Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
24-11-2024 15:45
Behavioral task
behavioral1
Sample
7b2b5ca308337dcbe131416471887f763fca1bd5a261575935a341efeec85306N.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
7b2b5ca308337dcbe131416471887f763fca1bd5a261575935a341efeec85306N.exe
-
Size
71KB
-
MD5
96abf6db8ba955f5e2d59ff949fe8650
-
SHA1
e551dc3ad3ff9549a8e4c5def9648456f3504cbc
-
SHA256
7b2b5ca308337dcbe131416471887f763fca1bd5a261575935a341efeec85306
-
SHA512
52ecba3002b6098f9cab1184a1695153a049196e21a4e86a42b8fb236ba74205d8ba3221998f84fab9a1981ae4bb0094674e09b1ea464fd1d4274605bd4dc130
-
SSDEEP
1536:cvQBeOGtrYS3srx93UBWfwC6Ggnouy8HglW8waWan:chOmTsF93UYfwC6GIout3t7an
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2156-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2360-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1008-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2768-40-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2768-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2748-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2772-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2928-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2800-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/648-81-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/648-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2836-95-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2668-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2836-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-102-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2072-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2224-132-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2224-134-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2260-139-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2260-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1880-159-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2172-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1828-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1456-190-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1748-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1924-209-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1728-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1120-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1728-229-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/712-270-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1624-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/444-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2476-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1624-331-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2672-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2840-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2840-362-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2880-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2660-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2212-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2340-421-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1676-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/916-493-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2064-506-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1404-582-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2776-589-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2908-592-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2888-616-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2836-641-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2248-684-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2360-818-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2760-843-0x00000000005C0000-0x00000000005E7000-memory.dmp family_blackmoon