Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
19/11/2024, 13:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4.exe
-
Size
453KB
-
MD5
fb4503b07f4cf2e3daddf1e1091a78ed
-
SHA1
a8871af6f317601ada255c5ae0d5a74e5cb60641
-
SHA256
d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4
-
SHA512
cc5ca8d73ab7de160fd659935d7c65dfe832d7b86d8bc1bd8602228d2dbb41358ba2fa48dc23029a7f01377635248bc5cecd51f1b62545fbbdd2d2198522d363
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1628-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1204-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-26-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2152-44-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-61-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2960-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-415-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3012-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1388-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1388-387-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2380-350-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2828-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1984-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-297-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1520-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-202-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2656-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-184-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2096-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-149-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2004-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-97-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2116-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-1079-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2568-1098-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1776-1213-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1204 ntthht.exe 1396 xxrffll.exe 2012 fllfrrl.exe 2152 lfrrlrf.exe 2844 fflfxxr.exe 2848 22648.exe 2960 i264608.exe 2716 htbtht.exe 2928 2622048.exe 2772 40464.exe 2340 86686.exe 920 rffrlxr.exe 2976 48002.exe 2004 6662002.exe 1300 0468602.exe 3036 xxrxrfx.exe 2368 0086842.exe 1432 ppvdp.exe 2096 5djdd.exe 2128 tbtnhn.exe 2656 nttnnh.exe 2384 dpvvv.exe 680 4886044.exe 1644 886822.exe 1944 28208.exe 1820 rlrxlrr.exe 2576 0486868.exe 1308 djjjv.exe 2064 i028446.exe 2168 82680.exe 1520 thntnb.exe 2000 88026.exe 2056 flfrfxl.exe 2596 vdpdv.exe 2172 q64882.exe 1984 vjpjd.exe 2800 vjdjd.exe 2904 rlfxrfr.exe 788 ntnbtn.exe 2828 g6060.exe 2380 2660408.exe 2832 jvjdp.exe 1392 06402.exe 2816 40402.exe 1804 s0042.exe 2984 fxxffxf.exe 1388 bbtnbh.exe 1696 dvpjp.exe 2992 s4442.exe 1928 0664288.exe 2784 26064.exe 2204 flrrlfr.exe 1952 bnnttt.exe 3012 bbbnhb.exe 2308 608646.exe 2312 22084.exe 1020 282880.exe 1944 u008826.exe 2352 i040464.exe 1348 jjddv.exe 2576 nhnhht.exe 1808 dpdjv.exe 3032 2446088.exe 3052 e60684.exe -
resource yara_rule behavioral1/memory/1628-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-297-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1520-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-191-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2096-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-966-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-985-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-1125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-1198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-1213-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1628-1327-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o602020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u668242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6242062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0288866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1628 