Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
28/03/2025, 20:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4f424d75b1b06dd5760eca96ca0fbd926ca936f8d0fa9b17175f23cdffff685b.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
4f424d75b1b06dd5760eca96ca0fbd926ca936f8d0fa9b17175f23cdffff685b.exe
-
Size
459KB
-
MD5
51032db7aee08ad84b3dc18d6000f85d
-
SHA1
f3ed9d44261d966e08e2992b93252c1b8ab20a76
-
SHA256
4f424d75b1b06dd5760eca96ca0fbd926ca936f8d0fa9b17175f23cdffff685b
-
SHA512
bb779beacd693e48ad3197670ec8a82362b14c33459340c0a45f548f2040a453dae1cb0078da48f5347dc06588038457685d8c9012cd4e204de4ad01a0d63e1b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2420-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/740-45-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/740-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1076-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-189-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1256-204-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1072-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/980-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/272-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1188-464-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1332-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-683-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2844-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-784-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1604-783-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/680-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-855-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2764-919-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon 
behavioral1/memory/2732-964-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2392-1002-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2700-1177-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2748-1187-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2600-1228-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1680-1313-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/860-1320-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2516 c824668.exe 1660 btbbth.exe 2452 jdvpj.exe 740 e82406.exe 2860 08028.exe 2836 dvppv.exe 2820 lrfxlrl.exe 2124 608024.exe 1144 nthtnt.exe 2684 04802.exe 2092 26424.exe 272 6866824.exe 2952 m0842.exe 1948 g0000.exe 320 04664.exe 1232 frxrlrf.exe 1492 3fflrxl.exe 1212 jdvvd.exe 1928 jjdpp.exe 1916 u868004.exe 1076 rllrxrf.exe 1256 pvpdp.exe 1072 ffrflll.exe 1612 26086.exe 2220 1btbhn.exe 2388 rrxrxrf.exe 1632 3fffrrx.exe 2556 60408.exe 1796 7vjdp.exe 1652 9pjpv.exe 1640 086808.exe 980 9fxxflf.exe 684 2062068.exe 1648 pvpdd.exe 1688 dvpvj.exe 2472 08060.exe 2796 ppdjp.exe 2480 820048.exe 2888 44440.exe 2768 42006.exe 2896 rlflrrf.exe 2064 2640846.exe 2748 48608.exe 2808 820282.exe 2624 w82406.exe 2732 4864068.exe 2084 84840.exe 1996 vjjpv.exe 796 6084668.exe 272 6080286.exe 2672 04284.exe 2804 jdjjv.exe 2976 c262840.exe 1760 42046.exe 1080 482206.exe 2244 jjjpd.exe 2188 lfxfrfx.exe 1188 0046882.exe 3028 vpjpv.exe 1916 nhhntb.exe 948 c422846.exe 1920 1tntht.exe 1860 hbthnn.exe 840 820628.exe -
