Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
18-12-2024 06:06
Behavioral task
behavioral1
Sample
a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe
-
Size
376KB
-
MD5
a06c7869f429375d6375bf32e50c8f9d
-
SHA1
cd7b62adeb9128eb0f6b237099ea70837f36c9a1
-
SHA256
a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1
-
SHA512
f14d7f35ba3f5230e5ba1e8e14c3fef54181015ea09d169ed9701e41fadf3b5693bbc9f3e7f85e0259cb5790ff08e41d3aff1356f5ca96bb085228a8430292a0
-
SSDEEP
6144:0cm4FmowdHoSHWVs+QEoD/dL/4oSlCIqbKRs4EkfRDaPRrnVkWHQmQ:C4wFHoS2Vs+IdMoSzqkR5RWVVWmQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral1/memory/1720-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2632-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2892-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2368-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2080-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2584-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/324-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1240-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1508-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/600-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1140-160-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/1140-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1140-163-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2460-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1448-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2456-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1572-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2248-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2248-221-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon 
behavioral1/memory/2192-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2184-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2524-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1964-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2528-319-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/1972-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1996-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/788-393-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1508-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1028-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2768-429-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/2200-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1692-504-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1328-526-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2352-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2352-534-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/888-554-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/888-555-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2144-575-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2828-619-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/700-671-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/568-684-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2612-696-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2612-698-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1140-736-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2656-755-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1388-767-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/1640-788-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1952-961-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1544-980-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2248-1037-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/1312-1055-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2088-1074-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1552-1080-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2632 