Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 01:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe
-
Size
455KB
-
MD5
0042c616ac02c252f3d9f66c735a74b0
-
SHA1
f5d4cb2bfb519b2d1dccad3563cef4bfb8d7dbee
-
SHA256
ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546
-
SHA512
af84ea18b44625f64dc664317cad41a33b0ce1af0b3fd1075dc992074f233480959a4f6a9e5e47d7acc5690c6b341509a632853da954ffacdd80c4c9c358d598
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR+:q7Tc2NYHUrAwfMp3CDR+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2696-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-57-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2176-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/588-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/788-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2576-287-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1920-300-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/1916-305-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1916-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-315-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2260-320-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1920-325-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/1696-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-376-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2668-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-465-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2108-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-506-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1852-513-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1932-520-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1932-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2736-625-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1972-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-817-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2264-851-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1564-1012-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1340-1114-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/880-1133-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1604-1389-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2536 q86680.exe 1848 u022222.exe 2720 820680.exe 2904 428800.exe 2768 20662.exe 2176 rrxrxxl.exe 2964 0424668.exe 2780 u044846.exe 2632 64808.exe 1784 vpjvp.exe 1668 80862.exe 2008 42668.exe 1148 3pjjv.exe 1892 3pjjd.exe 2600 jjjpv.exe 2420 a4460.exe 1984 ttnbht.exe 2428 28488.exe 588 vjdpd.exe 3000 1nnnbh.exe 1676 1htbbh.exe 1240 frllrrf.exe 1276 vdddj.exe 1244 082866.exe 608 thbtnh.exe 788 xrrlxrr.exe 1660 pdvjd.exe 908 vjpjd.exe 2576 nnbbnb.exe 1040 6600262.exe 2380 k86662.exe 876 0284606.exe 896 u480220.exe 1920 nbnnnh.exe 1916 flrllxx.exe 1028 a4662.exe 2260 4646440.exe 2920 vjdjv.exe 1580 7llffrf.exe 1696 rfxrrxx.exe 2620 xfrxrrf.exe 2804 m4846.exe 2652 664268.exe 2668 04242.exe 2780 pvvjv.exe 2644 208840.exe 3056 864406.exe 1248 lxrxxxf.exe 1524 2680846.exe 1792 hhbbhn.exe 1720 5rlxxlr.exe 692 5flxlxf.exe 2864 4480068.exe 2000 i824624.exe 1564 jpjpd.exe 1228 04808.exe 2708 rrlfxlx.exe 592 a4624.exe 2596 lfflflx.exe 3008 5bntnn.exe 1680 k86622.exe 440 bnbntt.exe 2108 9pppd.exe 2800 0444662.exe -