resource yara_rule behavioral1/memory/2420-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/740-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-184-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1072-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-309-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2472-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/272-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-783-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/680-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-855-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2392-1002-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/3032-1051-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-1058-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-1083-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2100-1145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-1158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-1177-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2612-1197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-1228-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1680-1313-0x00000000001B0000-0x00000000001DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6046424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9ffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflrrx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42024.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2516 2420 4f424d75b1b06dd5760eca96ca0fbd926ca936f8d0fa9b17175f23cdffff685b.exe 31 PID 2420 wrote to memory of 2516 2420 4f424d75b1b06dd5760eca96ca0fbd926ca936f8d0fa9b17175f23cdffff685b.exe 31 PID 2420 wrote to memory of 2516 2420 4f424d75b1b06dd5760eca96ca0fbd926ca936f8d0fa9b17175f23cdffff685b.exe 31 PID 2420 wrote to memory of 2516 2420 4f424d75b1b06dd5760eca96ca0fbd926ca936f8d0fa9b17175f23cdffff685b.exe 31 PID 2516 wrote to memory of 1660 2516 c824668.exe 32 PID 2516 wrote to memory of 1660 2516 c824668.exe 32 PID 2516 wrote to memory of 1660 2516 c824668.exe 32 PID 2516 wrote to memory of 1660 2516 c824668.exe 32 PID 1660 wrote to memory of 2452 1660 btbbth.exe 33 PID 1660 wrote to memory of 2452 1660 btbbth.exe 33 PID 1660 wrote to memory of 2452 1660 btbbth.exe 33 PID 1660 wrote to memory of 2452 1660 btbbth.exe 33 PID 2452 wrote to memory of 740 2452 jdvpj.exe 34 PID 2452 wrote to memory of 740 2452 jdvpj.exe 34 PID 2452 wrote to memory of 740 2452 jdvpj.exe 34 PID 2452 wrote to memory of 740 2452 jdvpj.exe 34 PID 740 wrote to memory of 2860 740 e82406.exe 35 PID 740 wrote to memory of 2860 740 e82406.exe 35 PID 740 wrote to memory of 2860 740 e82406.exe 35 PID 740 wrote to memory of 2860 740 e82406.exe 35 PID 2860 wrote to memory of 2836 2860 08028.exe 36 PID 2860 wrote to memory of 2836 2860 08028.exe 36 PID 2860 wrote to memory of 2836 2860 08028.exe 36 PID 2860 wrote to memory of 2836 2860 08028.exe 36 PID 2836 wrote to memory of 2820 2836 dvppv.exe 37 PID 2836 wrote to memory of 2820 2836 dvppv.exe 37 PID 2836 wrote to memory of 2820 2836 dvppv.exe 37 PID 2836 wrote to memory of 2820 2836 dvppv.exe 37 PID 2820 wrote to memory of 2124 2820 lrfxlrl.exe 38 PID 2820 wrote to memory of 2124 2820 lrfxlrl.exe 38 PID 2820 wrote to memory of 2124 2820 lrfxlrl.exe 38 PID 2820 wrote to memory of 2124 2820 lrfxlrl.exe 38 PID 2124 wrote to memory of 1144 2124 608024.exe 39 PID 2124 wrote to memory of 
