Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-11-2024 11:44
Behavioral task
behavioral1
Sample
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe
-
Size
86KB
-
MD5
299858b8db7ae1ab751673b4953185ac
-
SHA1
8630935ba7c234df2fbd6c458e16e25973cd2ad7
-
SHA256
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd
-
SHA512
d5fc972c2907dae8265aea95887d0747350a2f9367d6169043c8871aa671bf181e4aa3b2998a3b4ad7e311ac0961612c027df0a5cb1c9374dd3b5dfb8e3c4d8d
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADSNVQfKPgqA22GU:9hOmTsF93UYfwC6GIoutyaVszyKd+XYg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/2648-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2812-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2204-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2816-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2720-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2572-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2992-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1296-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1244-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1296-89-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2156-102-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2452-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2156-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2772-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2412-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1924-167-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/532-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/532-181-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2280-195-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/1924-193-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon 
behavioral1/memory/1996-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2288-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2936-271-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2104-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2104-265-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2936-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1492-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2752-306-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2752-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2832-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2656-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2844-335-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2844-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2560-346-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2560-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1476-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2196-379-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/552-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1800-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2012-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3060-500-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1928-550-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1584-575-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2780-579-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2716-596-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2164-659-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1892-679-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2372-712-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1980-717-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1132-762-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2408-817-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/1588-839-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1432-986-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1676-1003-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2108-1052-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2368-1092-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2664 