Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 01:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe
-
Size
454KB
-
MD5
b0ed066228c36f715ac3b14440c01d17
-
SHA1
0fe302f0f6cded692d118304d762df9e8ed6cbf8
-
SHA256
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245
-
SHA512
de74dbd511c625feca3a8a88a46dc6ac565e37e7a61f22c1607ce11e9dde7e412eceea2c10b04f8f29bb33b5e5930b477ad3027404a8c4223f0c0ab635a55c27
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/3060-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-182-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2908-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-251-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2092-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2956-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-309-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-337-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2556-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-368-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2144-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-511-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3060-580-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2864-627-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2560-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-648-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/1528-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-692-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2380-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-720-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2412-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1476 bntntb.exe 2744 lxffrrx.exe 2716 82068.exe 2808 642404.exe 2584 5hhbht.exe 2604 bbbhtb.exe 2600 3frxlrf.exe 2840 thbbnn.exe 636 jddjp.exe 2512 6086884.exe 2292 826462.exe 2860 268406.exe 2420 m0840.exe 1728 822840.exe 2004 086628.exe 2272 606268.exe 1896 4404082.exe 1864 26620.exe 2988 k02244.exe 2908 q86284.exe 1504 3rffrlx.exe 1508 jdjpd.exe 2948 7lllxfl.exe 2240 4262446.exe 1720 1vddj.exe 768 ddpjv.exe 2092 frxxxrx.exe 2956 htbbht.exe 2980 8640222.exe 1464 dddjp.exe 1264 u428042.exe 2460 xlxfllf.exe 1592 vpjpj.exe 1876 9bbhtb.exe 2768 c428620.exe 2712 tnnthn.exe 2720 820246.exe 2808 2868624.exe 2696 xxlrlrf.exe 2556 88068.exe 2632 82624.exe 2600 44842.exe 348 008026.exe 2188 04884.exe 2144 820628.exe 2044 086262.exe 2216 lxxffxx.exe 2656 04808.exe 2388 ddvjp.exe 288 6608062.exe 1364 4220044.exe 536 1jdjd.exe 2276 pvddv.exe 1888 6422062.exe 1144 vjpjp.exe 2156 88288.exe 2876 862860.exe 1904 lxfxfff.exe 944 860646.exe 1248 4202084.exe 1504 7vpdd.exe 1508 vvvjv.exe 2500 pjvvp.exe 1804 42406.exe -
resource yara_rule behavioral1/memory/3060-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-251-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2092-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-278-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2460-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-580-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2560-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-787-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k06880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4428064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3060 wrote to memory of 1476 3060 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 30 PID 3060 wrote to memory of 1476 3060 