wrote to memory of 1204 1628 d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4.exe 31 PID 1628 wrote to memory of 1204 1628 d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4.exe 31 PID 1628 wrote to memory of 1204 1628 d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4.exe 31 PID 1628 wrote to memory of 1204 1628 d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4.exe 31 PID 1204 wrote to memory of 1396 1204 ntthht.exe 32 PID 1204 wrote to memory of 1396 1204 ntthht.exe 32 PID 1204 wrote to memory of 1396 1204 ntthht.exe 32 PID 1204 wrote to memory of 1396 1204 ntthht.exe 32 PID 1396 wrote to memory of 2012 1396 xxrffll.exe 33 PID 1396 wrote to memory of 2012 1396 xxrffll.exe 33 PID 1396 wrote to memory of 2012 1396 xxrffll.exe 33 PID 1396 wrote to memory of 2012 1396 xxrffll.exe 33 PID 2012 wrote to memory of 2152 2012 fllfrrl.exe 34 PID 2012 wrote to memory of 2152 2012 fllfrrl.exe 34 PID 2012 wrote to memory of 2152 2012 fllfrrl.exe 34 PID 2012 wrote to memory of 2152 2012 fllfrrl.exe 34 PID 2152 wrote to memory of 2844 2152 lfrrlrf.exe 35 PID 2152 wrote to memory of 2844 2152 lfrrlrf.exe 35 PID 2152 wrote to memory of 2844 2152 lfrrlrf.exe 35 PID 2152 wrote to memory of 2844 2152 lfrrlrf.exe 35 PID 2844 wrote to memory of 2848 2844 fflfxxr.exe 36 PID 2844 wrote to memory of 2848 2844 fflfxxr.exe 36 PID 2844 wrote to memory of 2848 2844 fflfxxr.exe 36 PID 2844 wrote to memory of 2848 2844 fflfxxr.exe 36 PID 2848 wrote to memory of 2960 2848 22648.exe 37 PID 2848 wrote to memory of 2960 2848 22648.exe 37 PID 2848 wrote to memory of 2960 2848 22648.exe 37 PID 2848 wrote to memory of 2960 2848 22648.exe 37 PID 2960 wrote to memory of 2716 2960 i264608.exe 38 PID 2960 wrote to memory of 2716 2960 i264608.exe 38 PID 2960 wrote to memory of 2716 2960 i264608.exe 38 PID 2960 wrote to memory of 2716 2960 i264608.exe 38 PID 2716 wrote to memory of 2928 2716 htbtht.exe 
39 PID 2716 wrote to memory of 2928 2716 htbtht.exe 39 PID 2716 wrote to memory of 2928 2716 htbtht.exe 39 PID 2716 wrote to memory of 2928 2716 htbtht.exe 39 PID 2928 wrote to memory of 2772 2928 2622048.exe 40 PID 2928 wrote to memory of 2772 2928 2622048.exe 40 PID 2928 wrote to memory of 2772 2928 2622048.exe 40 PID 2928 wrote to memory of 2772 2928 2622048.exe 40 PID 2772 wrote to memory of 2340 2772 40464.exe 41 PID 2772 wrote to memory of 2340 2772 40464.exe 41 PID 2772 wrote to memory of 2340 2772 40464.exe 41 PID 2772 wrote to memory of 2340 2772 40464.exe 41 PID 2340 wrote to memory of 920 2340 86686.exe 42 PID 2340 wrote to memory of 920 2340 86686.exe 42 PID 2340 wrote to memory of 920 2340 86686.exe 42 PID 2340 wrote to memory of 920 2340 86686.exe 42 PID 920 wrote to memory of 2976 920 rffrlxr.exe 43 PID 920 wrote to memory of 2976 920 rffrlxr.exe 43 PID 920 wrote to memory of 2976 920 rffrlxr.exe 43 PID 920 wrote to memory of 2976 920 rffrlxr.exe 43 PID 2976 wrote to memory of 2004 2976 48002.exe 44 PID 2976 wrote to memory of 2004 2976 48002.exe 44 PID 2976 wrote to memory of 2004 2976 48002.exe 44 PID 2976 wrote to memory of 2004 2976 48002.exe 44 PID 2004 wrote to memory of 1300 2004 6662002.exe 45 PID 2004 wrote to memory of 1300 2004 6662002.exe 45 PID 2004 wrote to memory of 1300 2004 6662002.exe 45 PID 2004 wrote to memory of 1300 2004 6662002.exe 45 PID 1300 wrote to memory of 3036 1300 0468602.exe 46 PID 1300 wrote to memory of 3036 1300 0468602.exe 46 PID 1300 wrote to memory of 3036 1300 0468602.exe 46 PID 1300 wrote to memory of 3036 1300 0468602.