Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 01:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9944bef710de88bc255442716f83fedafdecd36f919864c8c70c44f8ded8380N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
a9944bef710de88bc255442716f83fedafdecd36f919864c8c70c44f8ded8380N.exe
-
Size
453KB
-
MD5
07006e08519a485c0cc3806ed8cf22c0
-
SHA1
ba94749269edf7d112a066c0a5c89d3b7d9221e0
-
SHA256
a9944bef710de88bc255442716f83fedafdecd36f919864c8c70c44f8ded8380
-
SHA512
4abc9f48d12a8341d6f9e0d628003f6ad1a72c166e02ccbfa1cbe1fd6faf0f44193cfdd32648647fb3a4e9d45f775c00451d34be6141d5bdfc82ec31f97ebcf2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/2984-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-94-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-99-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2604-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-110-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1728-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-174-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/852-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1332-217-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/896-227-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/896-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-238-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2188-255-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2232-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-278-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1868-309-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2076-315-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2076-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-356-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2808-382-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2988-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-424-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2652-463-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/300-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2468-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/688-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/300-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-775-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/300-782-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2356-831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-873-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2248-932-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1260-956-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2228-994-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1076-1006-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1172-1032-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-1051-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3048 826622.exe 2832 lxrrllx.exe 2060 6462008.exe 2348 ppjvj.exe 2280 vpjjj.exe 2776 80628.exe 2120 c484628.exe 2820 86408.exe 2904 7bntbh.exe 1688 xxrrffr.exe 2604 tnhhnt.exe 1096 8862802.exe 1176 226064.exe 1728 40822.exe 1536 6640066.exe 1988 2684668.exe 1816 bhbbnb.exe 852 vdvpp.exe 2856 7pjjp.exe 2864 o262408.exe 