s0288.exe 2368 rrlxffr.exe 2892 jdpvd.exe 2252 rlxxflr.exe 2080 608806.exe 2584 8206864.exe 2896 2686228.exe 2824 dvjjp.exe 2728 jdvvj.exe 324 00280.exe 1240 262888.exe 840 602246.exe 1508 2084446.exe 1028 nhttbn.exe 2812 q08226.exe 600 hbnhnn.exe 1140 g4280.exe 2032 o462442.exe 2460 4406242.exe 2400 64224.exe 1448 64624.exe 2456 hthnhn.exe 2248 0048004.exe 1572 86406.exe 1312 0806264.exe 2184 602806.exe 2240 pddjp.exe 2192 4862886.exe 2524 dvjvj.exe 1868 jdvvd.exe 2264 vdpdp.exe 2356 hbntbb.exe 1964 7vvdj.exe 1088 2644662.exe 2528 084028.exe 1972 bhhbhb.exe 1996 204088.exe 2816 4664842.exe 2148 a8284.exe 2736 llrxrll.exe 2920 48240.exe 2468 fxrrflr.exe 2724 m0224.exe 2880 1tntbh.exe 2984 8206880.exe 2344 04846.exe 788 rlrrfff.exe 1336 20626.exe 3024 btnnhh.exe 1508 u684484.exe 1028 646282.exe 2768 jjjdv.exe 1940 a6002.exe 2028 7xflfxl.exe 2004 lfflxxf.exe 2200 jdppd.exe 2748 6466846.exe 2392 lrffrrr.exe 2428 xrrxllr.exe 2680 7dppd.exe 1080 82064.exe 1148 q64004.exe 992 40644.exe 1692 vjjpj.exe -
resource yara_rule behavioral1/memory/1720-1-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000c00000001202c-5.dat upx behavioral1/memory/1720-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d4b-17.dat upx behavioral1/memory/2632-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d54-24.dat upx behavioral1/memory/2892-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2368-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d67-36.dat upx behavioral1/memory/2252-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2252-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d6b-46.dat upx behavioral1/files/0x0007000000016d6f-56.dat upx behavioral1/memory/2080-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d77-65.dat upx behavioral1/memory/2584-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d9f-73.dat upx behavioral1/memory/2896-72-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0006000000018739-82.dat upx behavioral1/files/0x0005000000018744-90.dat upx behavioral1/memory/2728-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001878e-100.dat upx behavioral1/memory/324-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000187a8-108.dat upx behavioral1/memory/1240-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018b4e-118.dat upx behavioral1/memory/1508-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018c16-129.dat upx behavioral1/files/0x0009000000016cf5-136.dat upx behavioral1/files/0x0005000000019246-144.dat upx behavioral1/files/0x0005000000019250-153.dat upx 
behavioral1/memory/600-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1140-160-0x00000000002A0000-0x00000000002C7000-memory.dmp upx behavioral1/files/0x0005000000019269-166.dat upx behavioral1/memory/1140-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019278-173.dat upx behavioral1/memory/2460-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019284-184.dat upx behavioral1/memory/2460-182-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0005000000019297-192.dat upx behavioral1/files/0x000500000001933f-203.dat upx behavioral1/memory/1448-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2456-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019360-211.dat upx behavioral1/files/0x00050000000193b6-233.dat upx behavioral1/memory/1572-225-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193a6-224.dat upx behavioral1/memory/2248-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193df-250.dat upx behavioral1/memory/2192-259-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019451-258.dat upx behavioral1/memory/2184-243-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193c4-241.dat upx behavioral1/files/0x0005000000019458-266.dat upx