behavioral1/memory/2892-870-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/448-943-0x00000000001C0000-0x00000000001E7000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2360 4200842.exe 1008 8642484.exe 2768 e24400.exe 2748 5jvpp.exe 2772 3vdjp.exe 2928 2684280.exe 2800 5vppv.exe 648 q60022.exe 2836 7djjd.exe 2668 86048.exe 3044 vpdvv.exe 2072 48284.exe 2224 244288.exe 2260 e66682.exe 2172 jdjpv.exe 1880 tbbbbt.exe 1828 42066.exe 1256 bbbnbh.exe 1456 xlxxxrx.exe 1748 042800.exe 1924 m8084.exe 1120 u488446.exe 1728 o628440.exe 1012 648822.exe 1672 hbbhtb.exe 2616 pjdjj.exe 1876 1ddvj.exe 712 e62840.exe 680 jdjpp.exe 1064 e82228.exe 2308 608606.exe 1624 hbnnnh.exe 444 rfrrfxf.exe 2476 htbhnt.exe 2848 840466.exe 2312 tnnnhn.exe 2440 08662.exe 2672 086622.exe 2896 480684.exe 2840 040406.exe 2880 lxlrxxf.exe 2836 424466.exe 2660 88042.exe 2344 fxrxllx.exe 2276 4284666.exe 1952 6424040.exe 2224 k02200.exe 2200 dvvdj.exe 2340 48062.exe 2212 rfxrrxf.exe 844 bbthnn.exe 1928 66402.exe 2456 o262840.exe 1736 ffllrxx.exe 2020 5lrfrrf.exe 1676 264688.exe 2408 xrrlflr.exe 2068 xxrfrxl.exe 1044 tnbbtt.exe 916 vpvdp.exe 2008 8288002.exe 2064 ppjjj.exe 1756 9flrxrx.exe 588 886846.exe -
resource yara_rule behavioral1/memory/2156-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0011000000011c2c-5.dat upx behavioral1/memory/2360-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2156-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2360-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1008-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016650-19.dat upx behavioral1/memory/1008-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016875-29.dat upx behavioral1/memory/2768-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016b47-39.dat upx behavioral1/memory/2768-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016c66-49.dat upx behavioral1/memory/2748-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2772-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016c88-59.dat upx behavioral1/files/0x0007000000016cd7-67.dat upx behavioral1/memory/2928-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016cf5-75.dat upx behavioral1/memory/2800-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/648-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000017497-87.dat upx behavioral1/memory/648-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2836-95-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2668-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001749c-98.dat upx behavioral1/memory/2836-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001755b-107.dat upx behavioral1/files/0x0005000000018686-117.dat upx 
behavioral1/memory/2072-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2072-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186e7-125.dat upx behavioral1/files/0x00050000000186ed-136.dat upx behavioral1/files/0x00050000000186f1-145.dat upx behavioral1/memory/2260-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1880-159-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x00050000000186f4-156.dat upx behavioral1/memory/2172-155-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2172-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018704-164.dat upx behavioral1/files/0x0005000000018739-174.dat upx behavioral1/memory/1828-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018744-182.dat upx behavioral1/memory/1456-190-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/1748-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001878e-192.dat upx behavioral1/files/0x00050000000187a8-201.dat upx behavioral1/files/0x0006000000018b4e-212.dat upx behavioral1/memory/1120-211-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1728-222-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016332-221.dat upx behavioral1/memory/1120-219-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018c16-231.dat upx behavioral1/files/0x0005000000019246-238.dat upx behavioral1/files/0x0005000000019250-247.dat upx behavioral1/files/0x0005000000019269-254.dat upx behavioral1/files/0x0005000000019278-263.dat upx behavioral1/files/0x0005000000019284-273.dat upx behavioral1/memory/1064-282-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019297-281.dat upx behavioral1/files/0x000500000001933f-289.dat upx 