g6842.exe 2812 86624.exe 2204 tnhbht.exe 2816 bttbhb.exe 2720 pdvpv.exe 2572 lfflrxf.exe 2992 nbhntb.exe 1244 g0082.exe 1296 dvdjp.exe 2156 a8224.exe 2452 86288.exe 2868 c868068.exe 2396 q24066.exe 2528 3rfrrfr.exe 2772 824088.exe 2412 4862244.exe 1924 btbttt.exe 1912 i642400.exe 532 rrllrrx.exe 2280 u688046.exe 2516 tnhbbb.exe 3052 26464.exe 2540 w82860.exe 2288 xrflffr.exe 1996 86828.exe 1692 s2600.exe 1312 820800.exe 2104 lffrxfr.exe 2936 46284.exe 1492 046844.exe 2508 jdjdp.exe 2760 jvppv.exe 2752 a2246.exe 2708 26842.exe 2832 5rffxff.exe 2656 tnbhhn.exe 2844 5frrrrr.exe 2560 vjddp.exe 2632 xllfllr.exe 2608 82846.exe 1476 5vvvd.exe 1184 htnbnn.exe 2196 642848.exe 552 w08404.exe 2524 6024062.exe 2856 o640828.exe 1800 2628800.exe 2868 480688.exe 2396 3jppp.exe 2544 a8004.exe 2528 q20448.exe 2424 dvpdj.exe 1960 206062.exe 2344 jpjjj.exe 2912 2022828.exe 1912 1btntt.exe 2088 xrflrll.exe 2012 htttbt.exe 2748 6080684.exe 1132 frflxrx.exe 2536 tnbhnn.exe 948 3tntbh.exe 3060 bntttb.exe 1328 868840.exe -
resource yara_rule behavioral1/memory/2648-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a0000000120d6-5.dat upx behavioral1/memory/2648-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2664-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016dd5-19.dat upx behavioral1/files/0x0007000000016dd9-29.dat upx behavioral1/memory/2812-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016de9-38.dat upx behavioral1/memory/2204-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2816-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2720-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016df5-45.dat upx behavioral1/memory/2720-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016df8-57.dat upx behavioral1/files/0x0009000000016f02-67.dat upx behavioral1/memory/2572-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2992-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000018be7-75.dat upx behavioral1/files/0x0006000000018d7b-82.dat upx behavioral1/memory/1296-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1244-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018d83-94.dat upx behavioral1/memory/2452-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018fdf-105.dat upx behavioral1/memory/2156-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019056-115.dat upx behavioral1/files/0x0005000000019203-122.dat upx behavioral1/files/0x0005000000019237-132.dat upx behavioral1/files/0x000500000001924f-139.dat upx behavioral1/files/0x0005000000019261-150.dat upx behavioral1/memory/2772-148-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2412-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019274-159.dat upx behavioral1/files/0x000500000001927a-168.dat upx behavioral1/files/0x0032000000016d68-176.dat upx behavioral1/memory/532-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019299-186.dat upx behavioral1/files/0x00050000000192a1-196.dat upx behavioral1/memory/2516-204-0x00000000002D0000-0x00000000002F7000-memory.dmp upx behavioral1/files/0x0005000000019354-205.dat upx behavioral1/files/0x0005000000019358-212.dat upx behavioral1/files/0x000500000001938e-222.dat upx behavioral1/memory/2540-221-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/1996-234-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001939f-232.dat upx behavioral1/memory/2288-231-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193cc-241.dat upx behavioral1/files/0x00050000000193d0-248.dat upx behavioral1/files/0x00050000000193dc-256.dat upx behavioral1/files/0x00050000000193f9-268.dat upx behavioral1/memory/2104-266-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2104-263-0x0000000000230000-0x0000000000257000-memory.dmp