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 30 PID 3060 wrote to memory of 1476 3060 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 30 PID 3060 wrote to memory of 1476 3060 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 30 PID 1476 wrote to memory of 2744 1476 bntntb.exe 31 PID 1476 wrote to memory of 2744 1476 bntntb.exe 31 PID 1476 wrote to memory of 2744 1476 bntntb.exe 31 PID 1476 wrote to memory of 2744 1476 bntntb.exe 31 PID 2744 wrote to memory of 2716 2744 lxffrrx.exe 32 PID 2744 wrote to memory of 2716 2744 lxffrrx.exe 32 PID 2744 wrote to memory of 2716 2744 lxffrrx.exe 32 PID 2744 wrote to memory of 2716 2744 lxffrrx.exe 32 PID 2716 wrote to memory of 2808 2716 82068.exe 33 PID 2716 wrote to memory of 2808 2716 82068.exe 33 PID 2716 wrote to memory of 2808 2716 82068.exe 33 PID 2716 wrote to memory of 2808 2716 82068.exe 33 PID 2808 wrote to memory of 2584 2808 642404.exe 34 PID 2808 wrote to memory of 2584 2808 642404.exe 34 PID 2808 wrote to memory of 2584 2808 642404.exe 34 PID 2808 wrote to memory of 2584 2808 642404.exe 34 PID 2584 wrote to memory of 2604 2584 5hhbht.exe 35 PID 2584 wrote to memory of 2604 2584 5hhbht.exe 35 PID 2584 wrote to memory of 2604 2584 5hhbht.exe 35 PID 2584 wrote to memory of 2604 2584 5hhbht.exe 35 PID 2604 wrote to memory of 2600 2604 bbbhtb.exe 36 PID 2604 wrote to memory of 2600 2604 bbbhtb.exe 36 PID 2604 wrote to memory of 2600 2604 bbbhtb.exe 36 PID 2604 wrote to memory of 2600 2604 bbbhtb.exe 36 PID 2600 wrote to memory of 2840 2600 3frxlrf.exe 37 PID 2600 wrote to memory of 2840 2600 3frxlrf.exe 37 PID 2600 wrote to memory of 2840 2600 3frxlrf.exe 37 PID 2600 wrote to memory of 2840 2600 3frxlrf.exe 37 PID 2840 wrote to memory of 636 2840 thbbnn.exe 38 PID 2840 
wrote to memory of 636 2840 thbbnn.exe 38 PID 2840 wrote to memory of 636 2840 thbbnn.exe 38 PID 2840 wrote to memory of 636 2840 thbbnn.exe 38 PID 636 wrote to memory of 2512 636 jddjp.exe 39 PID 636 wrote to memory of 2512 636 jddjp.exe 39 PID 636 wrote to memory of 2512 636 jddjp.exe 39 PID 636 wrote to memory of 2512 636 jddjp.exe 39 PID 2512 wrote to memory of 2292 2512 6086884.exe 40 PID 2512 wrote to memory of 2292 2512 6086884.exe 40 PID 2512 wrote to memory of 2292 2512 6086884.exe 40 PID 2512 wrote to memory of 2292 2512 6086884.exe 40 PID 2292 wrote to memory of 2860 2292 826462.exe 41 PID 2292 wrote to memory of 2860 2292 826462.exe 41 PID 2292 wrote to memory of 2860 2292 826462.exe 41 PID 2292 wrote to memory of 2860 2292 826462.exe 41 PID 2860 wrote to memory of 2420 2860 268406.exe 42 PID 2860 wrote to memory of 2420 2860 268406.exe 42 PID 2860 wrote to memory of 2420 2860 268406.exe 42 PID 2860 wrote to memory of 2420 2860 268406.exe 42 PID 2420 wrote to memory of 1728 2420 m0840.exe 43 PID 2420 wrote to memory of 1728 2420 m0840.exe 43 PID 2420 wrote to memory of 1728 2420 m0840.exe 43 PID 2420 wrote to memory of 1728 2420 m0840.exe 43 PID 1728 wrote to memory of 2004 1728 822840.exe 44 PID 1728 wrote to memory of 2004 1728 822840.exe 44 PID 1728 wrote to memory of 2004 1728 822840.exe 44 PID 1728 wrote to memory of 2004 1728 822840.exe 44 PID 2004 wrote to memory of 2272 2004 086628.exe 45 PID 2004 wrote to memory of 2272 2004 086628.exe 45 PID 2004 wrote to memory of 2272 2004 086628.exe 45 PID 2004 wrote to memory of 2272 2004 086628.