behavioral1/files/0x0005000000019360-298.dat upx behavioral1/memory/1624-306-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/444-314-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0468462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i866666.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o424224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2360 2156 7b2b5ca308337dcbe131416471887f763fca1bd5a261575935a341efeec85306N.exe 30 PID 2156 wrote to memory of 2360 2156 7b2b5ca308337dcbe131416471887f763fca1bd5a261575935a341efeec85306N.exe 30 PID 2156 wrote to memory of 2360 2156 7b2b5ca308337dcbe131416471887f763fca1bd5a261575935a341efeec85306N.exe 30 PID 2156 wrote to memory of 2360 2156 7b2b5ca308337dcbe131416471887f763fca1bd5a261575935a341efeec85306N.exe 30 PID 2360 wrote to memory of 1008 2360 4200842.exe 31 PID 2360 wrote to memory of 1008 2360 4200842.exe 31 PID 2360 wrote to memory of 1008 2360 4200842.exe 31 PID 2360 wrote to memory of 1008 2360 4200842.exe 31 PID 1008 wrote to memory of 2768 1008 8642484.exe 32 PID 1008 wrote to memory of 2768 1008 8642484.exe 32 PID 1008 wrote to memory of 2768 1008 8642484.exe 32 PID 1008 wrote to memory of 2768 1008 8642484.exe 32 PID 2768 wrote to memory of 2748 2768 e24400.exe 33 PID 2768 wrote to memory of 2748 2768 e24400.exe 33 PID 2768 wrote to memory of 2748 2768 e24400.exe 33 PID 2768 wrote to memory of 2748 2768 e24400.exe 33 PID 2748 wrote to memory of 2772 2748 5jvpp.exe 34 PID 2748 wrote to memory of 2772 2748 5jvpp.exe 34 PID 2748 wrote to memory of 2772 2748 5jvpp.exe 34 PID 2748 wrote to memory of 2772 2748 5jvpp.exe 34 PID 2772 wrote to memory of 2928 2772 3vdjp.exe 35 PID 2772 wrote to memory of 2928 2772 3vdjp.exe 35 PID 2772 wrote to memory of 2928 2772 3vdjp.exe 35 PID 2772 wrote to memory of 2928 2772 3vdjp.exe 35 PID 2928 wrote to memory of 2800 2928 2684280.exe 36 PID 2928 wrote to memory of 2800 2928 2684280.exe 36 PID 2928 wrote to memory of 2800 2928 2684280.exe 36 PID 2928 wrote to memory of 2800 2928 2684280.exe 36 PID 2800 wrote to memory of 648 2800 5vppv.exe 37 PID 2800 wrote to memory of 648 2800 5vppv.exe 37 PID 2800 wrote to memory of 648 2800 5vppv.exe 37 PID 2800 wrote to memory of 648 2800 5vppv.exe 37 PID 648 wrote to memory of 2836 648 q60022.exe 38 PID 648 wrote 
to memory of 2836 648 q60022.exe 38 PID 648 wrote to memory of 2836 648 q60022.exe 38 PID 648 wrote to memory of 2836 648 q60022.exe 38 PID 2836 wrote to memory of 2668 2836 7djjd.exe 39 PID 2836 wrote to memory of 2668 2836 7djjd.exe 39 PID 2836 wrote to memory of 2668 2836 7djjd.exe 39 PID 2836 wrote to memory of 2668 2836 7djjd.exe 39 PID 2668 wrote to memory of 3044 2668 86048.exe 40 PID 2668 wrote to memory of 3044 2668 86048.exe 40 PID 2668 wrote to memory of 3044 2668 86048.exe 40 PID 2668 wrote to memory of 3044 2668 86048.exe 40 PID 3044 wrote to memory of 2072 3044 vpdvv.exe 41 PID 3044 wrote to memory of 2072 3044 vpdvv.exe 41 PID 3044 wrote to memory of 2072 3044 vpdvv.exe 41 PID 3044 wrote to memory of 2072 3044 vpdvv.exe 41 PID 2072 wrote to memory of 2224 2072 48284.exe 42 PID 2072 wrote to memory of 2224 2072 48284.exe 42 PID 2072 wrote to memory of 2224 2072 48284.exe 42 PID 2072 wrote to memory of 2224 2072 48284.exe 42 PID 2224 wrote to memory of 2260 2224 244288.exe 43 PID 2224 wrote to memory of 2260 2224 244288.exe 43 PID 2224 wrote to memory of 2260 2224 244288.exe 43 PID 2224 wrote to memory of 2260 