behavioral1/memory/2524-268-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194a9-275.dat upx behavioral1/files/0x00050000000194b9-283.dat upx behavioral1/files/0x00050000000194c9-292.dat upx behavioral1/memory/1964-306-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1972-320-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1972-327-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/1996-334-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1508-415-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1028-422-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q60688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k82806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1720 wrote to memory of 2632 1720 a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe 30 PID 1720 wrote to memory of 2632 1720 a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe 30 PID 1720 wrote to memory of 2632 1720 a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe 30 PID 1720 wrote to memory of 2632 1720 a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe 30 PID 2632 wrote to memory of 2368 2632 s0288.exe 31 PID 2632 wrote to memory of 2368 2632 s0288.exe 31 PID 2632 wrote to memory of 2368 2632 s0288.exe 31 PID 2632 wrote to memory of 2368 2632 s0288.exe 31 PID 2368 wrote to memory of 2892 2368 rrlxffr.exe 32 PID 2368 wrote to memory of 2892 2368 rrlxffr.exe 32 PID 2368 wrote to memory of 2892 2368 rrlxffr.exe 32 PID 2368 wrote to memory of 2892 2368 rrlxffr.exe 32 PID 2892 wrote to memory of 2252 2892 jdpvd.exe 33 PID 2892 wrote to memory of 2252 2892 jdpvd.exe 33 PID 2892 wrote to memory of 2252 2892 jdpvd.exe 33 PID 2892 wrote to memory of 2252 2892 jdpvd.exe 33 PID 2252 wrote to memory of 2080 2252 rlxxflr.exe 34 PID 2252 wrote to memory of 2080 2252 rlxxflr.exe 34 PID 2252 wrote to memory of 2080 2252 rlxxflr.exe 34 PID 2252 wrote to memory of 2080 2252 rlxxflr.exe 34 PID 2080 wrote to memory of 2584 2080 608806.exe 35 PID 2080 wrote to memory of 2584 2080 608806.exe 35 PID 2080 wrote to memory of 2584 2080 608806.exe 35 PID 2080 wrote to memory of 2584 2080 608806.exe 35 PID 2584 wrote to memory of 2896 2584 8206864.exe 36 PID 2584 wrote to memory of 2896 2584 8206864.exe 36 PID 2584 wrote to memory of 2896 2584 8206864.exe 36 PID 2584 wrote to memory of 2896 2584 8206864.exe 36 PID 2896 wrote to memory of 2824 2896 2686228.exe 37 PID 2896 wrote to memory of 2824 2896 2686228.exe 37 PID 2896 wrote to memory of 2824 2896 2686228.exe 37 PID 2896 wrote to memory of 2824 2896 2686228.exe 37 PID 2824 wrote to memory of 2728 2824 dvjjp.exe 38 PID 
2824 wrote to memory of 2728 2824 dvjjp.exe 38 PID 2824 wrote to memory of 2728 2824 dvjjp.exe 38 PID 2824 wrote to memory of 2728 2824 dvjjp.exe 38 PID 2728 wrote to memory of 324 2728 jdvvj.exe 39 PID 2728 wrote to memory of 324 2728 jdvvj.exe 39 PID 2728 wrote to memory of 324 2728 jdvvj.exe 39 PID 2728 wrote to memory of 324 2728 jdvvj.exe 39 PID 324 wrote to memory of 1240 324 00280.exe 40 PID 324 wrote to memory of 1240 324 00280.exe 40 PID 324 wrote to memory of 1240 324 00280.exe 40 PID 324 wrote to memory of 1240 324 00280.exe 40 PID 1240 wrote to memory of 840 1240 262888.exe 41 PID 1240 wrote to memory of 840 1240 262888.exe 41 PID 1240 wrote to memory of 840 1240 262888.exe 41 PID 1240 wrote to memory of 840 1240 262888.exe 41 PID 840 wrote to memory of 1508 840 602246.exe 42 PID 840 wrote to memory of 1508 840 602246.exe 42 PID 840 wrote to memory of 1508 840 602246.exe 42 PID 840 wrote to memory of 1508 840 602246.exe 42 PID 1508 wrote to memory of 1028 1508 2084446.exe 43 PID 1508 wrote to memory of 1028 1508 2084446.exe 43 PID 1508 wrote to memory of 1028 1508 2084446.exe 43 PID 1508 wrote to memory of 1028 1508 2084446.exe 43 PID 1028 wrote to memory of 2812 1028 nhttbn.exe 44 PID 1028 wrote to memory of 2812 1028 nhttbn.exe 44 PID 1028 wrote to memory of 2812 1028 nhttbn.exe 44 PID 1028 wrote to memory of 2812 1028 nhttbn.exe 44 PID 2812 wrote to memory of 600 2812 q08226.exe 45 PID 2812 wrote to memory of 600 2812 q08226.exe 45 PID 2812 wrote to memory of 600 2812 q08226.exe 45 PID 2812 wrote to memory of 600 2812 q08226.