upx behavioral1/files/0x0005000000019426-276.dat upx behavioral1/memory/2936-277-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1492-285-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019428-286.dat upx behavioral1/files/0x00050000000194ad-295.dat upx behavioral1/memory/2752-311-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2832-324-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2844-332-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2656-331-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2844-340-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2560-347-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1476-360-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 444622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w82860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0466606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0424628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2648 wrote to memory of 2664 2648 e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe 30 PID 2648 wrote to memory of 2664 2648 e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe 30 PID 2648 wrote to memory of 2664 2648 e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe 30 PID 2648 wrote to memory of 2664 2648 e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe 30 PID 2664 wrote to memory of 2812 2664 g6842.exe 31 PID 2664 wrote to memory of 2812 2664 g6842.exe 31 PID 2664 wrote to memory of 2812 2664 g6842.exe 31 PID 2664 wrote to memory of 2812 2664 g6842.exe 31 PID 2812 wrote to memory of 2204 2812 86624.exe 32 PID 2812 wrote to memory of 2204 2812 86624.exe 32 PID 2812 wrote to memory of 2204 2812 86624.exe 32 PID 2812 wrote to memory of 2204 2812 86624.exe 32 PID 2204 wrote to memory of 2816 2204 tnhbht.exe 33 PID 2204 wrote to memory of 2816 2204 tnhbht.exe 33 PID 2204 wrote to memory of 2816 2204 tnhbht.exe 33 PID 2204 wrote to memory of 2816 2204 tnhbht.exe 33 PID 2816 wrote to memory of 2720 2816 bttbhb.exe 34 PID 2816 wrote to memory of 2720 2816 bttbhb.exe 34 PID 2816 wrote to memory of 2720 2816 bttbhb.exe 34 PID 2816 wrote to memory of 2720 2816 bttbhb.exe 34 PID 2720 wrote to memory of 2572 2720 pdvpv.exe 35 PID 2720 wrote to memory of 2572 2720 pdvpv.exe 35 PID 2720 wrote to memory of 2572 2720 pdvpv.exe 35 PID 2720 wrote to memory of 2572 2720 pdvpv.exe 35 PID 2572 wrote to memory of 2992 2572 lfflrxf.exe 36 PID 2572 wrote to memory of 2992 2572 lfflrxf.exe 36 PID 2572 wrote to memory of 2992 2572 lfflrxf.exe 36 PID 2572 wrote to memory of 2992 2572 lfflrxf.exe 36 PID 2992 wrote to memory of 1244 2992 nbhntb.exe 37 PID 2992 wrote to memory of 1244 2992 nbhntb.exe 37 PID 2992 wrote to memory of 1244 2992 nbhntb.exe 37 PID 2992 wrote to memory of 1244 2992 nbhntb.exe 37 PID 1244 wrote to memory of 1296 1244 g0082.exe 38 PID 1244 wrote to 
memory of 1296 1244 g0082.exe 38 PID 1244 wrote to memory of 1296 1244 g0082.exe 38 PID 1244 wrote to memory of 1296 1244 g0082.exe 38 PID 1296 wrote to memory of 2156 1296 dvdjp.exe 39 PID 1296 wrote to memory of 2156 1296 dvdjp.exe 39 PID 1296 wrote to memory of 2156 1296 dvdjp.exe 39 PID 1296 wrote to memory of 2156 1296 dvdjp.exe 39 PID 2156 wrote to memory of 2452 2156 a8224.exe 40 PID 2156 wrote to memory of 2452 2156 a8224.exe 40 PID 2156 wrote to memory of 2452 2156 a8224.exe 40 PID 2156 wrote to memory of 2452 2156 a8224.exe 40 PID 2452 wrote to memory of 2868 2452 86288.exe 41 PID 2452 wrote to memory of 2868 2452 86288.exe 41 PID 2452 wrote to memory of 2868 2452 86288.exe 41 PID 2452 wrote to memory of 2868 2452 86288.exe 41 PID 2868 wrote to memory of 2396 2868 c868068.exe 42 PID 2868 wrote to memory of 2396 2868 c868068.exe 42 PID 2868 wrote to memory of 2396 2868 c868068.exe 42 PID 2868 wrote to memory of 2396 2868 c868068.exe 42 PID 2396 wrote