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe"C:\Users\Admin\AppData\Local\Temp\abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\bntntb.exec:\bntntb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\lxffrrx.exec:\lxffrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\82068.exec:\82068.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\642404.exec:\642404.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\5hhbht.exec:\5hhbht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\bbbhtb.exec:\bbbhtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\3frxlrf.exec:\3frxlrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\thbbnn.exec:\thbbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\jddjp.exec:\jddjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\6086884.exec:\6086884.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\826462.exec:\826462.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\268406.exec:\268406.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\m0840.exec:\m0840.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\822840.exec:\822840.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\086628.exec:\086628.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\606268.exec:\606268.exe17⤵
- Executes dropped EXE
PID:2272 -
\??\c:\4404082.exec:\4404082.exe18⤵
- Executes dropped EXE
PID:1896 -
\??\c:\26620.exec:\26620.exe19⤵
- Executes dropped EXE
PID:1864 -
\??\c:\k02244.exec:\k02244.exe20⤵
- Executes dropped EXE
PID:2988 -
\??\c:\q86284.exec:\q86284.exe21⤵
- Executes dropped EXE
PID:2908 -
\??\c:\3rffrlx.exec:\3rffrlx.exe22⤵
- Executes dropped EXE
PID:1504 -
\??\c:\jdjpd.exec:\jdjpd.exe23⤵
- Executes dropped EXE
PID:1508 -
\??\c:\7lllxfl.exec:\7lllxfl.exe24⤵
- Executes dropped EXE
PID:2948 -
\??\c:\4262446.exec:\4262446.exe25⤵
- Executes dropped EXE
PID:2240 -
\??\c:\1vddj.exec:\1vddj.exe26⤵
- Executes dropped EXE
PID:1720 -
\??\c:\ddpjv.exec:\ddpjv.exe27⤵
- Executes dropped EXE
PID:768 -
\??\c:\frxxxrx.exec:\frxxxrx.exe28⤵
- Executes dropped EXE
PID:2092 -
\??\c:\htbbht.exec:\htbbht.exe29⤵
- Executes dropped EXE
PID:2956 -
\??\c:\8640222.exec:\8640222.exe30⤵
- Executes dropped EXE
PID:2980 -
\??\c:\dddjp.exec:\dddjp.exe31⤵
- Executes dropped EXE
PID:1464 -
\??\c:\u428042.exec:\u428042.exe32⤵
- Executes dropped EXE
PID:1264 -
\??\c:\xlxfllf.exec:\xlxfllf.exe33⤵
- Executes dropped EXE
PID:2460 -
\??\c:\vpjpj.exec:\vpjpj.exe34⤵
- Executes dropped EXE
PID:1592 -
\??\c:\9bbhtb.exec:\9bbhtb.exe35⤵
- Executes dropped EXE
PID:1876 -
\??\c:\c428620.exec:\c428620.exe36⤵
- Executes dropped EXE
PID:2768 -
\??\c:\tnnthn.exec:\tnnthn.exe37⤵
- Executes dropped EXE
PID:2712 -
\??\c:\820246.exec:\820246.exe38⤵
- Executes dropped EXE
PID:2720 -
\??\c:\2868624.exec:\2868624.exe39⤵
- Executes dropped EXE
PID:2808 -
\??\c:\xxlrlrf.exec:\xxlrlrf.exe40⤵
- Executes dropped EXE
PID:2696 -
\??\c:\88068.exec:\88068.exe41⤵
- Executes dropped EXE
PID:2556 -
\??\c:\82624.exec:\82624.exe42⤵
- Executes dropped EXE
PID:2632 -
\??\c:\44842.exec:\44842.exe43⤵
- Executes dropped EXE
PID:2600 -
\??\c:\008026.exec:\008026.exe44⤵
- Executes dropped EXE
PID:348 -
\??\c:\04884.exec:\04884.exe45⤵
- Executes dropped EXE
PID:2188 -
\??\c:\820628.exec:\820628.exe46⤵
- Executes dropped EXE
PID:2144 -
\??\c:\086262.exec:\086262.exe47⤵
- Executes dropped EXE
PID:2044 -
\??\c:\lxxffxx.exec:\lxxffxx.exe48⤵
- Executes dropped EXE
PID:2216 -
\??\c:\04808.exec:\04808.exe49⤵
- Executes dropped EXE
PID:2656 -
\??\c:\ddvjp.exec:\ddvjp.exe50⤵
- Executes dropped EXE
PID:2388 -
\??\c:\6608062.exec:\6608062.exe51⤵
- Executes dropped EXE