2224 244288.exe 43 PID 2260 wrote to memory of 2172 2260 e66682.exe 44 PID 2260 wrote to memory of 2172 2260 e66682.exe 44 PID 2260 wrote to memory of 2172 2260 e66682.exe 44 PID 2260 wrote to memory of 2172 2260 e66682.exe 44 PID 2172 wrote to memory of 1880 2172 jdjpv.exe 45 PID 2172 wrote to memory of 1880 2172 jdjpv.exe 45 PID 2172 wrote to memory of 1880 2172 jdjpv.exe 45 PID 2172 wrote to memory of 1880 2172 jdjpv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b2b5ca308337dcbe131416471887f763fca1bd5a261575935a341efeec85306N.exe"C:\Users\Admin\AppData\Local\Temp\7b2b5ca308337dcbe131416471887f763fca1bd5a261575935a341efeec85306N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\4200842.exec:\4200842.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\8642484.exec:\8642484.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\e24400.exec:\e24400.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\5jvpp.exec:\5jvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\3vdjp.exec:\3vdjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\2684280.exec:\2684280.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\5vppv.exec:\5vppv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\q60022.exec:\q60022.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\7djjd.exec:\7djjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\86048.exec:\86048.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\vpdvv.exec:\vpdvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\48284.exec:\48284.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\244288.exec:\244288.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\e66682.exec:\e66682.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\jdjpv.exec:\jdjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\tbbbbt.exec:\tbbbbt.exe17⤵
- Executes dropped EXE
PID:1880 -
\??\c:\42066.exec:\42066.exe18⤵
- Executes dropped EXE
PID:1828 -
\??\c:\bbbnbh.exec:\bbbnbh.exe19⤵
- Executes dropped EXE
PID:1256 -
\??\c:\xlxxxrx.exec:\xlxxxrx.exe20⤵
- Executes dropped EXE
PID:1456 -
\??\c:\042800.exec:\042800.exe21⤵
- Executes dropped EXE
PID:1748 -
\??\c:\m8084.exec:\m8084.exe22⤵
- Executes dropped EXE
PID:1924 -
\??\c:\u488446.exec:\u488446.exe23⤵
- Executes dropped EXE
PID:1120 -
\??\c:\o628440.exec:\o628440.exe24⤵
- Executes dropped EXE
PID:1728 -
\??\c:\648822.exec:\648822.exe25⤵
- Executes dropped EXE
PID:1012 -
\??\c:\hbbhtb.exec:\hbbhtb.exe26⤵
- Executes dropped EXE
PID:1672 -
\??\c:\pjdjj.exec:\pjdjj.exe27⤵
- Executes dropped EXE
PID:2616 -
\??\c:\1ddvj.exec:\1ddvj.exe28⤵
- Executes dropped EXE
PID:1876 -
\??\c:\e62840.exec:\e62840.exe29⤵
- Executes dropped EXE
PID:712 -
\??\c:\jdjpp.exec:\jdjpp.exe30⤵
- Executes dropped EXE
PID:680 -
\??\c:\e82228.exec:\e82228.exe31⤵
- Executes dropped EXE
PID:1064 -
\??\c:\608606.exec:\608606.exe32⤵
- Executes dropped EXE
PID:2308 -
\??\c:\hbnnnh.exec:\hbnnnh.exe33⤵
- Executes dropped EXE
PID:1624 -
\??\c:\rfrrfxf.exec:\rfrrfxf.exe34⤵
- Executes dropped EXE
PID:444 -
\??\c:\htbhnt.exec:\htbhnt.exe35⤵
- Executes dropped EXE
PID:2476 -
\??\c:\840466.exec:\840466.exe36⤵
- Executes dropped EXE
PID:2848 -
\??\c:\tnnnhn.exec:\tnnnhn.exe37⤵
- Executes dropped EXE
PID:2312 -
\??\c:\08662.exec:\08662.exe38⤵
- Executes dropped EXE
PID:2440 -
\??\c:\086622.exec:\086622.exe39⤵
- Executes dropped EXE
PID:2672 -
\??\c:\480684.exec:\480684.exe40⤵
- Executes dropped EXE
PID:2896 -
\??\c:\040406.exec:\040406.exe41⤵
- Executes dropped EXE
PID:2840 -
\??\c:\lxlrxxf.exec:\lxlrxxf.exe42⤵
- Executes dropped EXE
PID:2880 -
\??\c:\424466.exec:\424466.exe43⤵
- Executes dropped EXE
PID:2836 -
\??\c:\88042.exec:\88042.exe44⤵
- Executes dropped EXE
PID:2660 -
\??\c:\fxrxllx.exec:\fxrxllx.exe45⤵
- Executes dropped EXE
PID:2344 -
\??\c:\4284666.exec:\4284666.exe46⤵
- Executes dropped EXE
PID:2276 -
\??\c:\6424040.exec:\6424040.exe47⤵
- Executes dropped EXE
