllfl.exe 34 PID 2232 wrote to memory of 3024 2232 6422822.exe 35 PID 2232 wrote to memory of 3024 2232 6422822.exe 35 PID 2232 wrote to memory of 3024 2232 6422822.exe 35 PID 2232 wrote to memory of 3024 2232 6422822.exe 35 PID 3024 wrote to memory of 2916 3024 82664.exe 36 PID 3024 wrote to memory of 2916 3024 82664.exe 36 PID 3024 wrote to memory of 2916 3024 82664.exe 36 PID 3024 wrote to memory of 2916 3024 82664.exe 36 PID 2916 wrote to memory of 2788 2916 k42204.exe 37 PID 2916 wrote to memory of 2788 2916 k42204.exe 37 PID 2916 wrote to memory of 2788 2916 k42204.exe 37 PID 2916 wrote to memory of 2788 2916 k42204.exe 37 PID 2788 wrote to memory of 2688 2788 2026222.exe 38 PID 2788 wrote to memory of 2688 2788 2026222.exe 38 PID 2788 wrote to memory of 2688 2788 2026222.exe 38 PID 2788 wrote to memory of 2688 2788 2026222.exe 38 PID 2688 wrote to memory of 2772 2688 82488.exe 39 PID 2688 wrote to 
memory of 2772 2688 82488.exe 39 PID 2688 wrote to memory of 2772 2688 82488.exe 39 PID 2688 wrote to memory of 2772 2688 82488.exe 39 PID 2772 wrote to memory of 2744 2772 424822.exe 40 PID 2772 wrote to memory of 2744 2772 424822.exe 40 PID 2772 wrote to memory of 2744 2772 424822.exe 40 PID 2772 wrote to memory of 2744 2772 424822.exe 40 PID 2744 wrote to memory of 536 2744 0844446.exe 41 PID 2744 wrote to memory of 536 2744 0844446.exe 41 PID 2744 wrote to memory of 536 2744 0844446.exe 41 PID 2744 wrote to memory of 536 2744 0844446.exe 41 PID 536 wrote to memory of 2004 536 6060604.exe 42 PID 536 wrote to memory of 2004 536 6060604.exe 42 PID 536 wrote to memory of 2004 536 6060604.exe 42 PID 536 wrote to memory of 2004 536 6060604.exe 42 PID 2004 wrote to memory of 2008 2004 nhnnnh.exe 43 PID 2004 wrote to memory of 2008 2004 nhnnnh.exe 43 PID 2004 wrote to memory of 2008 2004 nhnnnh.exe 43 PID 2004 wrote to memory of 2008 2004 nhnnnh.exe 43 PID 2008 wrote to memory of 2068 2008 7jppp.exe 44 PID 2008 wrote to memory of 2068 2008 7jppp.exe 44 PID 2008 wrote to memory of 2068 2008 7jppp.exe 44 PID 2008 wrote to memory of 2068 2008 7jppp.exe 44 PID 2068 wrote to memory of 2548 2068 lxxxrlr.exe 45 PID 2068 wrote to memory of 2548 2068 lxxxrlr.exe 45 PID 2068 wrote to memory of 2548 2068 lxxxrlr.exe 45 PID 2068 wrote to memory of 2548 2068 lxxxrlr.exe 45 PID 2548 wrote to memory of 2144 2548 c840444.exe 46 PID 2548 wrote to memory of 2144 2548 c840444.exe 46 PID 2548 wrote to memory of 2144 2548 c840444.exe 46 PID 2548 wrote to memory of 2144 2548 c840444.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe"C:\Users\Admin\AppData\Local\Temp\49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\3djdj.exec:\3djdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\thntnh.exec:\thntnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\xxlllfl.exec:\xxlllfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\6422822.exec:\6422822.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\82664.exec:\82664.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\k42204.exec:\k42204.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\2026222.exec:\2026222.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\82488.exec:\82488.