1144 2124 608024.exe 39 PID 2124 wrote to memory of 1144 2124 608024.exe 39 PID 2124 wrote to memory of 1144 2124 608024.exe 39 PID 1144 wrote to memory of 2684 1144 nthtnt.exe 40 PID 1144 wrote to memory of 2684 1144 nthtnt.exe 40 PID 1144 wrote to memory of 2684 1144 nthtnt.exe 40 PID 1144 wrote to memory of 2684 1144 nthtnt.exe 40 PID 2684 wrote to memory of 2092 2684 04802.exe 41 PID 2684 wrote to memory of 2092 2684 04802.exe 41 PID 2684 wrote to memory of 2092 2684 04802.exe 41 PID 2684 wrote to memory of 2092 2684 04802.exe 41 PID 2092 wrote to memory of 272 2092 26424.exe 42 PID 2092 wrote to memory of 272 2092 26424.exe 42 PID 2092 wrote to memory of 272 2092 26424.exe 42 PID 2092 wrote to memory of 272 2092 26424.exe 42 PID 272 wrote to memory of 2952 272 6866824.exe 43 PID 272 wrote to memory of 2952 272 6866824.exe 43 PID 272 wrote to memory of 2952 272 6866824.exe 43 PID 272 wrote to memory of 2952 272 6866824.exe 43 PID 2952 wrote to memory of 1948 2952 m0842.exe 44 PID 2952 wrote to memory of 1948 2952 m0842.exe 44 PID 2952 wrote to memory of 1948 2952 m0842.exe 44 PID 2952 wrote to memory of 1948 2952 m0842.exe 44 PID 1948 wrote to memory of 320 1948 g0000.exe 45 PID 1948 wrote to memory of 320 1948 g0000.exe 45 PID 1948 wrote to memory of 320 1948 g0000.exe 45 PID 1948 wrote to memory of 320 1948 g0000.exe 45 PID 320 wrote to memory of 1232 320 04664.exe 46 PID 320 wrote to memory of 1232 320 04664.exe 46 PID 320 wrote to memory of 1232 320 04664.exe 46 PID 320 wrote to memory of 1232 320 04664.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f424d75b1b06dd5760eca96ca0fbd926ca936f8d0fa9b17175f23cdffff685b.exe"C:\Users\Admin\AppData\Local\Temp\4f424d75b1b06dd5760eca96ca0fbd926ca936f8d0fa9b17175f23cdffff685b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\c824668.exec:\c824668.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\btbbth.exec:\btbbth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\jdvpj.exec:\jdvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\e82406.exec:\e82406.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\08028.exec:\08028.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\dvppv.exec:\dvppv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\lrfxlrl.exec:\lrfxlrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\608024.exec:\608024.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\nthtnt.exec:\nthtnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\04802.exec:\04802.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\26424.exec:\26424.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\6866824.exec:\6866824.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:272 -