PID:1952 -
\??\c:\k02200.exec:\k02200.exe48⤵
- Executes dropped EXE
PID:2224 -
\??\c:\dvvdj.exec:\dvvdj.exe49⤵
- Executes dropped EXE
PID:2200 -
\??\c:\48062.exec:\48062.exe50⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rfxrrxf.exec:\rfxrrxf.exe51⤵
- Executes dropped EXE
PID:2212 -
\??\c:\bbthnn.exec:\bbthnn.exe52⤵
- Executes dropped EXE
PID:844 -
\??\c:\66402.exec:\66402.exe53⤵
- Executes dropped EXE
PID:1928 -
\??\c:\o262840.exec:\o262840.exe54⤵
- Executes dropped EXE
PID:2456 -
\??\c:\ffllrxx.exec:\ffllrxx.exe55⤵
- Executes dropped EXE
PID:1736 -
\??\c:\5lrfrrf.exec:\5lrfrrf.exe56⤵
- Executes dropped EXE
PID:2020 -
\??\c:\264688.exec:\264688.exe57⤵
- Executes dropped EXE
PID:1676 -
\??\c:\xrrlflr.exec:\xrrlflr.exe58⤵
- Executes dropped EXE
PID:2408 -
\??\c:\xxrfrxl.exec:\xxrfrxl.exe59⤵
- Executes dropped EXE
PID:2068 -
\??\c:\tnbbtt.exec:\tnbbtt.exe60⤵
- Executes dropped EXE
PID:1044 -
\??\c:\vpvdp.exec:\vpvdp.exe61⤵
- Executes dropped EXE
PID:916 -
\??\c:\8288002.exec:\8288002.exe62⤵
- Executes dropped EXE
PID:2008 -
\??\c:\ppjjj.exec:\ppjjj.exe63⤵
- Executes dropped EXE
PID:2064 -
\??\c:\9flrxrx.exec:\9flrxrx.exe64⤵
- Executes dropped EXE
PID:1756 -
\??\c:\886846.exec:\886846.exe65⤵
- Executes dropped EXE
PID:588 -
\??\c:\thbhhn.exec:\thbhhn.exe66⤵PID:1656
-
\??\c:\1dddj.exec:\1dddj.exe67⤵PID:1016
-
\??\c:\vpvvv.exec:\vpvvv.exe68⤵PID:320
-
\??\c:\3btttt.exec:\3btttt.exe69⤵PID:2316
-
\??\c:\lflrllr.exec:\lflrllr.exe70⤵PID:2360
-
\??\c:\04802.exec:\04802.exe71⤵PID:2948
-
\??\c:\k24040.exec:\k24040.exe72⤵PID:1620
-
\??\c:\tnthnn.exec:\tnthnn.exe73⤵PID:3036
-
\??\c:\042866.exec:\042866.exe74⤵PID:2552
-
\??\c:\hbtttt.exec:\hbtttt.exe75⤵PID:1404
-
\??\c:\ffrxxfl.exec:\ffrxxfl.exe76⤵
- System Location Discovery: System Language Discovery
PID:2776 -
\??\c:\btnnhh.exec:\btnnhh.exe77⤵PID:2908
-
\??\c:\7jdpd.exec:\7jdpd.exe78⤵PID:2312
-
\??\c:\7xrfrxl.exec:\7xrfrxl.exe79⤵
- System Location Discovery: System Language Discovery
PID:2820 -
\??\c:\c022884.exec:\c022884.exe80⤵PID:2888
-
\??\c:\u200224.exec:\u200224.exe81⤵PID:2800
-
\??\c:\nnntbb.exec:\nnntbb.exe82⤵PID:2732
-
\??\c:\602440.exec:\602440.exe83⤵PID:2880
-
\??\c:\264088.exec:\264088.exe84⤵PID:2836
-
\??\c:\a6440.exec:\a6440.exe85⤵PID:2256
-
\??\c:\1fflxff.exec:\1fflxff.exe86⤵PID:112
-
\??\c:\rlflffr.exec:\rlflffr.exe87⤵PID:2204
-
\??\c:\5tbhtb.exec:\5tbhtb.exe88⤵PID:2592
-
\??\c:\s4662.exec:\s4662.exe89⤵PID:2264
-
\??\c:\thhnnh.exec:\thhnnh.exe90⤵PID:2248
-
\??\c:\hbnnbb.exec:\hbnnbb.exe91⤵PID:2232
-
\??\c:\9xrrfll.exec:\9xrrfll.exe92⤵PID:2452
-
\??\c:\tnthnh.exec:\tnthnh.exe93⤵PID:2304
-
\??\c:\hhbthh.exec:\hhbthh.exe94⤵PID:1152
-
\??\c:\3lxxxfl.exec:\3lxxxfl.exe95⤵PID:2456
-
\??\c:\w42840.exec:\w42840.exe96⤵PID:1456
-
\??\c:\c844664.exec:\c844664.exe97⤵PID:2412
-
\??\c:\640684.exec:\640684.exe98⤵PID:1964
-
\??\c:\42008.exec:\42008.exe99⤵PID:2408
-
\??\c:\htnhhb.exec:\htnhhb.exe100⤵PID:2068
-
\??\c:\jdddd.exec:\jdddd.exe101⤵PID:1120
-
\??\c:\pjjjv.exec:\pjjjv.exe102⤵PID:916
-
\??\c:\20284.exec:\20284.exe103⤵PID:2008
-
\??\c:\1frlrlr.exec:\1frlrlr.exe104⤵PID:2064
-
\??\c:\5frlrfl.exec:\5frlrfl.exe105⤵PID:568
-
\??\c:\3jpvp.exec:\3jpvp.exe106⤵PID:592
-
\??\c:\0800668.exec:\0800668.exe107⤵PID:1876
-
\??\c:\nhbhnh.exec:\nhbhnh.exe108⤵PID:2228
-
\??\c:\08664.exec:\08664.exe109⤵PID:2156
-
\??\c:\20628.exec:\20628.exe110⤵PID:2968
-
\??\c:\3pdjd.exec:\3pdjd.exe111⤵PID:2996
-
\??\c:\btttbh.exec:\btttbh.exe112⤵PID:2360
-
\??\c:\u462668.exec:\u462668.exe113⤵PID:1708
-
\??\c:\tthnhh.exec:\tthnhh.exe114⤵PID:1740
-
\??\c:\i866824.exec:\i866824.exe115⤵PID:3052
-
\??\c:\82224.exec:\82224.exe116⤵PID:2760
-
\??\c:\42884.exec:\42884.exe117⤵PID:3048
-
\??\c:\i440668.exec:\i440668.exe118⤵PID:2940
-
\??\c:\jjddp.exec:\jjddp.exe119⤵PID:3056
-
\??\c:\jjvdp.exec:\jjvdp.exe120⤵PID:2824
-
\??\c:\202228.exec:\202228.exe121⤵PID:2892
-
\??\c:\2080628.exec:\2080628.exe122⤵PID:2780