1832 42008.exe 1624 btnbnt.exe 1332 206288.exe 896 646244.exe 1548 nhhnbn.exe 760 5pdjd.exe 2188 826840.exe 2232 nnhtnt.exe 480 rrrfffl.exe 2204 pdpdj.exe 2984 00408.exe 1932 w20284.exe 1868 o200886.exe 2076 rlrxxlr.exe 2484 rrfrxxf.exe 1924 48624.exe 2680 w44462.exe 2280 826468.exe 2752 m0846.exe 2684 llfrflx.exe 2808 48024.exe 2840 3xxfrxf.exe 2904 5bbbnn.exe 2556 820644.exe 2988 xxxfrxl.exe 2612 a6646.exe 2024 nhhttb.exe 1356 3lflrxr.exe 2396 bhhnhh.exe 1812 480680.exe 1536 824028.exe 1756 9rxxxxr.exe 1392 6640066.exe 2860 8202024.exe 2996 jpjvp.exe 2652 608422.exe 1788 bttbtb.exe 988 rffxrrf.exe 1660 lfxxlrf.exe 2240 486240.exe 300 6060886.exe 836 080200.exe 736 26462.exe 1840 xxxxflx.exe -
resource yara_rule behavioral1/memory/2984-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/480-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2684-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-382-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2988-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-463-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/300-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/736-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-704-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/300-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/300-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-775-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2356-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-843-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1496-919-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-1032-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-1051-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3052-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-1095-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c484628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhhnn.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2984 wrote to memory of 3048 2984 a9944bef710de88bc255442716f83fedafdecd36f919864c8c70c44f8ded8380N.exe 30 PID 2984 wrote to memory of 3048 2984 a9944bef710de88bc255442716f83fedafdecd36f919864c8c70c44f8ded8380N.exe 30 PID 2984 wrote to memory of 3048 2984 a9944bef710de88bc255442716f83fedafdecd36f919864c8c70c44f8ded8380N.exe 30 PID 2984 wrote to memory of 3048 2984 a9944bef710de88bc255442716f83fedafdecd36f919864c8c70c44f8ded8380N.exe 30 PID 3048 wrote to memory of 2832 3048 826622.exe 31 PID 3048 wrote to memory of 2832 3048 826622.exe 31 PID 3048 wrote to memory of 2832 3048 826622.exe 31 PID 3048 wrote to memory of 2832 3048 826622.exe 31 PID 2832 wrote to memory of 2060 2832 lxrrllx.exe 32 PID 2832 wrote to memory of 2060 2832 lxrrllx.exe 32 PID 2832 wrote to memory of 2060 2832 lxrrllx.exe 32 PID 2832 wrote to memory of 2060 2832 lxrrllx.exe 32 PID 2060 wrote to memory of 2348 2060 6462008.exe 33 PID 2060 wrote to memory of 2348 2060 6462008.exe 33 PID 2060 wrote to memory of 2348 2060 6462008.exe 33 PID 2060 wrote to memory of 2348 2060 6462008.exe 33 PID 2348 wrote to memory of 2280 2348 ppjvj.exe 34 PID 2348 wrote to memory of 2280 2348 ppjvj.exe 34 PID 2348 wrote to memory of 2280 2348 