\??\c:\m0842.exec:\m0842.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\g0000.exec:\g0000.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\04664.exec:\04664.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\frxrlrf.exec:\frxrlrf.exe17⤵
- Executes dropped EXE
PID:1232 -
\??\c:\3fflrxl.exec:\3fflrxl.exe18⤵
- Executes dropped EXE
PID:1492 -
\??\c:\jdvvd.exec:\jdvvd.exe19⤵
- Executes dropped EXE
PID:1212 -
\??\c:\jjdpp.exec:\jjdpp.exe20⤵
- Executes dropped EXE
PID:1928 -
\??\c:\u868004.exec:\u868004.exe21⤵
- Executes dropped EXE
PID:1916 -
\??\c:\rllrxrf.exec:\rllrxrf.exe22⤵
- Executes dropped EXE
PID:1076 -
\??\c:\pvpdp.exec:\pvpdp.exe23⤵
- Executes dropped EXE
PID:1256 -
\??\c:\ffrflll.exec:\ffrflll.exe24⤵
- Executes dropped EXE
PID:1072 -
\??\c:\26086.exec:\26086.exe25⤵
- Executes dropped EXE
PID:1612 -
\??\c:\1btbhn.exec:\1btbhn.exe26⤵
- Executes dropped EXE
PID:2220 -
\??\c:\rrxrxrf.exec:\rrxrxrf.exe27⤵
- Executes dropped EXE
PID:2388 -
\??\c:\3fffrrx.exec:\3fffrrx.exe28⤵
- Executes dropped EXE
PID:1632 -
\??\c:\60408.exec:\60408.exe29⤵
- Executes dropped EXE
PID:2556 -
\??\c:\7vjdp.exec:\7vjdp.exe30⤵
- Executes dropped EXE
PID:1796 -
\??\c:\9pjpv.exec:\9pjpv.exe31⤵
- Executes dropped EXE
PID:1652 -
\??\c:\086808.exec:\086808.exe32⤵
- Executes dropped EXE
PID:1640 -
\??\c:\9fxxflf.exec:\9fxxflf.exe33⤵
- Executes dropped EXE
PID:980 -
\??\c:\2062068.exec:\2062068.exe34⤵
- Executes dropped EXE
PID:684 -
\??\c:\pvpdd.exec:\pvpdd.exe35⤵
- Executes dropped EXE
PID:1648 -
\??\c:\dvpvj.exec:\dvpvj.exe36⤵
- Executes dropped EXE
PID:1688 -
\??\c:\08060.exec:\08060.exe37⤵
- Executes dropped EXE
PID:2472 -
\??\c:\ppdjp.exec:\ppdjp.exe38⤵
- Executes dropped EXE
PID:2796 -
\??\c:\820048.exec:\820048.exe39⤵
- Executes dropped EXE
PID:2480 -
\??\c:\44440.exec:\44440.exe40⤵
- Executes dropped EXE
PID:2888 -
\??\c:\42006.exec:\42006.exe41⤵
- Executes dropped EXE
PID:2768 -
\??\c:\rlflrrf.exec:\rlflrrf.exe42⤵
- Executes dropped EXE
PID:2896 -
\??\c:\2640846.exec:\2640846.exe43⤵
- Executes dropped EXE
PID:2064 -
\??\c:\48608.exec:\48608.exe44⤵
- Executes dropped EXE
PID:2748 -
\??\c:\820282.exec:\820282.exe45⤵
- Executes dropped EXE
PID:2808 -
\??\c:\w82406.exec:\w82406.exe46⤵
- Executes dropped EXE
PID:2624 -
\??\c:\4864068.exec:\4864068.exe47⤵
- Executes dropped EXE
PID:2732 -
\??\c:\84840.exec:\84840.exe48⤵
- Executes dropped EXE
PID:2084 -
\??\c:\vjjpv.exec:\vjjpv.exe49⤵
- Executes dropped EXE
PID:1996 -
\??\c:\6084668.exec:\6084668.exe50⤵
- Executes dropped EXE
PID:796 -
\??\c:\6080286.exec:\6080286.exe51⤵
- Executes dropped EXE
PID:272 -
\??\c:\04284.exec:\04284.exe52⤵
- Executes dropped EXE
PID:2672 -
\??\c:\jdjjv.exec:\jdjjv.exe53⤵
- Executes dropped EXE
PID:2804 -
\??\c:\c262840.exec:\c262840.exe54⤵
- Executes dropped EXE
PID:2976 -
\??\c:\42046.exec:\42046.exe55⤵
- Executes dropped EXE
PID:1760 -
\??\c:\482206.exec:\482206.exe56⤵
- Executes dropped EXE
PID:1080 -
\??\c:\jjjpd.exec:\jjjpd.exe57⤵
- Executes dropped EXE
PID:2244 -
\??\c:\lfxfrfx.exec:\lfxfrfx.exe58⤵