resource yara_rule behavioral1/memory/2696-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-317-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2920-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-812-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2856-980-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-993-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-1013-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-1069-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-1076-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2084-1095-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-1252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1176-1284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-1370-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8682884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2080020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k06644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60624.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o480280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2696 wrote to memory of 2536 2696 ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe 30 PID 2696 wrote to memory of 2536 2696 ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe 30 PID 2696 wrote to memory of 2536 2696 ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe 30 PID 2696 wrote to memory of 2536 2696 ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe 30 PID 2536 wrote to memory of 1848 2536 q86680.exe 31 PID 2536 wrote to memory of 1848 2536 q86680.exe 31 PID 2536 wrote to memory of 1848 2536 q86680.exe 31 PID 2536 wrote to memory of 1848 2536 q86680.exe 31 PID 1848 wrote to memory of 2720 1848 u022222.exe 32 PID 1848 wrote to memory of 2720 1848 u022222.exe 32 PID 1848 wrote to memory of 2720 1848 u022222.exe 32 PID 1848 wrote to memory of 2720 1848 u022222.exe 32 PID 2720 wrote to memory of 2904 2720 820680.exe 33 PID 2720 wrote to memory of 2904 2720 820680.exe 33 PID 2720 wrote to memory of 2904 2720 820680.exe 33 PID 2720 wrote to memory of 2904 2720 820680.exe 33 PID 2904 wrote to memory of 2768 2904 428800.exe 34 PID 2904 wrote to memory of 2768 2904 428800.exe 34 PID 2904 wrote to memory of 2768 2904 428800.exe 34 PID 2904 wrote to memory of 2768 2904 428800.exe 34 PID 2768 wrote to memory of 2176 2768 20662.exe 35 PID 2768 wrote to memory of 2176 2768 20662.exe 35 PID 2768 wrote to memory of 2176 2768 20662.exe 35 PID 2768 wrote to memory of 2176 2768 20662.exe 35 PID 2176 wrote to memory of 2964 2176 rrxrxxl.exe 36 PID 2176 wrote to memory of 2964 2176 rrxrxxl.exe 36 PID 2176 wrote to memory of 2964 2176 rrxrxxl.exe 36 PID 2176 wrote to memory of 2964 2176 rrxrxxl.exe 36 PID 2964 wrote to memory of 2780 2964 0424668.exe 37 PID 2964 wrote to memory of 2780 2964 0424668.exe 37 PID 2964 wrote to memory of 2780 2964 0424668.exe 37 PID 2964 wrote to memory of 2780 2964 0424668.exe 37 PID 2780 wrote to memory of 2632 2780 u044846.exe 38 PID 
2780 wrote to memory of 2632 2780 u044846.exe 38 PID 2780 wrote to memory of 2632 2780 u044846.exe 38 PID 2780 wrote to memory of 2632 2780 u044846.exe 38 PID 2632 wrote to memory of 1784 2632 64808.exe 39 PID 2632 wrote to memory of 1784 2632 64808.exe 39 PID 2632 wrote to memory of 1784 2632 64808.exe 39 PID 2632 wrote to memory of 1784 2632 64808.exe 39 PID 1784 wrote to memory of 1668 1784 vpjvp.exe 40 PID 1784 wrote to memory of 1668 1784 vpjvp.exe 40 PID 1784 wrote to memory of 1668 1784 vpjvp.exe 40 PID 1784 wrote to memory of 1668 1784 vpjvp.exe 40 PID 1668 wrote to memory of 2008 1668 80862.exe 41 PID 1668 wrote to memory of 2008 1668 80862.exe 41 PID 1668 wrote to memory of 2008 1668 80862.exe 41 PID 1668 wrote to memory of 2008 1668 80862.exe 41 PID 2008 wrote to memory of 1148 2008 42668.exe 42 PID 2008 wrote to memory of 1148 2008 42668.exe 42 PID 2008 wrote to memory of 1148 2008 42668.exe 42 PID 2008 wrote to memory of 1148 2008 42668.exe 42 PID 1148 wrote to memory of 1892 1148 3pjjv.exe 43 PID 1148 wrote to memory of 1892 1148 3pjjv.exe 43 PID 1148 wrote to memory of 1892 1148 3pjjv.exe 43 PID 1148 wrote to memory of 1892 1148 3pjjv.exe 43 PID 1892 wrote to memory of 2600 1892 3pjjd.exe 44 PID 1892 wrote to memory of 2600 1892 3pjjd.exe 44 PID 1892 wrote to memory of 2600 1892 3pjjd.exe 44 PID 1892 wrote to memory of 2600 1892 3pjjd.exe 44 PID 2600 wrote to memory of 2420 2600 jjjpv.exe 45 PID 2600 wrote to memory of 2420 2600 jjjpv.exe 45 PID 2600 wrote to memory of 2420 2600 jjjpv.exe 45 PID 2600 wrote to memory of 2420 2600 jjjpv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe"C:\Users\Admin\AppData\Local\Temp\ac41d3a7166bd42eb6d52d8c9315c45976d679d7447d937cc1ca17c371eca546.