ppjvj.exe 34 PID 2348 wrote to memory of 2280 2348 ppjvj.exe 34 PID 2280 wrote to memory of 2776 2280 vpjjj.exe 35 PID 2280 wrote to memory of 2776 2280 vpjjj.exe 35 PID 2280 wrote to memory of 2776 2280 vpjjj.exe 35 PID 2280 wrote to memory of 2776 2280 vpjjj.exe 35 PID 2776 wrote to memory of 2120 2776 80628.exe 36 PID 2776 wrote to memory of 2120 2776 80628.exe 36 PID 2776 wrote to memory of 2120 2776 80628.exe 36 PID 2776 wrote to memory of 2120 2776 80628.exe 36 PID 2120 wrote to memory of 2820 2120 c484628.exe 37 PID 2120 wrote to memory of 2820 2120 c484628.exe 37 PID 2120 wrote to memory of 2820 2120 c484628.exe 37 PID 2120 wrote to memory of 2820 2120 c484628.exe 37 PID 2820 wrote to memory of 2904 2820 86408.exe 38 PID 2820 
wrote to memory of 2904 2820 86408.exe 38 PID 2820 wrote to memory of 2904 2820 86408.exe 38 PID 2820 wrote to memory of 2904 2820 86408.exe 38 PID 2904 wrote to memory of 1688 2904 7bntbh.exe 39 PID 2904 wrote to memory of 1688 2904 7bntbh.exe 39 PID 2904 wrote to memory of 1688 2904 7bntbh.exe 39 PID 2904 wrote to memory of 1688 2904 7bntbh.exe 39 PID 1688 wrote to memory of 2604 1688 xxrrffr.exe 40 PID 1688 wrote to memory of 2604 1688 xxrrffr.exe 40 PID 1688 wrote to memory of 2604 1688 xxrrffr.exe 40 PID 1688 wrote to memory of 2604 1688 xxrrffr.exe 40 PID 2604 wrote to memory of 1096 2604 tnhhnt.exe 41 PID 2604 wrote to memory of 1096 2604 tnhhnt.exe 41 PID 2604 wrote to memory of 1096 2604 tnhhnt.exe 41 PID 2604 wrote to memory of 1096 2604 tnhhnt.exe 41 PID 1096 wrote to memory of 1176 1096 8862802.exe 42 PID 1096 wrote to memory of 1176 1096 8862802.exe 42 PID 1096 wrote to memory of 1176 1096 8862802.exe 42 PID 1096 wrote to memory of 1176 1096 8862802.exe 42 PID 1176 wrote to memory of 1728 1176 226064.exe 43 PID 1176 wrote to memory of 1728 1176 226064.exe 43 PID 1176 wrote to memory of 1728 1176 226064.exe 43 PID 1176 wrote to memory of 1728 1176 226064.exe 43 PID 1728 wrote to memory of 1536 1728 40822.exe 44 PID 1728 wrote to memory of 1536 1728 40822.exe 44 PID 1728 wrote to memory of 1536 1728 40822.exe 44 PID 1728 wrote to memory of 1536 1728 40822.exe 44 PID 1536 wrote to memory of 1988 1536 6640066.exe 45 PID 1536 wrote to memory of 1988 1536 6640066.exe 45 PID 1536 wrote to memory of 1988 1536 6640066.exe 45 PID 1536 wrote to memory of 1988 1536 6640066.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9944bef710de88bc255442716f83fedafdecd36f919864c8c70c44f8ded8380N.exe"C:\Users\Admin\AppData\Local\Temp\a9944bef710de88bc255442716f83fedafdecd36f919864c8c70c44f8ded8380N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\826622.exec:\826622.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\lxrrllx.exec:\lxrrllx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\6462008.exec:\6462008.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\ppjvj.exec:\ppjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\vpjjj.exec:\vpjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\80628.exec:\80628.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\c484628.exec:\c484628.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\86408.exec:\86408.