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\424822.exec:\424822.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\0844446.exec:\0844446.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\6060604.exec:\6060604.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\nhnnnh.exec:\nhnnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\7jppp.exec:\7jppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\lxxxrlr.exec:\lxxxrlr.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\c840444.exec:\c840444.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\428622.exec:\428622.exe17⤵
- Executes dropped EXE
PID:2144 -
\??\c:\8682262.exec:\8682262.exe18⤵
- Executes dropped EXE
PID:3052 -
\??\c:\pjpvv.exec:\pjpvv.exe19⤵
- Executes dropped EXE
PID:1980 -
\??\c:\i088448.exec:\i088448.exe20⤵
- Executes dropped EXE
PID:2368 -
\??\c:\xfrrfxx.exec:\xfrrfxx.exe21⤵
- Executes dropped EXE
PID:1260 -
\??\c:\jvdvj.exec:\jvdvj.exe22⤵
- Executes dropped EXE
PID:668 -
\??\c:\0844006.exec:\0844006.exe23⤵
- Executes dropped EXE
PID:1672 -
\??\c:\9rffxxx.exec:\9rffxxx.exe24⤵
- Executes dropped EXE
PID:1396 -
\??\c:\7dvpp.exec:\7dvpp.exe25⤵
- Executes dropped EXE
PID:1316 -
\??\c:\ppdvd.exec:\ppdvd.exe26⤵
- Executes dropped EXE
PID:1644 -
\??\c:\thbbnh.exec:\thbbnh.exe27⤵
- Executes dropped EXE
PID:1552 -
\??\c:\vdvvv.exec:\vdvvv.exe28⤵
- Executes dropped EXE
PID:776 -
\??\c:\vpddd.exec:\vpddd.exe29⤵
- Executes dropped EXE
PID:2384 -
\??\c:\864426.exec:\864426.exe30⤵
- Executes dropped EXE
PID:1144 -
\??\c:\02440.exec:\02440.exe31⤵
- Executes dropped EXE
PID:2900 -
\??\c:\s4484.exec:\s4484.exe32⤵
- Executes dropped EXE
PID:2204 -
\??\c:\9bnthh.exec:\9bnthh.exe33⤵
- Executes dropped EXE
PID:1600 -
\??\c:\4688822.exec:\4688822.exe34⤵
- Executes dropped EXE
PID:1096 -
\??\c:\46884.exec:\46884.exe35⤵
- Executes dropped EXE
PID:2980 -
\??\c:\0044444.exec:\0044444.exe36⤵
- Executes dropped EXE
PID:3028 -
\??\c:\nbhbnh.exec:\nbhbnh.exe37⤵
- Executes dropped EXE
PID:2800 -
\??\c:\244444.exec:\244444.exe38⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lxfxllr.exec:\lxfxllr.exe39⤵
- Executes dropped EXE
PID:2820 -
\??\c:\c804006.exec:\c804006.exe40⤵
- Executes dropped EXE
PID:2920 -
\??\c:\nbhthh.exec:\nbhthh.exe41⤵
- Executes dropped EXE
PID:3012 -
\??\c:\dvjvj.exec:\dvjvj.exe42⤵
- Executes dropped EXE
PID:872 -
\??\c:\3vddd.exec:\3vddd.exe43⤵
- Executes dropped EXE
PID:2844 -
\??\c:\020000.exec:\020000.exe44⤵
- Executes dropped EXE
PID:2808 -
\??\c:\488284.exec:\488284.exe45⤵
- Executes dropped EXE
PID:2740 -
\??\c:\86266.exec:\86266.exe46⤵
- Executes dropped EXE
PID:1492 -
\??\c:\jdjdj.exec:\jdjdj.exe47⤵
- Executes dropped EXE
PID:1640 -
\??\c:\htbbnh.exec:\htbbnh.exe48⤵
- Executes dropped EXE
PID:1116 -
\??\c:\lxfflff.exec:\lxfflff.exe49⤵
- Executes dropped EXE
PID:2004 -
\??\c:\htbttn.exec:\htbttn.exe50⤵
- Executes dropped EXE
PID:2580 -
\??\c:\bththn.exec:\bththn.exe51⤵
- Executes dropped EXE
PID:1984 -
\??\c:\nbhtbt.exec:\nbhtbt.exe52⤵
- Executes dropped EXE
PID:2460 -
\??\c:\o244828.exec:\o244828.exe53⤵
- Executes dropped EXE
PID:2084 -
\??\c:\dpvvp.exec:\dpvvp.exe54⤵
- Executes dropped EXE
PID:2196 -
\??\c:\dpjdd.exec:\dpjdd.exe55⤵
- Executes dropped EXE
PID:1308 -