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4.exe"C:\Users\Admin\AppData\Local\Temp\d2b169163c395f2e3302d9dec10b9bc34cfadbd911f2601b69271ae52d67beb4.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\ntthht.exec:\ntthht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\xxrffll.exec:\xxrffll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\fllfrrl.exec:\fllfrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\lfrrlrf.exec:\lfrrlrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\fflfxxr.exec:\fflfxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\22648.exec:\22648.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\i264608.exec:\i264608.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\htbtht.exec:\htbtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\2622048.exec:\2622048.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\40464.exec:\40464.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\86686.exec:\86686.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\rffrlxr.exec:\rffrlxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\48002.exec:\48002.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\6662002.exec:\6662002.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\0468602.exec:\0468602.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\xxrxrfx.exec:\xxrxrfx.exe17⤵
- Executes dropped EXE
PID:3036 -
\??\c:\0086842.exec:\0086842.exe18⤵
- Executes dropped EXE
PID:2368 -
\??\c:\ppvdp.exec:\ppvdp.exe19⤵
- Executes dropped EXE
PID:1432 -
\??\c:\5djdd.exec:\5djdd.exe20⤵
- Executes dropped EXE
PID:2096 -
\??\c:\tbtnhn.exec:\tbtnhn.exe21⤵
- Executes dropped EXE
PID:2128 -
\??\c:\nttnnh.exec:\nttnnh.exe22⤵
- Executes dropped EXE
PID:2656 -
\??\c:\dpvvv.exec:\dpvvv.exe23⤵
- Executes dropped EXE
PID:2384 -
\??\c:\4886044.exec:\4886044.exe24⤵
- Executes dropped EXE
PID:680 -
\??\c:\886822.exec:\886822.exe25⤵
- Executes dropped EXE
PID:1644 -
\??\c:\28208.exec:\28208.exe26⤵
- Executes dropped EXE
PID:1944 -
\??\c:\rlrxlrr.exec:\rlrxlrr.exe27⤵
- Executes dropped EXE
PID:1820 -
\??\c:\0486868.exec:\0486868.exe28⤵
- Executes dropped EXE
PID:2576 -
\??\c:\djjjv.exec:\djjjv.exe29⤵
- Executes dropped EXE
PID:1308 -
\??\c:\i028446.exec:\i028446.exe30⤵
- Executes dropped EXE
PID:2064 -
\??\c:\82680.exec:\82680.exe31⤵
- Executes dropped EXE
PID:2168 -
\??\c:\thntnb.exec:\thntnb.exe32⤵
- Executes dropped EXE
PID:1520 -
\??\c:\88026.exec:\88026.exe33⤵
- Executes dropped EXE
PID:2000 -
\??\c:\88846.exec:\88846.exe34⤵PID:1580
-
\??\c:\flfrfxl.exec:\flfrfxl.exe35⤵
- Executes dropped EXE
PID:2056 -
\??\c:\vdpdv.exec:\vdpdv.exe36⤵
- Executes dropped EXE
PID:2596 -
\??\c:\q64882.exec:\q64882.exe37⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vjpjd.exec:\vjpjd.exe38⤵
- Executes dropped EXE
PID:1984 -
\??\c:\vjdjd.exec:\vjdjd.exe39⤵
- Executes dropped EXE
PID:2800 -
\??\c:\rlfxrfr.exec:\rlfxrfr.exe40⤵
- Executes dropped EXE
PID:2904 -
\??\c:\ntnbtn.exec:\ntnbtn.exe41⤵
- Executes dropped EXE
PID:788 -
\??\c:\g6060.exec:\g6060.exe42⤵
- Executes dropped EXE
PID:2828 -
\??\c:\2660408.exec:\2660408.exe43⤵
- Executes dropped EXE
PID:2380 -
\??\c:\jvjdp.exec:\jvjdp.exe44⤵
- Executes dropped EXE
PID:2832 -
\??\c:\06402.exec:\06402.exe45⤵
- Executes dropped EXE
PID:1392 -
\??\c:\40402.exec:\40402.exe46⤵
- Executes dropped EXE
PID:2816 -
\??\c:\s0042.exec:\s0042.exe47⤵
- Executes dropped EXE
PID:1804 -
\??\c:\fxxffxf.exec:\fxxffxf.exe48⤵
- Executes dropped EXE
PID:2984 -
\??\c:\bbtnbh.exec:\bbtnbh.exe49⤵
- Executes dropped EXE