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\7bntbh.exec:\7bntbh.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\xxrrffr.exec:\xxrrffr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\tnhhnt.exec:\tnhhnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\8862802.exec:\8862802.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\226064.exec:\226064.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\40822.exec:\40822.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\6640066.exec:\6640066.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\2684668.exec:\2684668.exe17⤵
- Executes dropped EXE
PID:1988 -
\??\c:\bhbbnb.exec:\bhbbnb.exe18⤵
- Executes dropped EXE
PID:1816 -
\??\c:\vdvpp.exec:\vdvpp.exe19⤵
- Executes dropped EXE
PID:852 -
\??\c:\7pjjp.exec:\7pjjp.exe20⤵
- Executes dropped EXE
PID:2856 -
\??\c:\o262408.exec:\o262408.exe21⤵
- Executes dropped EXE
PID:2864 -
\??\c:\42008.exec:\42008.exe22⤵
- Executes dropped EXE
PID:1832 -
\??\c:\btnbnt.exec:\btnbnt.exe23⤵
- Executes dropped EXE
PID:1624 -
\??\c:\206288.exec:\206288.exe24⤵
- Executes dropped EXE
PID:1332 -
\??\c:\646244.exec:\646244.exe25⤵
- Executes dropped EXE
PID:896 -
\??\c:\nhhnbn.exec:\nhhnbn.exe26⤵
- Executes dropped EXE
PID:1548 -
\??\c:\5pdjd.exec:\5pdjd.exe27⤵
- Executes dropped EXE
PID:760 -
\??\c:\826840.exec:\826840.exe28⤵
- Executes dropped EXE
PID:2188 -
\??\c:\nnhtnt.exec:\nnhtnt.exe29⤵
- Executes dropped EXE
PID:2232 -
\??\c:\rrrfffl.exec:\rrrfffl.exe30⤵
- Executes dropped EXE
PID:480 -
\??\c:\pdpdj.exec:\pdpdj.exe31⤵
- Executes dropped EXE
PID:2204 -
\??\c:\00408.exec:\00408.exe32⤵
- Executes dropped EXE
PID:2984 -
\??\c:\w20284.exec:\w20284.exe33⤵
- Executes dropped EXE
PID:1932 -
\??\c:\o200886.exec:\o200886.exe34⤵
- Executes dropped EXE
PID:1868 -
\??\c:\rlrxxlr.exec:\rlrxxlr.exe35⤵
- Executes dropped EXE
PID:2076 -
\??\c:\rrfrxxf.exec:\rrfrxxf.exe36⤵
- Executes dropped EXE
PID:2484 -
\??\c:\48624.exec:\48624.exe37⤵
- Executes dropped EXE
PID:1924 -
\??\c:\w44462.exec:\w44462.exe38⤵
- Executes dropped EXE
PID:2680 -
\??\c:\826468.exec:\826468.exe39⤵
- Executes dropped EXE
PID:2280 -
\??\c:\m0846.exec:\m0846.exe40⤵
- Executes dropped EXE
PID:2752 -
\??\c:\llfrflx.exec:\llfrflx.exe41⤵
- Executes dropped EXE
PID:2684 -
\??\c:\48024.exec:\48024.exe42⤵
- Executes dropped EXE
PID:2808 -
\??\c:\3xxfrxf.exec:\3xxfrxf.exe43⤵
- Executes dropped EXE
PID:2840 -
\??\c:\5bbbnn.exec:\5bbbnn.exe44⤵
- Executes dropped EXE
PID:2904 -
\??\c:\820644.exec:\820644.exe45⤵
- Executes dropped EXE
PID:2556 -
\??\c:\xxxfrxl.exec:\xxxfrxl.exe46⤵
- Executes dropped EXE
PID:2988 -
\??\c:\a6646.exec:\a6646.exe47⤵
- Executes dropped EXE
PID:2612 -
\??\c:\nhhttb.exec:\nhhttb.exe48⤵
- Executes dropped EXE
PID:2024 -
\??\c:\3lflrxr.exec:\3lflrxr.exe49⤵
- Executes dropped EXE
PID:1356 -
\??\c:\bhhnhh.exec:\bhhnhh.exe50⤵
- Executes dropped EXE
PID:2396 -
\??\c:\480680.exec:\480680.exe51⤵
- Executes dropped EXE
PID:1812 -
\??\c:\824028.exec:\824028.exe52⤵
- Executes dropped EXE
PID:1536 -
\??\c:\9rxxxxr.exec:\9rxxxxr.exe53⤵
- Executes dropped EXE
PID:1756 -
\??\c:\6640066.exec:\6640066.exe54⤵
- Executes dropped EXE
PID:1392 -
\??\c:\8202024.exec:\8202024.exe55⤵
- Executes dropped EXE
PID:2860 -
