Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 01:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe
-
Size
454KB
-
MD5
7886bff74d479f96c5130cb071e9eb6f
-
SHA1
11f83b51668647de96085a3b5d8866a859a98924
-
SHA256
a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c
-
SHA512
6f638a23de292d556ff6235fdeb6eb91bcdf2eaf01b91d159fe869f5432780c2211ddc009e9c6c9829a9f8ff30898d8982165f8bd57087a963df83bc04da697e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/1976-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/476-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-40-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2172-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-168-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2956-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3060-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-397-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1084-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-472-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/680-503-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2140-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-865-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2676-884-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2636-887-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/2676-904-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon 
behavioral1/memory/2812-917-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2560-960-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2156 hbntbb.exe 2300 82046.exe 476 04846.exe 2172 pjvpv.exe 2800 602266.exe 2656 1ntttn.exe 2696 hhbntb.exe 2556 fxrxlxr.exe 2856 vvdpv.exe 2572 486866.exe 2776 9bnnnt.exe 1944 826806.exe 1592 nhbbtt.exe 2000 0486880.exe 1176 3jvpv.exe 2876 042462.exe 2976 xrlrflx.exe 2924 60460.exe 1788 26846.exe 2956 3jdpj.exe 1440 046240.exe 2160 08620.exe 2424 bhbhhn.exe 1864 64662.exe 1732 thhthh.exe 2376 fflrxfr.exe 2056 264280.exe 3024 xlfflrf.exe 2432 rxxrfrl.exe 3004 5xrlrxr.exe 3060 ddpdp.exe 1028 3vjpv.exe 972 tttnbn.exe 2176 60628.exe 1584 420622.exe 1920 lfxlrfx.exe 2300 5vjpv.exe 2260 dvjpv.exe 2684 dpjjv.exe 2828 tnhnbn.exe 2660 0882424.exe 2204 7tnthn.exe 1928 xrllrrf.exe 2668 hbtttt.exe 2528 0244006.exe 2560 pjdjp.exe 2748 80262.exe 1084 48880.exe 1860 lfrrrrx.exe 2752 xrllrxl.exe 1956 ddpdj.exe 1396 fxlrxfl.exe 2872 644400.exe 2028 tbtntb.exe 2940 rfxlllr.exe 2976 a6620.exe 2896 9lxfflx.exe 1788 hhtbhh.exe 1744 1lxxxxl.exe 1660 lxlrffl.exe 2336 fxrfrfr.exe 600 o822402.exe 688 a8284.exe 680 w48888.exe -
resource yara_rule behavioral1/memory/1976-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/476-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/476-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-40-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2172-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2668-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/552-1085-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-1147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-1305-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o244484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxfflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8244400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fffllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4828406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1976 