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe"C:\Users\Admin\AppData\Local\Temp\a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\s0288.exec:\s0288.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\rrlxffr.exec:\rrlxffr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\jdpvd.exec:\jdpvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\rlxxflr.exec:\rlxxflr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\608806.exec:\608806.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\8206864.exec:\8206864.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\2686228.exec:\2686228.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\dvjjp.exec:\dvjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\jdvvj.exec:\jdvvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\00280.exec:\00280.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\262888.exec:\262888.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\602246.exec:\602246.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\2084446.exec:\2084446.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\nhttbn.exec:\nhttbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\q08226.exec:\q08226.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\hbnhnn.exec:\hbnhnn.exe17⤵
- Executes dropped EXE
PID:600 -
\??\c:\g4280.exec:\g4280.exe18⤵
- Executes dropped EXE
PID:1140 -
\??\c:\o462442.exec:\o462442.exe19⤵
- Executes dropped EXE
PID:2032 -
\??\c:\4406242.exec:\4406242.exe20⤵
- Executes dropped EXE
PID:2460 -
\??\c:\64224.exec:\64224.exe21⤵
- Executes dropped EXE
PID:2400 -
\??\c:\64624.exec:\64624.exe22⤵
- Executes dropped EXE
PID:1448 -
\??\c:\hthnhn.exec:\hthnhn.exe23⤵
- Executes dropped EXE
PID:2456 -
\??\c:\0048004.exec:\0048004.exe24⤵
- Executes dropped EXE
PID:2248 -
\??\c:\86406.exec:\86406.exe25⤵
- Executes dropped EXE
PID:1572 -
\??\c:\0806264.exec:\0806264.exe26⤵
- Executes dropped EXE
PID:1312 -
\??\c:\602806.exec:\602806.exe27⤵
- Executes dropped EXE
PID:2184 -
\??\c:\pddjp.exec:\pddjp.exe28⤵
- Executes dropped EXE
PID:2240 -
\??\c:\4862886.exec:\4862886.exe29⤵
- Executes dropped EXE
PID:2192 -
\??\c:\dvjvj.exec:\dvjvj.exe30⤵
- Executes dropped EXE
PID:2524 -
\??\c:\jdvvd.exec:\jdvvd.exe31⤵
- Executes dropped EXE
PID:1868 -
\??\c:\vdpdp.exec:\vdpdp.exe32⤵
- Executes dropped EXE
PID:2264 -
\??\c:\hbntbb.exec:\hbntbb.exe33⤵
- Executes dropped EXE
PID:2356 -
\??\c:\7vvdj.exec:\7vvdj.exe34⤵
- Executes dropped EXE
PID:1964 -
\??\c:\2644662.exec:\2644662.exe35⤵
- Executes dropped EXE
PID:1088 -
\??\c:\084028.exec:\084028.exe36⤵
- Executes dropped EXE
PID:2528 -
\??\c:\bhhbhb.exec:\bhhbhb.exe37⤵
- Executes dropped EXE
PID:1972 -
\??\c:\204088.exec:\204088.exe38⤵
- Executes dropped EXE
PID:1996 -
\??\c:\4664842.exec:\4664842.exe39⤵
- Executes dropped EXE
PID:2816 -
\??\c:\a8284.exec:\a8284.exe40⤵
- Executes dropped EXE
PID:2148 -
\??\c:\llrxrll.exec:\llrxrll.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\48240.exec:\48240.exe42⤵
- Executes dropped EXE
PID:2920 -
\??\c:\fxrrflr.exec:\fxrrflr.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468 -
\??\c:\m0224.exec:\m0224.exe44⤵
- Executes dropped EXE
PID:2724 -
\??\c:\1tntbh.exec:\1tntbh.exe45⤵
- Executes dropped EXE
PID:2880 -
\??\c:\8206880.exec:\8206880.exe46⤵
- Executes dropped EXE
PID:2984 -
\??\c:\04846.exec:\04846.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344 -
\??\c:\rlrrfff.exec:\rlrrfff.exe48⤵