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\q86680.exec:\q86680.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\u022222.exec:\u022222.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\820680.exec:\820680.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\428800.exec:\428800.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\20662.exec:\20662.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\rrxrxxl.exec:\rrxrxxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\0424668.exec:\0424668.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\u044846.exec:\u044846.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\64808.exec:\64808.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\vpjvp.exec:\vpjvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\80862.exec:\80862.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\42668.exec:\42668.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\3pjjv.exec:\3pjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\3pjjd.exec:\3pjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\jjjpv.exec:\jjjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\a4460.exec:\a4460.exe17⤵
- Executes dropped EXE
PID:2420 -
\??\c:\ttnbht.exec:\ttnbht.exe18⤵
- Executes dropped EXE
PID:1984 -
\??\c:\28488.exec:\28488.exe19⤵
- Executes dropped EXE
PID:2428 -
\??\c:\vjdpd.exec:\vjdpd.exe20⤵
- Executes dropped EXE
PID:588 -
\??\c:\1nnnbh.exec:\1nnnbh.exe21⤵
- Executes dropped EXE
PID:3000 -
\??\c:\1htbbh.exec:\1htbbh.exe22⤵
- Executes dropped EXE
PID:1676 -
\??\c:\frllrrf.exec:\frllrrf.exe23⤵
- Executes dropped EXE
PID:1240 -
\??\c:\vdddj.exec:\vdddj.exe24⤵
- Executes dropped EXE
PID:1276 -
\??\c:\082866.exec:\082866.exe25⤵
- Executes dropped EXE
PID:1244 -
\??\c:\thbtnh.exec:\thbtnh.exe26⤵
- Executes dropped EXE
PID:608 -
\??\c:\xrrlxrr.exec:\xrrlxrr.exe27⤵
- Executes dropped EXE
PID:788 -
\??\c:\pdvjd.exec:\pdvjd.exe28⤵
- Executes dropped EXE
PID:1660 -
\??\c:\vjpjd.exec:\vjpjd.exe29⤵
- Executes dropped EXE
PID:908 -
\??\c:\nnbbnb.exec:\nnbbnb.exe30⤵
- Executes dropped EXE
PID:2576 -
\??\c:\6600262.exec:\6600262.exe31⤵
- Executes dropped EXE
PID:1040 -
\??\c:\k86662.exec:\k86662.exe32⤵
- Executes dropped EXE
PID:2380 -
\??\c:\0284606.exec:\0284606.exe33⤵
- Executes dropped EXE
PID:876 -
\??\c:\u480220.exec:\u480220.exe34⤵
- Executes dropped EXE
PID:896 -
\??\c:\nbnnnh.exec:\nbnnnh.exe35⤵
- Executes dropped EXE
PID:1920 -
\??\c:\flrllxx.exec:\flrllxx.exe36⤵
- Executes dropped EXE
PID:1916 -
\??\c:\a4662.exec:\a4662.exe37⤵
- Executes dropped EXE
PID:1028 -
\??\c:\4646440.exec:\4646440.exe38⤵
- Executes dropped EXE
PID:2260 -
\??\c:\vjdjv.exec:\vjdjv.exe39⤵
- Executes dropped EXE
PID:2920 -
\??\c:\7llffrf.exec:\7llffrf.exe40⤵
- Executes dropped EXE
PID:1580 -
\??\c:\rfxrrxx.exec:\rfxrrxx.exe41⤵
- Executes dropped EXE
PID:1696 -
\??\c:\xfrxrrf.exec:\xfrxrrf.exe42⤵
- Executes dropped EXE
PID:2620 -
\??\c:\m4846.exec:\m4846.exe43⤵
- Executes dropped EXE
PID:2804 -
\??\c:\664268.exec:\664268.exe44⤵
- Executes dropped EXE
PID:2652 -
\??\c:\04242.exec:\04242.exe45⤵
- Executes dropped EXE
PID:2668 -
\??\c:\pvvjv.exec:\pvvjv.exe46⤵
- Executes dropped EXE
PID:2780 -
\??\c:\208840.exec:\208840.exe47⤵
- Executes dropped EXE
PID:2644 -