wrote to memory of 2156 1976 a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe 31 PID 1976 wrote to memory of 2156 1976 a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe 31 PID 1976 wrote to memory of 2156 1976 a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe 31 PID 1976 wrote to memory of 2156 1976 a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe 31 PID 2156 wrote to memory of 2300 2156 hbntbb.exe 32 PID 2156 wrote to memory of 2300 2156 hbntbb.exe 32 PID 2156 wrote to memory of 2300 2156 hbntbb.exe 32 PID 2156 wrote to memory of 2300 2156 hbntbb.exe 32 PID 2300 wrote to memory of 476 2300 82046.exe 33 PID 2300 wrote to memory of 476 2300 82046.exe 33 PID 2300 wrote to memory of 476 2300 82046.exe 33 PID 2300 wrote to memory of 476 2300 82046.exe 33 PID 476 wrote to memory of 2172 476 04846.exe 34 PID 476 wrote to memory of 2172 476 04846.exe 34 PID 476 wrote to memory of 2172 476 04846.exe 34 PID 476 wrote to memory of 2172 476 04846.exe 34 PID 2172 wrote to memory of 2800 2172 pjvpv.exe 35 PID 2172 wrote to memory of 2800 2172 pjvpv.exe 35 PID 2172 wrote to memory of 2800 2172 pjvpv.exe 35 PID 2172 wrote to memory of 2800 2172 pjvpv.exe 35 PID 2800 wrote to memory of 2656 2800 602266.exe 36 PID 2800 wrote to memory of 2656 2800 602266.exe 36 PID 2800 wrote to memory of 2656 2800 602266.exe 36 PID 2800 wrote to memory of 2656 2800 602266.exe 36 PID 2656 wrote to memory of 2696 2656 1ntttn.exe 37 PID 2656 wrote to memory of 2696 2656 1ntttn.exe 37 PID 2656 wrote to memory of 2696 2656 1ntttn.exe 37 PID 2656 wrote to memory of 2696 2656 1ntttn.exe 37 PID 2696 wrote to memory of 2556 2696 hhbntb.exe 38 PID 2696 wrote to memory of 2556 2696 hhbntb.exe 38 PID 2696 wrote to memory of 2556 2696 hhbntb.exe 38 PID 2696 wrote to memory of 2556 2696 hhbntb.exe 38 PID 2556 wrote to memory of 2856 2556 fxrxlxr.exe 39 PID 2556 wrote to memory of 2856 
2556 fxrxlxr.exe 39 PID 2556 wrote to memory of 2856 2556 fxrxlxr.exe 39 PID 2556 wrote to memory of 2856 2556 fxrxlxr.exe 39 PID 2856 wrote to memory of 2572 2856 vvdpv.exe 40 PID 2856 wrote to memory of 2572 2856 vvdpv.exe 40 PID 2856 wrote to memory of 2572 2856 vvdpv.exe 40 PID 2856 wrote to memory of 2572 2856 vvdpv.exe 40 PID 2572 wrote to memory of 2776 2572 486866.exe 41 PID 2572 wrote to memory of 2776 2572 486866.exe 41 PID 2572 wrote to memory of 2776 2572 486866.exe 41 PID 2572 wrote to memory of 2776 2572 486866.exe 41 PID 2776 wrote to memory of 1944 2776 9bnnnt.exe 42 PID 2776 wrote to memory of 1944 2776 9bnnnt.exe 42 PID 2776 wrote to memory of 1944 2776 9bnnnt.exe 42 PID 2776 wrote to memory of 1944 2776 9bnnnt.exe 42 PID 1944 wrote to memory of 1592 1944 826806.exe 43 PID 1944 wrote to memory of 1592 1944 826806.exe 43 PID 1944 wrote to memory of 1592 1944 826806.exe 