\??\c:\jpjvp.exec:\jpjvp.exe56⤵
- Executes dropped EXE
PID:2996 -
\??\c:\608422.exec:\608422.exe57⤵
- Executes dropped EXE
PID:2652 -
\??\c:\bttbtb.exec:\bttbtb.exe58⤵
- Executes dropped EXE
PID:1788 -
\??\c:\rffxrrf.exec:\rffxrrf.exe59⤵
- Executes dropped EXE
PID:988 -
\??\c:\lfxxlrf.exec:\lfxxlrf.exe60⤵
- Executes dropped EXE
PID:1660 -
\??\c:\486240.exec:\486240.exe61⤵
- Executes dropped EXE
PID:2240 -
\??\c:\6060886.exec:\6060886.exe62⤵
- Executes dropped EXE
PID:300 -
\??\c:\080200.exec:\080200.exe63⤵
- Executes dropped EXE
PID:836 -
\??\c:\26462.exec:\26462.exe64⤵
- Executes dropped EXE
PID:736 -
\??\c:\xxxxflx.exec:\xxxxflx.exe65⤵
- Executes dropped EXE
PID:1840 -
\??\c:\q80684.exec:\q80684.exe66⤵PID:760
-
\??\c:\4862846.exec:\4862846.exe67⤵PID:396
-
\??\c:\2282828.exec:\2282828.exe68⤵PID:2416
-
\??\c:\q26284.exec:\q26284.exe69⤵PID:2468
-
\??\c:\4484488.exec:\4484488.exe70⤵PID:3040
-
\??\c:\hbbnbb.exec:\hbbnbb.exe71⤵PID:3052
-
\??\c:\9ffrxfr.exec:\9ffrxfr.exe72⤵PID:2632
-
\??\c:\28662.exec:\28662.exe73⤵PID:1608
-
\??\c:\i026268.exec:\i026268.exe74⤵PID:2460
-
\??\c:\3jdvp.exec:\3jdvp.exe75⤵PID:1856
-
\??\c:\3vjpp.exec:\3vjpp.exe76⤵PID:3024
-
\??\c:\06404.exec:\06404.exe77⤵PID:2692
-
\??\c:\424466.exec:\424466.exe78⤵PID:2660
-
\??\c:\m6006.exec:\m6006.exe79⤵PID:2696
-
\??\c:\frllrrf.exec:\frllrrf.exe80⤵PID:2928
-
\??\c:\8206262.exec:\8206262.exe81⤵PID:2676
-
\??\c:\o244428.exec:\o244428.exe82⤵PID:2824
-
\??\c:\jjdvj.exec:\jjdvj.exe83⤵PID:2812
-
\??\c:\htntbb.exec:\htntbb.exe84⤵PID:2716
-
\??\c:\26084.exec:\26084.exe85⤵PID:1688
-
\??\c:\7dpvd.exec:\7dpvd.exe86⤵PID:3012
-
\??\c:\lflrxxf.exec:\lflrxxf.exe87⤵PID:1552
-
\??\c:\dpddj.exec:\dpddj.exe88⤵PID:1096
-
\??\c:\httnnt.exec:\httnnt.exe89⤵PID:688
-
\??\c:\9hbbhn.exec:\9hbbhn.exe90⤵PID:1356
-
\??\c:\424000.exec:\424000.exe91⤵PID:1644
-
\??\c:\xfrlrrr.exec:\xfrlrrr.exe92⤵PID:2004
-
\??\c:\246622.exec:\246622.exe93⤵PID:1988
-
\??\c:\5vvvv.exec:\5vvvv.exe94⤵PID:1288
-
\??\c:\dpvpp.exec:\dpvpp.exe95⤵PID:1920
-
\??\c:\5pddj.exec:\5pddj.exe96⤵PID:2852
-
\??\c:\e82244.exec:\e82244.exe97⤵PID:2276
-
\??\c:\4682480.exec:\4682480.exe98⤵PID:2652
-
\??\c:\86266.exec:\86266.exe99⤵PID:948
-
\??\c:\64666.exec:\64666.exe100⤵PID:816
-
\??\c:\jvppv.exec:\jvppv.exe101⤵PID:2020
-
\??\c:\vjppp.exec:\vjppp.exe102⤵PID:1792
-
\??\c:\vjppj.exec:\vjppj.exe103⤵PID:300
-
\??\c:\4248046.exec:\4248046.exe104⤵PID:896
-
\??\c:\08000.exec:\08000.exe105⤵PID:632
-
\??\c:\bthbbh.exec:\bthbbh.exe106⤵PID:1840
-
\??\c:\64006.exec:\64006.exe107⤵PID:760
-
\??\c:\42484.exec:\42484.exe108⤵PID:292
-
\??\c:\tnbhnt.exec:\tnbhnt.exe109⤵PID:480
-
\??\c:\3rflrxx.exec:\3rflrxx.exe110⤵PID:2972
-
\??\c:\lfflllr.exec:\lfflllr.exe111⤵PID:2204
-
\??\c:\g8824.exec:\g8824.exe112⤵PID:3052
-
\??\c:\00062.exec:\00062.exe113⤵PID:1972
-
\??\c:\bntnhn.exec:\bntnhn.exe114⤵PID:2832
-
\??\c:\24262.exec:\24262.exe115⤵PID:2356
-
\??\c:\84864.exec:\84864.exe116⤵PID:2168
-
\??\c:\2062886.exec:\2062886.exe117⤵PID:2700
-
\??\c:\o804600.exec:\o804600.exe118⤵PID:1080
-
\??\c:\tnbhhh.exec:\tnbhhh.exe119⤵PID:2756
-
\??\c:\thttbb.exec:\thttbb.exe120⤵PID:2780
-
\??\c:\s2666.exec:\s2666.exe121⤵PID:2752
-
\??\c:\420006.exec:\420006.exe122⤵PID:1440