- Executes dropped EXE
PID:788 -
\??\c:\20626.exec:\20626.exe49⤵
- Executes dropped EXE
PID:1336 -
\??\c:\btnnhh.exec:\btnnhh.exe50⤵
- Executes dropped EXE
PID:3024 -
\??\c:\u684484.exec:\u684484.exe51⤵
- Executes dropped EXE
PID:1508 -
\??\c:\646282.exec:\646282.exe52⤵
- Executes dropped EXE
PID:1028 -
\??\c:\jjjdv.exec:\jjjdv.exe53⤵
- Executes dropped EXE
PID:2768 -
\??\c:\a6002.exec:\a6002.exe54⤵
- Executes dropped EXE
PID:1940 -
\??\c:\7xflfxl.exec:\7xflfxl.exe55⤵
- Executes dropped EXE
PID:2028 -
\??\c:\lfflxxf.exec:\lfflxxf.exe56⤵
- Executes dropped EXE
PID:2004 -
\??\c:\jdppd.exec:\jdppd.exe57⤵
- Executes dropped EXE
PID:2200 -
\??\c:\6466846.exec:\6466846.exe58⤵
- Executes dropped EXE
PID:2748 -
\??\c:\lrffrrr.exec:\lrffrrr.exe59⤵
- Executes dropped EXE
PID:2392 -
\??\c:\xrrxllr.exec:\xrrxllr.exe60⤵
- Executes dropped EXE
PID:2428 -
\??\c:\7dppd.exec:\7dppd.exe61⤵
- Executes dropped EXE
PID:2680 -
\??\c:\82064.exec:\82064.exe62⤵
- Executes dropped EXE
PID:1080 -
\??\c:\q64004.exec:\q64004.exe63⤵
- Executes dropped EXE
PID:1148 -
\??\c:\40644.exec:\40644.exe64⤵
- Executes dropped EXE
PID:992 -
\??\c:\vjjpj.exec:\vjjpj.exe65⤵
- Executes dropped EXE
PID:1692 -
\??\c:\60804.exec:\60804.exe66⤵
- System Location Discovery: System Language Discovery
PID:844 -
\??\c:\422288.exec:\422288.exe67⤵PID:2572
-
\??\c:\btntbh.exec:\btntbh.exe68⤵PID:1328
-
\??\c:\8206468.exec:\8206468.exe69⤵PID:2352
-
\??\c:\k64406.exec:\k64406.exe70⤵PID:2304
-
\??\c:\424466.exec:\424466.exe71⤵PID:344
-
\??\c:\08662.exec:\08662.exe72⤵PID:888
-
\??\c:\jvpjj.exec:\jvpjj.exe73⤵PID:1868
-
\??\c:\fxllrrf.exec:\fxllrrf.exe74⤵PID:1720
-
\??\c:\1hbnth.exec:\1hbnth.exe75⤵PID:2144
-
\??\c:\866682.exec:\866682.exe76⤵PID:1264
-
\??\c:\btbbbb.exec:\btbbbb.exe77⤵PID:2216
-
\??\c:\rllfllr.exec:\rllfllr.exe78⤵PID:2596
-
\??\c:\208468.exec:\208468.exe79⤵PID:2956
-
\??\c:\1frrrrx.exec:\1frrrrx.exe80⤵PID:2864
-
\??\c:\68000.exec:\68000.exe81⤵PID:1996
-
\??\c:\xlfxxxx.exec:\xlfxxxx.exe82⤵PID:2828
-
\??\c:\7thbtn.exec:\7thbtn.exe83⤵PID:2744
-
\??\c:\4868422.exec:\4868422.exe84⤵PID:2924
-
\??\c:\m0888.exec:\m0888.exe85⤵PID:2920
-
\??\c:\o888400.exec:\o888400.exe86⤵PID:2832
-
\??\c:\3lxflrx.exec:\3lxflrx.exe87⤵PID:2752
-
\??\c:\5ppvd.exec:\5ppvd.exe88⤵PID:2140
-
\??\c:\vpjpv.exec:\vpjpv.exe89⤵PID:324
-
\??\c:\268466.exec:\268466.exe90⤵PID:700
-
\??\c:\ppjpj.exec:\ppjpj.exe91⤵PID:3028
-
\??\c:\1vvvd.exec:\1vvvd.exe92⤵PID:568
-
\??\c:\jdpjj.exec:\jdpjj.exe93⤵PID:708
-
\??\c:\48802.exec:\48802.exe94⤵PID:2612
-
\??\c:\3lxxxlx.exec:\3lxxxlx.exe95⤵PID:3004
-
\??\c:\hbtthb.exec:\hbtthb.exe96⤵PID:1744
-
\??\c:\5frflrf.exec:\5frflrf.exe97⤵PID:1140
-
\??\c:\080460.exec:\080460.exe98⤵
- System Location Discovery: System Language Discovery
PID:828 -
\??\c:\8604464.exec:\8604464.exe99⤵PID:1696
-
\??\c:\nnnhhh.exec:\nnnhhh.exe100⤵PID:2804
-
\??\c:\w46244.exec:\w46244.exe101⤵PID:2060
-
\??\c:\0860224.exec:\0860224.exe102⤵PID:2396
-
\??\c:\dvjpd.exec:\dvjpd.exe103⤵PID:2656
-
\??\c:\7vddp.exec:\7vddp.exe104⤵PID:1888
-
\??\c:\268882.exec:\268882.exe105⤵PID:1388
-
\??\c:\pvdpp.exec:\pvdpp.exe106⤵PID:2100
-
\??\c:\644022.exec:\644022.exe107⤵PID:2576
-
\??\c:\s8062.exec:\s8062.exe108⤵PID:1640
-
\??\c:\6400006.exec:\6400006.exe109⤵PID:2184
-
\??\c:\u868002.exec:\u868002.exe110⤵PID:2388
-
\??\c:\08062.exec:\08062.exe111⤵PID:3036
-
\??\c:\nbnttb.exec:\nbnttb.exe112⤵PID:1700
-
\??\c:\nhnthh.exec:\nhnthh.exe113⤵PID:1664
-
\??\c:\bntttn.exec:\bntttn.exe114⤵PID:1932
-
\??\c:\xlrffff.exec:\xlrffff.exe115⤵PID:1520
-
\??\c:\40020.exec:\40020.exe116⤵PID:1868
-
\??\c:\3jvdj.exec:\3jvdj.exe117⤵PID:1704
-
\??\c:\8206280.exec:\8206280.exe118⤵PID:1628
-
\??\c:\08662.exec:\08662.exe119⤵PID:1088
-
\??\c:\64202.exec:\64202.exe120⤵PID:2996
-
\??\c:\pdvvj.exec:\pdvvj.exe121⤵PID:2820
-
\??\c:\pjvdj.exec:\pjvdj.exe122⤵PID:2980