\??\c:\s8668.exec:\s8668.exe56⤵
- Executes dropped EXE
PID:2588 -
\??\c:\82006.exec:\82006.exe57⤵
- Executes dropped EXE
PID:2036 -
\??\c:\46488.exec:\46488.exe58⤵
- Executes dropped EXE
PID:320 -
\??\c:\6426622.exec:\6426622.exe59⤵
- Executes dropped EXE
PID:2040 -
\??\c:\s8000.exec:\s8000.exe60⤵
- Executes dropped EXE
PID:1396 -
\??\c:\9vjvv.exec:\9vjvv.exe61⤵
- Executes dropped EXE
PID:1860 -
\??\c:\086622.exec:\086622.exe62⤵
- Executes dropped EXE
PID:2484 -
\??\c:\1rffrrr.exec:\1rffrrr.exe63⤵
- Executes dropped EXE
PID:1912 -
\??\c:\c648862.exec:\c648862.exe64⤵
- Executes dropped EXE
PID:1908 -
\??\c:\thnbtn.exec:\thnbtn.exe65⤵
- Executes dropped EXE
PID:2104 -
\??\c:\tnbbbh.exec:\tnbbbh.exe66⤵PID:2268
-
\??\c:\tbhtnh.exec:\tbhtnh.exe67⤵PID:2564
-
\??\c:\lxfflfx.exec:\lxfflfx.exe68⤵PID:2200
-
\??\c:\4606606.exec:\4606606.exe69⤵PID:1836
-
\??\c:\vjppp.exec:\vjppp.exe70⤵PID:2516
-
\??\c:\44228.exec:\44228.exe71⤵PID:620
-
\??\c:\024882.exec:\024882.exe72⤵PID:2476
-
\??\c:\820484.exec:\820484.exe73⤵PID:2632
-
\??\c:\1bhbnn.exec:\1bhbnn.exe74⤵PID:2800
-
\??\c:\68048.exec:\68048.exe75⤵PID:2968
-
\??\c:\4282480.exec:\4282480.exe76⤵PID:2820
-
\??\c:\4248888.exec:\4248888.exe77⤵PID:2932
-
\??\c:\ntbttn.exec:\ntbttn.exe78⤵PID:2576
-
\??\c:\k20626.exec:\k20626.exe79⤵PID:2776
-
\??\c:\frfxxxx.exec:\frfxxxx.exe80⤵PID:2364
-
\??\c:\4666660.exec:\4666660.exe81⤵PID:2212
-
\??\c:\2400606.exec:\2400606.exe82⤵PID:2916
-
\??\c:\7tnhhh.exec:\7tnhhh.exe83⤵PID:2912
-
\??\c:\xrllfff.exec:\xrllfff.exe84⤵PID:2720
-
\??\c:\42482.exec:\42482.exe85⤵PID:2984
-
\??\c:\1tnhbt.exec:\1tnhbt.exe86⤵PID:2732
-
\??\c:\u260006.exec:\u260006.exe87⤵PID:2432
-
\??\c:\0466622.exec:\0466622.exe88⤵PID:1488
-
\??\c:\1xxxfxx.exec:\1xxxfxx.exe89⤵PID:2304
-
\??\c:\o688828.exec:\o688828.exe90⤵PID:1020
-
\??\c:\4646260.exec:\4646260.exe91⤵PID:2708
-
\??\c:\208266.exec:\208266.exe92⤵PID:2428
-
\??\c:\c660044.exec:\c660044.exe93⤵PID:2532
-
\??\c:\64448.exec:\64448.exe94⤵PID:3068
-
\??\c:\9bbbhb.exec:\9bbbhb.exe95⤵PID:1336
-
\??\c:\3pddj.exec:\3pddj.exe96⤵PID:1980
-
\??\c:\206226.exec:\206226.exe97⤵PID:2308
-
\??\c:\thnbhh.exec:\thnbhh.exe98⤵PID:1892
-
\??\c:\tbnbbh.exec:\tbnbbh.exe99⤵PID:1328
-
\??\c:\1tnhht.exec:\1tnhht.exe100⤵PID:2552
-
\??\c:\42004.exec:\42004.exe101⤵PID:2556
-
\??\c:\thttnh.exec:\thttnh.exe102⤵PID:1164
-
\??\c:\868226.exec:\868226.exe103⤵PID:496
-
\??\c:\0204006.exec:\0204006.exe104⤵PID:1684
-
\??\c:\64668.exec:\64668.exe105⤵PID:1932
-
\??\c:\446244.exec:\446244.exe106⤵PID:1376
-
\??\c:\9ppjj.exec:\9ppjj.exe107⤵PID:2388
-
\??\c:\g8422.exec:\g8422.exe108⤵PID:2404
-
\??\c:\pdjjj.exec:\pdjjj.exe109⤵PID:2648
-
\??\c:\48484.exec:\48484.exe110⤵PID:2900
-
\??\c:\7bbtnn.exec:\7bbtnn.exe111⤵PID:2044
-
\??\c:\hbhtbb.exec:\hbhtbb.exe112⤵PID:1600
-
\??\c:\9rllllx.exec:\9rllllx.exe113⤵PID:1836
-
\??\c:\rlxflrf.exec:\rlxflrf.exe114⤵PID:816
-
\??\c:\6466828.exec:\6466828.exe115⤵PID:2020
-
\??\c:\42824.exec:\42824.exe116⤵PID:2476
-
\??\c:\jdppp.exec:\jdppp.exe117⤵PID:2760
-
\??\c:\820400.exec:\820400.exe118⤵PID:1824
-
\??\c:\ffxxfll.exec:\ffxxfll.exe119⤵PID:2480
-
\??\c:\c066222.exec:\c066222.exe120⤵PID:2816
-
\??\c:\60684.exec:\60684.exe121⤵PID:872
-
\??\c:\8682222.exec:\8682222.exe122⤵PID:3024