to memory of 2528 2396 q24066.exe 43 PID 2396 wrote to memory of 2528 2396 q24066.exe 43 PID 2396 wrote to memory of 2528 2396 q24066.exe 43 PID 2396 wrote to memory of 2528 2396 q24066.exe 43 PID 2528 wrote to memory of 2772 2528 3rfrrfr.exe 44 PID 2528 wrote to memory of 2772 2528 3rfrrfr.exe 44 PID 2528 wrote to memory of 2772 2528 3rfrrfr.exe 44 PID 2528 wrote to memory of 2772 2528 3rfrrfr.exe 44 PID 2772 wrote to memory of 2412 2772 824088.exe 45 PID 2772 wrote to memory of 2412 2772 824088.exe 45 PID 2772 wrote to memory of 2412 2772 824088.exe 45 PID 2772 wrote to memory of 2412 2772 824088.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe"C:\Users\Admin\AppData\Local\Temp\e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\g6842.exec:\g6842.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\86624.exec:\86624.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\tnhbht.exec:\tnhbht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\bttbhb.exec:\bttbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\pdvpv.exec:\pdvpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\lfflrxf.exec:\lfflrxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\nbhntb.exec:\nbhntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\g0082.exec:\g0082.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\dvdjp.exec:\dvdjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\a8224.exec:\a8224.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\86288.exec:\86288.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\c868068.exec:\c868068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\q24066.exec:\q24066.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\3rfrrfr.exec:\3rfrrfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\824088.exec:\824088.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\4862244.exec:\4862244.exe17⤵
- Executes dropped EXE
PID:2412 -
\??\c:\btbttt.exec:\btbttt.exe18⤵
- Executes dropped EXE
PID:1924 -
\??\c:\i642400.exec:\i642400.exe19⤵
- Executes dropped EXE
PID:1912 -
\??\c:\rrllrrx.exec:\rrllrrx.exe20⤵
- Executes dropped EXE
PID:532 -
\??\c:\u688046.exec:\u688046.exe21⤵
- Executes dropped EXE
PID:2280 -
\??\c:\tnhbbb.exec:\tnhbbb.exe22⤵
- Executes dropped EXE
PID:2516 -
\??\c:\26464.exec:\26464.exe23⤵
- Executes dropped EXE
PID:3052 -
\??\c:\w82860.exec:\w82860.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540 -
\??\c:\xrflffr.exec:\xrflffr.exe25⤵
- Executes dropped EXE
PID:2288 -
\??\c:\86828.exec:\86828.exe26⤵
- Executes dropped EXE
PID:1996 -
\??\c:\s2600.exec:\s2600.exe27⤵
- Executes dropped EXE
PID:1692 -
\??\c:\820800.exec:\820800.exe28⤵
- Executes dropped EXE
PID:1312 -
\??\c:\lffrxfr.exec:\lffrxfr.exe29⤵
- Executes dropped EXE
PID:2104 -
\??\c:\46284.exec:\46284.exe30⤵
- Executes dropped EXE
PID:2936 -
\??\c:\046844.exec:\046844.exe31⤵
- Executes dropped EXE
PID:1492 -
\??\c:\jdjdp.exec:\jdjdp.exe32⤵
- Executes dropped EXE
PID:2508 -
\??\c:\jvppv.exec:\jvppv.exe33⤵
- Executes dropped EXE
PID:2760 -
\??\c:\a2246.exec:\a2246.exe34⤵
- Executes dropped EXE
PID:2752 -
\??\c:\26842.exec:\26842.exe35⤵
- Executes dropped EXE
PID:2708 -
\??\c:\5rffxff.exec:\5rffxff.exe36⤵
- Executes dropped EXE
PID:2832 -
\??\c:\tnbhhn.exec:\tnbhhn.exe37⤵
- Executes dropped EXE
PID:2656 -
\??\c:\5frrrrr.exec:\5frrrrr.exe38⤵
- Executes dropped EXE
PID:2844 -
\??\c:\vjddp.exec:\vjddp.exe39⤵
- Executes dropped EXE
PID:2560 -
\??\c:\xllfllr.exec:\xllfllr.exe40⤵
- Executes dropped EXE
PID:2632 -
\??\c:\82846.exec:\82846.exe41⤵
- Executes dropped EXE
PID:2608 -
\??\c:\5vvvd.exec:\5vvvd.exe42⤵
- Executes dropped EXE
PID:1476 -
\??\c:\htnbnn.exec:\htnbnn.exe43⤵
- Executes dropped EXE
PID:1184 -
\??\c:\642848.exec:\642848.exe44⤵
- Executes dropped EXE
PID:2196 -
\??\c:\w08404.exec:\w08404.exe45⤵
- Executes dropped EXE
PID:552 -
\??\c:\6024062.exec:\6024062.exe46⤵