43 PID 1944 wrote to memory of 1592 1944 826806.exe 43 PID 1592 wrote to memory of 2000 1592 nhbbtt.exe 44 PID 1592 wrote to memory of 2000 1592 nhbbtt.exe 44 PID 1592 wrote to memory of 2000 1592 nhbbtt.exe 44 PID 1592 wrote to memory of 2000 1592 nhbbtt.exe 44 PID 2000 wrote to memory of 1176 2000 0486880.exe 45 PID 2000 wrote to memory of 1176 2000 0486880.exe 45 PID 2000 wrote to memory of 1176 2000 0486880.exe 45 PID 2000 wrote to memory of 1176 2000 0486880.exe 45 PID 1176 wrote to memory of 2876 1176 3jvpv.exe 46 PID 1176 wrote to memory of 2876 1176 3jvpv.exe 46 PID 1176 wrote to memory of 2876 1176 3jvpv.exe 46 PID 1176 wrote to memory of 2876 1176 3jvpv.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe"C:\Users\Admin\AppData\Local\Temp\a768666c3c2845648d705cb85469015d4d01d02b72b1a90c2f9e90d4cad9480c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\hbntbb.exec:\hbntbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\82046.exec:\82046.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\04846.exec:\04846.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:476 -
\??\c:\pjvpv.exec:\pjvpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\602266.exec:\602266.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\1ntttn.exec:\1ntttn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\hhbntb.exec:\hhbntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\fxrxlxr.exec:\fxrxlxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\vvdpv.exec:\vvdpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\486866.exec:\486866.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\9bnnnt.exec:\9bnnnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\826806.exec:\826806.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\nhbbtt.exec:\nhbbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\0486880.exec:\0486880.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\3jvpv.exec:\3jvpv.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\042462.exec:\042462.exe17⤵
- Executes dropped EXE
PID:2876 -
\??\c:\xrlrflx.exec:\xrlrflx.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976 -
\??\c:\60460.exec:\60460.exe19⤵
- Executes dropped EXE
PID:2924 -
\??\c:\26846.exec:\26846.exe20⤵
- Executes dropped EXE
PID:1788 -
\??\c:\3jdpj.exec:\3jdpj.exe21⤵
- Executes dropped EXE
PID:2956 -
\??\c:\046240.exec:\046240.exe22⤵
- Executes dropped EXE
PID:1440 -
\??\c:\08620.exec:\08620.exe23⤵
- Executes dropped EXE
PID:2160 -
\??\c:\bhbhhn.exec:\bhbhhn.exe24⤵
- Executes dropped EXE
PID:2424 -
\??\c:\64662.exec:\64662.exe25⤵
- Executes dropped EXE
PID:1864 -
\??\c:\thhthh.exec:\thhthh.exe26⤵
- Executes dropped EXE
PID:1732 -
\??\c:\fflrxfr.exec:\fflrxfr.exe27⤵
- Executes dropped EXE
PID:2376 -
\??\c:\264280.exec:\264280.exe28⤵
- Executes dropped EXE
PID:2056 -
\??\c:\xlfflrf.exec:\xlfflrf.exe29⤵
- Executes dropped EXE
PID:3024 -
\??\c:\rxxrfrl.exec:\rxxrfrl.exe30⤵
- Executes dropped EXE
PID:2432 -
\??\c:\5xrlrxr.exec:\5xrlrxr.exe31⤵
- Executes dropped EXE
PID:3004 -
\??\c:\ddpdp.exec:\ddpdp.exe32⤵
- Executes dropped EXE
PID:3060 -
\??\c:\3vjpv.exec:\3vjpv.exe33⤵