PID:1388 -
\??\c:\dvpjp.exec:\dvpjp.exe50⤵
- Executes dropped EXE
PID:1696 -
\??\c:\s4442.exec:\s4442.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992 -
\??\c:\0664288.exec:\0664288.exe52⤵
- Executes dropped EXE
PID:1928 -
\??\c:\26064.exec:\26064.exe53⤵
- Executes dropped EXE
PID:2784 -
\??\c:\flrrlfr.exec:\flrrlfr.exe54⤵
- Executes dropped EXE
PID:2204 -
\??\c:\bnnttt.exec:\bnnttt.exe55⤵
- Executes dropped EXE
PID:1952 -
\??\c:\bbbnhb.exec:\bbbnhb.exe56⤵
- Executes dropped EXE
PID:3012 -
\??\c:\608646.exec:\608646.exe57⤵
- Executes dropped EXE
PID:2308 -
\??\c:\22084.exec:\22084.exe58⤵
- Executes dropped EXE
PID:2312 -
\??\c:\282880.exec:\282880.exe59⤵
- Executes dropped EXE
PID:1020 -
\??\c:\u008826.exec:\u008826.exe60⤵
- Executes dropped EXE
PID:1944 -
\??\c:\i040464.exec:\i040464.exe61⤵
- Executes dropped EXE
PID:2352 -
\??\c:\jjddv.exec:\jjddv.exe62⤵
- Executes dropped EXE
PID:1348 -
\??\c:\nhnhht.exec:\nhnhht.exe63⤵
- Executes dropped EXE
PID:2576 -
\??\c:\dpdjv.exec:\dpdjv.exe64⤵
- Executes dropped EXE
PID:1808 -
\??\c:\2446088.exec:\2446088.exe65⤵
- Executes dropped EXE
PID:3032 -
\??\c:\e60684.exec:\e60684.exe66⤵
- Executes dropped EXE
PID:3052 -
\??\c:\28428.exec:\28428.exe67⤵PID:2356
-
\??\c:\88868.exec:\88868.exe68⤵PID:1604
-
\??\c:\2608664.exec:\2608664.exe69⤵PID:1716
-
\??\c:\22686.exec:\22686.exe70⤵PID:3048
-
\??\c:\00808.exec:\00808.exe71⤵PID:1268
-
\??\c:\44422.exec:\44422.exe72⤵PID:1740
-
\??\c:\60280.exec:\60280.exe73⤵PID:2520
-
\??\c:\840888.exec:\840888.exe74⤵PID:2612
-
\??\c:\5llffxr.exec:\5llffxr.exe75⤵PID:1036
-
\??\c:\hhbthn.exec:\hhbthn.exe76⤵PID:596
-
\??\c:\0608426.exec:\0608426.exe77⤵PID:2700
-
\??\c:\bttnth.exec:\bttnth.exe78⤵PID:2888
-
\??\c:\rrlllxl.exec:\rrlllxl.exe79⤵PID:2380
-
\??\c:\880200.exec:\880200.exe80⤵PID:2728
-
\??\c:\8628608.exec:\8628608.exe81⤵PID:2796
-
\??\c:\9bthtt.exec:\9bthtt.exe82⤵PID:2224
-
\??\c:\i224220.exec:\i224220.exe83⤵PID:2072
-
\??\c:\6882484.exec:\6882484.exe84⤵PID:2928
-
\??\c:\vvpvj.exec:\vvpvj.exe85⤵PID:3064
-
\??\c:\04862.exec:\04862.exe86⤵PID:864
-
\??\c:\lflllll.exec:\lflllll.exe87⤵PID:1948
-
\??\c:\jjjjd.exec:\jjjjd.exe88⤵PID:2244
-
\??\c:\48648.exec:\48648.exe89⤵PID:2428
-
\??\c:\a0226.exec:\a0226.exe90⤵PID:3068
-
\??\c:\vdvdd.exec:\vdvdd.exe91⤵PID:2116
-
\??\c:\rllxlll.exec:\rllxlll.exe92⤵PID:2996
-
\??\c:\9nbbtt.exec:\9nbbtt.exe93⤵PID:3024
-
\??\c:\826862.exec:\826862.exe94⤵PID:2136
-
\??\c:\7lxlfff.exec:\7lxlfff.exe95⤵PID:1912
-
\??\c:\dddpd.exec:\dddpd.exe96⤵PID:2260
-
\??\c:\bnhtnt.exec:\bnhtnt.exe97⤵PID:1764
-
\??\c:\808288.exec:\808288.exe98⤵PID:2384
-
\??\c:\8268664.exec:\8268664.exe99⤵PID:2500
-
\??\c:\22082.exec:\22082.exe100⤵PID:2312
-
\??\c:\0620604.exec:\0620604.exe101⤵PID:2272
-
\??\c:\2624202.exec:\2624202.exe102⤵PID:3016
-
\??\c:\240464.exec:\240464.exe103⤵PID:1976
-
\??\c:\pvdpj.exec:\pvdpj.exe104⤵PID:1636
-
\??\c:\20468.exec:\20468.exe105⤵PID:1712
-
\??\c:\ddpvd.exec:\ddpvd.exe106⤵PID:1348
-
\??\c:\0244668.exec:\0244668.exe107⤵PID:1344
-
\??\c:\828804.exec:\828804.exe108⤵PID:820
-
\??\c:\48860.exec:\48860.exe109⤵PID:1520
-
\??\c:\thhbhn.exec:\thhbhn.exe110⤵PID:2000
-
\??\c:\4260466.exec:\4260466.exe111⤵PID:1792
-
\??\c:\9nnthn.exec:\9nnthn.exe112⤵PID:2316
-
\??\c:\884642.exec:\884642.exe113⤵PID:1648
-
\??\c:\jvvdp.exec:\jvvdp.exe114⤵PID:1608
-
\??\c:\m4808.exec:\m4808.exe115⤵PID:2596
-
\??\c:\rxxrlff.exec:\rxxrlff.exe116⤵PID:1204
-
\??\c:\jvdvp.exec:\jvdvp.exe117⤵PID:2332
-
\??\c:\822206.exec:\822206.exe118⤵PID:320
-
\??\c:\ttbnbb.exec:\ttbnbb.exe119⤵PID:1028
-
\??\c:\2460682.exec:\2460682.exe120⤵PID:2404
-
\??\c:\8442648.exec:\8442648.exe121⤵PID:1680
-
\??\c:\ttbhhb.exec:\ttbhhb.exe122⤵PID:2832