- Executes dropped EXE
PID:2524 -
\??\c:\o640828.exec:\o640828.exe47⤵
- Executes dropped EXE
PID:2856 -
\??\c:\2628800.exec:\2628800.exe48⤵
- Executes dropped EXE
PID:1800 -
\??\c:\480688.exec:\480688.exe49⤵
- Executes dropped EXE
PID:2868 -
\??\c:\3jppp.exec:\3jppp.exe50⤵
- Executes dropped EXE
PID:2396 -
\??\c:\a8004.exec:\a8004.exe51⤵
- Executes dropped EXE
PID:2544 -
\??\c:\q20448.exec:\q20448.exe52⤵
- Executes dropped EXE
PID:2528 -
\??\c:\dvpdj.exec:\dvpdj.exe53⤵
- Executes dropped EXE
PID:2424 -
\??\c:\206062.exec:\206062.exe54⤵
- Executes dropped EXE
PID:1960 -
\??\c:\jpjjj.exec:\jpjjj.exe55⤵
- Executes dropped EXE
PID:2344 -
\??\c:\2022828.exec:\2022828.exe56⤵
- Executes dropped EXE
PID:2912 -
\??\c:\1btntt.exec:\1btntt.exe57⤵
- Executes dropped EXE
PID:1912 -
\??\c:\xrflrll.exec:\xrflrll.exe58⤵
- Executes dropped EXE
PID:2088 -
\??\c:\htttbt.exec:\htttbt.exe59⤵
- Executes dropped EXE
PID:2012 -
\??\c:\6080684.exec:\6080684.exe60⤵
- Executes dropped EXE
PID:2748 -
\??\c:\frflxrx.exec:\frflxrx.exe61⤵
- Executes dropped EXE
PID:1132 -
\??\c:\tnbhnn.exec:\tnbhnn.exe62⤵
- Executes dropped EXE
PID:2536 -
\??\c:\3tntbh.exec:\3tntbh.exe63⤵
- Executes dropped EXE
PID:948 -
\??\c:\bntttb.exec:\bntttb.exe64⤵
- Executes dropped EXE
PID:3060 -
\??\c:\868840.exec:\868840.exe65⤵
- Executes dropped EXE
PID:1328 -
\??\c:\64206.exec:\64206.exe66⤵PID:1984
-
\??\c:\264628.exec:\264628.exe67⤵PID:1600
-
\??\c:\m4228.exec:\m4228.exe68⤵PID:2212
-
\??\c:\20840.exec:\20840.exe69⤵PID:2640
-
\??\c:\m4666.exec:\m4666.exe70⤵PID:2104
-
\??\c:\2066662.exec:\2066662.exe71⤵PID:1928
-
\??\c:\frfrxxf.exec:\frfrxxf.exe72⤵PID:2884
-
\??\c:\82468.exec:\82468.exe73⤵PID:1496
-
\??\c:\vjpvj.exec:\vjpvj.exe74⤵PID:2660
-
\??\c:\0884602.exec:\0884602.exe75⤵PID:1584
-
\??\c:\428848.exec:\428848.exe76⤵PID:2780
-
\??\c:\426666.exec:\426666.exe77⤵PID:2564
-
\??\c:\9lxfllf.exec:\9lxfllf.exe78⤵PID:2716
-
\??\c:\5fxxffl.exec:\5fxxffl.exe79⤵PID:2988
-
\??\c:\08464.exec:\08464.exe80⤵PID:2824
-
\??\c:\s8222.exec:\s8222.exe81⤵PID:2568
-
\??\c:\w28888.exec:\w28888.exe82⤵PID:1624
-
\??\c:\i200228.exec:\i200228.exe83⤵PID:2276
-
\??\c:\3flfrlr.exec:\3flfrlr.exe84⤵PID:1480
-
\??\c:\dvdjp.exec:\dvdjp.exe85⤵PID:880
-
\??\c:\828406.exec:\828406.exe86⤵PID:2456
-
\??\c:\602844.exec:\602844.exe87⤵PID:1792
-
\??\c:\5hbhnh.exec:\5hbhnh.exe88⤵PID:2164
-
\??\c:\9vpdj.exec:\9vpdj.exe89⤵PID:2460
-
\??\c:\g8062.exec:\g8062.exe90⤵PID:2400
-
\??\c:\5btnbt.exec:\5btnbt.exe91⤵PID:1892
-
\??\c:\o800040.exec:\o800040.exe92⤵PID:2248
-
\??\c:\5nhnnb.exec:\5nhnnb.exe93⤵PID:2616
-
\??\c:\o806626.exec:\o806626.exe94⤵PID:1280
-
\??\c:\s6402.exec:\s6402.exe95⤵PID:1972
-
\??\c:\9xllrrl.exec:\9xllrrl.exe96⤵PID:2372
-
\??\c:\4868880.exec:\4868880.exe97⤵PID:1980
-
\??\c:\hntbnh.exec:\hntbnh.exe98⤵PID:1968
-
\??\c:\c080284.exec:\c080284.exe99⤵PID:1976
-
\??\c:\xlxllff.exec:\xlxllff.exe100⤵PID:2388
-
\??\c:\04628.exec:\04628.exe101⤵PID:1316
-
\??\c:\pdjjd.exec:\pdjjd.exe102⤵PID:2012
-
\??\c:\dpvdp.exec:\dpvdp.exe103⤵PID:1804
-
\??\c:\nbnbhh.exec:\nbnbhh.exe104⤵PID:1132
-
\??\c:\httbhb.exec:\httbhb.exe105⤵PID:548
-
\??\c:\1dppj.exec:\1dppj.exe106⤵PID:2108
-
\??\c:\86284.exec:\86284.exe107⤵PID:1716
-
\??\c:\0866288.exec:\0866288.exe108⤵PID:764
-
\??\c:\frxlrxf.exec:\frxlrxf.exe109⤵PID:2380
-
\??\c:\lfrxxxf.exec:\lfrxxxf.exe110⤵PID:1312
-
\??\c:\64624.exec:\64624.exe111⤵PID:1736
-
\??\c:\thtttt.exec:\thtttt.exe112⤵PID:2408
-
\??\c:\bnttbb.exec:\bnttbb.exe113⤵PID:976
-
\??\c:\ntnnnn.exec:\ntnnnn.exe114⤵PID:1264
-
\??\c:\hthnnn.exec:\hthnnn.exe115⤵PID:2128
-
\??\c:\9jpjj.exec:\9jpjj.exe116⤵PID:1588
-
\??\c:\42446.exec:\42446.exe117⤵PID:2704
-
\??\c:\60800.exec:\60800.exe118⤵PID:2900
-
\??\c:\pdddj.exec:\pdddj.exe119⤵PID:2812
-
\??\c:\o200600.exec:\o200600.exe120⤵PID:2264
-
\??\c:\8684628.exec:\8684628.exe121⤵PID:2740
-
\??\c:\08400.exec:\08400.exe122⤵PID:2988