- Executes dropped EXE
PID:2188 -
\??\c:\0046882.exec:\0046882.exe59⤵
- Executes dropped EXE
PID:1188 -
\??\c:\vpjpv.exec:\vpjpv.exe60⤵
- Executes dropped EXE
PID:3028 -
\??\c:\nhhntb.exec:\nhhntb.exe61⤵
- Executes dropped EXE
PID:1916 -
\??\c:\c422846.exec:\c422846.exe62⤵
- Executes dropped EXE
PID:948 -
\??\c:\1tntht.exec:\1tntht.exe63⤵
- Executes dropped EXE
PID:1920 -
\??\c:\hbthnn.exec:\hbthnn.exe64⤵
- Executes dropped EXE
PID:1860 -
\??\c:\820628.exec:\820628.exe65⤵
- Executes dropped EXE
PID:840 -
\??\c:\i484880.exec:\i484880.exe66⤵PID:1032
-
\??\c:\xrfrffl.exec:\xrfrffl.exe67⤵PID:1524
-
\??\c:\868484.exec:\868484.exe68⤵PID:1332
-
\??\c:\482244.exec:\482244.exe69⤵PID:2448
-
\??\c:\dvppj.exec:\dvppj.exe70⤵PID:976
-
\??\c:\9hbntt.exec:\9hbntt.exe71⤵PID:2176
-
\??\c:\s6084.exec:\s6084.exe72⤵PID:496
-
\??\c:\jdpvj.exec:\jdpvj.exe73⤵PID:1500
-
\??\c:\48680.exec:\48680.exe74⤵PID:2596
-
\??\c:\llllxfx.exec:\llllxfx.exe75⤵PID:1580
-
\??\c:\dpdvd.exec:\dpdvd.exe76⤵PID:2432
-
\??\c:\3ntbnb.exec:\3ntbnb.exe77⤵PID:1824
-
\??\c:\7jdjd.exec:\7jdjd.exe78⤵PID:1576
-
\??\c:\xfrxrxf.exec:\xfrxrxf.exe79⤵PID:2488
-
\??\c:\0480624.exec:\0480624.exe80⤵PID:1660
-
\??\c:\04246.exec:\04246.exe81⤵PID:2252
-
\??\c:\nbbbtb.exec:\nbbbtb.exe82⤵PID:2452
-
\??\c:\g8684.exec:\g8684.exe83⤵PID:2832
-
\??\c:\jpjjv.exec:\jpjjv.exe84⤵PID:2888
-
\??\c:\m6806.exec:\m6806.exe85⤵PID:2768
-
\??\c:\rlrxllx.exec:\rlrxllx.exe86⤵PID:2640
-
\??\c:\lrffrrx.exec:\lrffrrx.exe87⤵PID:2776
-
\??\c:\60408.exec:\60408.exe88⤵PID:2660
-
\??\c:\s0464.exec:\s0464.exe89⤵PID:2668
-
\??\c:\a4280.exec:\a4280.exe90⤵PID:2088
-
\??\c:\608028.exec:\608028.exe91⤵PID:824
-
\??\c:\ntnhnh.exec:\ntnhnh.exe92⤵PID:1616
-
\??\c:\8240284.exec:\8240284.exe93⤵PID:2924
-
\??\c:\3rflrrl.exec:\3rflrrl.exe94⤵PID:2844
-
\??\c:\rllllfl.exec:\rllllfl.exe95⤵PID:2840
-
\??\c:\820404.exec:\820404.exe96⤵PID:1948
-
\??\c:\424684.exec:\424684.exe97⤵PID:1984
-
\??\c:\jdjpd.exec:\jdjpd.exe98⤵PID:1904
-
\??\c:\2062400.exec:\2062400.exe99⤵PID:1792
-
\??\c:\3pdjd.exec:\3pdjd.exe100⤵PID:1492
-
\??\c:\thhbbt.exec:\thhbbt.exe101⤵PID:2708
-
\??\c:\86840.exec:\86840.exe102⤵PID:2580
-
\??\c:\0428280.exec:\0428280.exe103⤵PID:2224
-
\??\c:\42066.exec:\42066.exe104⤵PID:1812
-
\??\c:\608468.exec:\608468.exe105⤵PID:2548
-
\??\c:\ntnthn.exec:\ntnthn.exe106⤵PID:2544
-
\??\c:\ffxrlfl.exec:\ffxrlfl.exe107⤵
- System Location Discovery: System Language Discovery
PID:1696 -
\??\c:\246648.exec:\246648.exe108⤵PID:1248
-
\??\c:\020868.exec:\020868.exe109⤵PID:1704
-
\??\c:\u688424.exec:\u688424.exe110⤵PID:1604
-
\??\c:\llxlfrr.exec:\llxlfrr.exe111⤵PID:1772
-
\??\c:\7bnhht.exec:\7bnhht.exe112⤵PID:680
-
\??\c:\c006480.exec:\c006480.exe113⤵PID:1632
-
\??\c:\xxrxlfr.exec:\xxrxlfr.exe114⤵PID:1620
-
\??\c:\2268602.exec:\2268602.exe115⤵PID:1980
-
\??\c:\nnbbnt.exec:\nnbbnt.exe116⤵PID:2160
-
\??\c:\486806.exec:\486806.exe117⤵PID:292
-
\??\c:\vvdpv.exec:\vvdpv.exe118⤵PID:2280
-
\??\c:\604606.exec:\604606.exe119⤵PID:2320
-
\??\c:\lxllrrr.exec:\lxllrrr.exe120⤵PID:1784
-
\??\c:\6428688.exec:\6428688.exe121⤵PID:2456
-
\??\c:\llfrffx.exec:\llfrffx.exe122⤵PID:1692