PID:288 -
\??\c:\4220044.exec:\4220044.exe52⤵
- Executes dropped EXE
PID:1364 -
\??\c:\1jdjd.exec:\1jdjd.exe53⤵
- Executes dropped EXE
PID:536 -
\??\c:\pvddv.exec:\pvddv.exe54⤵
- Executes dropped EXE
PID:2276 -
\??\c:\6422062.exec:\6422062.exe55⤵
- Executes dropped EXE
PID:1888 -
\??\c:\vjpjp.exec:\vjpjp.exe56⤵
- Executes dropped EXE
PID:1144 -
\??\c:\88288.exec:\88288.exe57⤵
- Executes dropped EXE
PID:2156 -
\??\c:\862860.exec:\862860.exe58⤵
- Executes dropped EXE
PID:2876 -
\??\c:\lxfxfff.exec:\lxfxfff.exe59⤵
- Executes dropped EXE
PID:1904 -
\??\c:\860646.exec:\860646.exe60⤵
- Executes dropped EXE
PID:944 -
\??\c:\4202084.exec:\4202084.exe61⤵
- Executes dropped EXE
PID:1248 -
\??\c:\7vpdd.exec:\7vpdd.exe62⤵
- Executes dropped EXE
PID:1504 -
\??\c:\vvvjv.exec:\vvvjv.exe63⤵
- Executes dropped EXE
PID:1508 -
\??\c:\pjvvp.exec:\pjvvp.exe64⤵
- Executes dropped EXE
PID:2500 -
\??\c:\42406.exec:\42406.exe65⤵
- Executes dropped EXE
PID:1804 -
\??\c:\llxrxrx.exec:\llxrxrx.exe66⤵PID:1780
-
\??\c:\602428.exec:\602428.exe67⤵PID:2100
-
\??\c:\dpppv.exec:\dpppv.exe68⤵PID:2984
-
\??\c:\668084.exec:\668084.exe69⤵PID:2832
-
\??\c:\dpdvv.exec:\dpdvv.exe70⤵PID:1292
-
\??\c:\7vjpd.exec:\7vjpd.exe71⤵PID:3040
-
\??\c:\o028006.exec:\o028006.exe72⤵PID:1972
-
\??\c:\g8066.exec:\g8066.exe73⤵PID:1464
-
\??\c:\bnbtbb.exec:\bnbtbb.exe74⤵PID:1744
-
\??\c:\202804.exec:\202804.exe75⤵PID:3060
-
\??\c:\3vvjp.exec:\3vvjp.exe76⤵PID:1716
-
\??\c:\e24444.exec:\e24444.exe77⤵PID:2764
-
\??\c:\640066.exec:\640066.exe78⤵PID:1476
-
\??\c:\m4662.exec:\m4662.exe79⤵PID:2692
-
\??\c:\jdjdj.exec:\jdjdj.exe80⤵PID:2712
-
\??\c:\4284628.exec:\4284628.exe81⤵PID:2708
-
\??\c:\thnnnt.exec:\thnnnt.exe82⤵PID:2864
-
\??\c:\vvvvd.exec:\vvvvd.exe83⤵PID:2836
-
\??\c:\64606.exec:\64606.exe84⤵PID:2568
-
\??\c:\c822880.exec:\c822880.exe85⤵PID:2560
-
\??\c:\206222.exec:\206222.exe86⤵PID:1736
-
\??\c:\20420.exec:\20420.exe87⤵PID:1528
-
\??\c:\xxrfxrf.exec:\xxrfxrf.exe88⤵PID:636
-
\??\c:\dvvjd.exec:\dvvjd.exe89⤵PID:2360
-
\??\c:\6080242.exec:\6080242.exe90⤵PID:2904
-
\??\c:\ttntbn.exec:\ttntbn.exe91⤵PID:2792
-
\??\c:\9nhthh.exec:\9nhthh.exe92⤵PID:2380
-
\??\c:\u606266.exec:\u606266.exe93⤵PID:2108
-
\??\c:\pjvdv.exec:\pjvdv.exe94⤵PID:1660
-
\??\c:\48062.exec:\48062.exe95⤵PID:288
-
\??\c:\fffrfrf.exec:\fffrfrf.exe96⤵PID:1856
-
\??\c:\w46626.exec:\w46626.exe97⤵PID:2268
-
\??\c:\7nnbnt.exec:\7nnbnt.exe98⤵PID:2276
-
\??\c:\88646.exec:\88646.exe99⤵PID:1888
-
\??\c:\rlrrrrx.exec:\rlrrrrx.exe100⤵PID:2412
-
\??\c:\044082.exec:\044082.exe101⤵PID:324
-
\??\c:\44246.exec:\44246.exe102⤵PID:1600
-
\??\c:\g6404.exec:\g6404.exe103⤵PID:948
-
\??\c:\2022840.exec:\2022840.exe104⤵PID:2504
-
\??\c:\7xxlrxl.exec:\7xxlrxl.exe105⤵PID:908
-
\??\c:\3frxflr.exec:\3frxflr.exe106⤵PID:1496
-
\??\c:\44846.exec:\44846.exe107⤵PID:1536
-
\??\c:\7pjpp.exec:\7pjpp.exe108⤵PID:2416
-
\??\c:\e42084.exec:\e42084.exe109⤵PID:2012
-
\??\c:\6466840.exec:\6466840.exe110⤵PID:696
-
\??\c:\jdpdv.exec:\jdpdv.exe111⤵PID:2236
-
\??\c:\84640.exec:\84640.exe112⤵PID:2308
-
\??\c:\vpddj.exec:\vpddj.exe113⤵PID:1320
-
\??\c:\8262448.exec:\8262448.exe114⤵PID:2124
-
\??\c:\9jvvd.exec:\9jvvd.exe115⤵PID:300
-
\??\c:\ntntbb.exec:\ntntbb.exe116⤵PID:1028
-
\??\c:\82624.exec:\82624.exe117⤵PID:1032
-
\??\c:\ffxrflf.exec:\ffxrflf.exe118⤵PID:1588
-
\??\c:\820644.exec:\820644.exe119⤵PID:1584
-
\??\c:\7jppj.exec:\7jppj.exe120⤵PID:2688
-
\??\c:\hbhbbt.exec:\hbhbbt.exe121⤵PID:2828
-
\??\c:\0462440.exec:\0462440.exe122⤵PID:2748
-