\??\c:\864406.exec:\864406.exe48⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lxrxxxf.exec:\lxrxxxf.exe49⤵
- Executes dropped EXE
PID:1248 -
\??\c:\2680846.exec:\2680846.exe50⤵
- Executes dropped EXE
PID:1524 -
\??\c:\hhbbhn.exec:\hhbbhn.exe51⤵
- Executes dropped EXE
PID:1792 -
\??\c:\5rlxxlr.exec:\5rlxxlr.exe52⤵
- Executes dropped EXE
PID:1720 -
\??\c:\5flxlxf.exec:\5flxlxf.exe53⤵
- Executes dropped EXE
PID:692 -
\??\c:\4480068.exec:\4480068.exe54⤵
- Executes dropped EXE
PID:2864 -
\??\c:\i824624.exec:\i824624.exe55⤵
- Executes dropped EXE
PID:2000 -
\??\c:\jpjpd.exec:\jpjpd.exe56⤵
- Executes dropped EXE
PID:1564 -
\??\c:\04808.exec:\04808.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1228 -
\??\c:\rrlfxlx.exec:\rrlfxlx.exe58⤵
- Executes dropped EXE
PID:2708 -
\??\c:\a4624.exec:\a4624.exe59⤵
- Executes dropped EXE
PID:592 -
\??\c:\lfflflx.exec:\lfflflx.exe60⤵
- Executes dropped EXE
PID:2596 -
\??\c:\5bntnn.exec:\5bntnn.exe61⤵
- Executes dropped EXE
PID:3008 -
\??\c:\k86622.exec:\k86622.exe62⤵
- Executes dropped EXE
PID:1680 -
\??\c:\bnbntt.exec:\bnbntt.exe63⤵
- Executes dropped EXE
PID:440 -
\??\c:\9pppd.exec:\9pppd.exe64⤵
- Executes dropped EXE
PID:2108 -
\??\c:\0444662.exec:\0444662.exe65⤵
- Executes dropped EXE
PID:2800 -
\??\c:\nhtbhn.exec:\nhtbhn.exe66⤵PID:1852
-
\??\c:\lrlxrxl.exec:\lrlxrxl.exe67⤵PID:1932
-
\??\c:\llfrxfx.exec:\llfrxfx.exe68⤵PID:1768
-
\??\c:\48624.exec:\48624.exe69⤵PID:1532
-
\??\c:\1fflxfr.exec:\1fflxfr.exe70⤵PID:2484
-
\??\c:\6646880.exec:\6646880.exe71⤵PID:2988
-
\??\c:\080622.exec:\080622.exe72⤵PID:1740
-
\??\c:\60242.exec:\60242.exe73⤵PID:2304
-
\??\c:\jdvdp.exec:\jdvdp.exe74⤵PID:2672
-
\??\c:\44868.exec:\44868.exe75⤵PID:2208
-
\??\c:\nnhthn.exec:\nnhthn.exe76⤵PID:2556
-
\??\c:\xxrxrlr.exec:\xxrxrlr.exe77⤵PID:2356
-
\??\c:\q62268.exec:\q62268.exe78⤵PID:2104
-
\??\c:\1pjjp.exec:\1pjjp.exe79⤵PID:1848
-
\??\c:\5lffxrx.exec:\5lffxrx.exe80⤵PID:2916
-
\??\c:\868862.exec:\868862.exe81⤵PID:2884
-
\??\c:\dpjdj.exec:\dpjdj.exe82⤵PID:2516
-
\??\c:\ddvdp.exec:\ddvdp.exe83⤵PID:2736
-
\??\c:\8646406.exec:\8646406.exe84⤵PID:1580
-
\??\c:\7frrrxf.exec:\7frrrxf.exe85⤵PID:2880
-
\??\c:\6428068.exec:\6428068.exe86⤵PID:2640
-
\??\c:\hbbhtb.exec:\hbbhtb.exe87⤵PID:2952
-
\??\c:\lfrxxfl.exec:\lfrxxfl.exe88⤵PID:2652
-
\??\c:\000206.exec:\000206.exe89⤵PID:2688
-
\??\c:\nhbbbb.exec:\nhbbbb.exe90⤵PID:3060
-
\??\c:\086800.exec:\086800.exe91⤵PID:2184
-
\??\c:\fxrrxlr.exec:\fxrrxlr.exe92⤵PID:2148
-
\??\c:\vpvjv.exec:\vpvjv.exe93⤵PID:1844
-
\??\c:\6066802.exec:\6066802.exe94⤵PID:1912
-
\??\c:\482468.exec:\482468.exe95⤵PID:1704
-
\??\c:\tbthhh.exec:\tbthhh.exe96⤵PID:1972
-
\??\c:\9jddd.exec:\9jddd.exe97⤵PID:2512
-
\??\c:\24468.exec:\24468.exe98⤵PID:2876
-
\??\c:\vjjdp.exec:\vjjdp.exe99⤵PID:1600
-
\??\c:\q04244.exec:\q04244.exe100⤵PID:1908
-
\??\c:\8202068.exec:\8202068.exe101⤵PID:1984
-
\??\c:\664246.exec:\664246.exe102⤵PID:2428
-
\??\c:\4862880.exec:\4862880.exe103⤵PID:3036
-
\??\c:\pjdjj.exec:\pjdjj.exe104⤵PID:2592
-
\??\c:\3ffrfrl.exec:\3ffrfrl.exe105⤵PID:316
-
\??\c:\q04680.exec:\q04680.exe106⤵PID:2232
-
\??\c:\llxfllf.exec:\llxfllf.exe107⤵PID:1680
-
\??\c:\422868.exec:\422868.exe108⤵PID:440
-
\??\c:\8684206.exec:\8684206.exe109⤵PID:2332
-
\??\c:\ppdjp.exec:\ppdjp.exe110⤵PID:968
-
\??\c:\7hbhnt.exec:\7hbhnt.exe111⤵PID:1924
-
\??\c:\hnnthh.exec:\hnnthh.exe112⤵PID:1536
-
\??\c:\nnthbn.exec:\nnthbn.exe113⤵PID:916
-
\??\c:\3httbb.exec:\3httbb.exe114⤵PID:1660
-
\??\c:\46486.exec:\46486.exe115⤵PID:1568
-
\??\c:\btthnb.exec:\btthnb.exe116⤵PID:2444
-
\??\c:\jdvdj.exec:\jdvdj.exe117⤵PID:2292
-
\??\c:\k04488.exec:\k04488.exe118⤵PID:2464
-
\??\c:\btnhhh.exec:\btnhhh.exe119⤵PID:2264
-
\??\c:\202222.exec:\202222.exe120⤵PID:2064
-
\??\c:\48440.exec:\48440.exe121⤵PID:2136
-
\??\c:\q20246.exec:\q20246.exe122⤵PID:2520