- Executes dropped EXE
PID:1028 -
\??\c:\tttnbn.exec:\tttnbn.exe34⤵
- Executes dropped EXE
PID:972 -
\??\c:\60628.exec:\60628.exe35⤵
- Executes dropped EXE
PID:2176 -
\??\c:\420622.exec:\420622.exe36⤵
- Executes dropped EXE
PID:1584 -
\??\c:\lfxlrfx.exec:\lfxlrfx.exe37⤵
- Executes dropped EXE
PID:1920 -
\??\c:\5vjpv.exec:\5vjpv.exe38⤵
- Executes dropped EXE
PID:2300 -
\??\c:\dvjpv.exec:\dvjpv.exe39⤵
- Executes dropped EXE
PID:2260 -
\??\c:\dpjjv.exec:\dpjjv.exe40⤵
- Executes dropped EXE
PID:2684 -
\??\c:\tnhnbn.exec:\tnhnbn.exe41⤵
- Executes dropped EXE
PID:2828 -
\??\c:\0882424.exec:\0882424.exe42⤵
- Executes dropped EXE
PID:2660 -
\??\c:\7tnthn.exec:\7tnthn.exe43⤵
- Executes dropped EXE
PID:2204 -
\??\c:\xrllrrf.exec:\xrllrrf.exe44⤵
- Executes dropped EXE
PID:1928 -
\??\c:\hbtttt.exec:\hbtttt.exe45⤵
- Executes dropped EXE
PID:2668 -
\??\c:\0244006.exec:\0244006.exe46⤵
- Executes dropped EXE
PID:2528 -
\??\c:\pjdjp.exec:\pjdjp.exe47⤵
- Executes dropped EXE
PID:2560 -
\??\c:\80262.exec:\80262.exe48⤵
- Executes dropped EXE
PID:2748 -
\??\c:\48880.exec:\48880.exe49⤵
- Executes dropped EXE
PID:1084 -
\??\c:\lfrrrrx.exec:\lfrrrrx.exe50⤵
- Executes dropped EXE
PID:1860 -
\??\c:\xrllrxl.exec:\xrllrxl.exe51⤵
- Executes dropped EXE
PID:2752 -
\??\c:\ddpdj.exec:\ddpdj.exe52⤵
- Executes dropped EXE
PID:1956 -
\??\c:\fxlrxfl.exec:\fxlrxfl.exe53⤵
- Executes dropped EXE
PID:1396 -
\??\c:\644400.exec:\644400.exe54⤵
- Executes dropped EXE
PID:2872 -
\??\c:\tbtntb.exec:\tbtntb.exe55⤵
- Executes dropped EXE
PID:2028 -
\??\c:\rfxlllr.exec:\rfxlllr.exe56⤵
- Executes dropped EXE
PID:2940 -
\??\c:\a6620.exec:\a6620.exe57⤵
- Executes dropped EXE
PID:2976 -
\??\c:\9lxfflx.exec:\9lxfflx.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896 -
\??\c:\hhtbhh.exec:\hhtbhh.exe59⤵
- Executes dropped EXE
PID:1788 -
\??\c:\1lxxxxl.exec:\1lxxxxl.exe60⤵
- Executes dropped EXE
PID:1744 -
\??\c:\lxlrffl.exec:\lxlrffl.exe61⤵
- Executes dropped EXE
PID:1660 -
\??\c:\fxrfrfr.exec:\fxrfrfr.exe62⤵
- Executes dropped EXE
PID:2336 -
\??\c:\o822402.exec:\o822402.exe63⤵
- Executes dropped EXE
PID:600 -
\??\c:\a8284.exec:\a8284.exe64⤵
- Executes dropped EXE
PID:688 -
\??\c:\w48888.exec:\w48888.exe65⤵
- Executes dropped EXE
PID:680 -
\??\c:\800622.exec:\800622.exe66⤵PID:1728
-
\??\c:\c602064.exec:\c602064.exe67⤵PID:1512
-
\??\c:\242688.exec:\242688.exe68⤵PID:1672
-
\??\c:\k48640.exec:\k48640.exe69⤵PID:1544
-
\??\c:\k86248.exec:\k86248.exe70⤵PID:2992
-
\??\c:\xxlfrxl.exec:\xxlfrxl.exe71⤵PID:2452
-
\??\c:\028444.exec:\028444.exe72⤵PID:292
-
\??\c:\fxlfrxl.exec:\fxlfrxl.exe73⤵PID:2208
-
\??\c:\7pvvv.exec:\7pvvv.exe74⤵PID:2612
-
\??\c:\rrrrxfr.exec:\rrrrxfr.exe75⤵PID:3060
-
\??\c:\dddjp.exec:\dddjp.exe76⤵PID:2448
-
\??\c:\jjvvj.exec:\jjvvj.exe77⤵PID:1912
-
\??\c:\428264.exec:\428264.exe78⤵PID:1612
-
\??\c:\7xlrxxf.exec:\7xlrxxf.exe79⤵PID:2304
-
\??\c:\htbhnt.exec:\htbhnt.exe80⤵PID:2140
-
\??\c:\6080284.exec:\6080284.exe81⤵PID:2624
-
\??\c:\pjvdp.exec:\pjvdp.exe82⤵PID:2680
-
\??\c:\3dvjp.exec:\3dvjp.exe83⤵PID:3012
-
\??\c:\8262446.exec:\8262446.exe84⤵PID:2664
-
\??\c:\868088.exec:\868088.exe85⤵PID:3000
-
\??\c:\6084006.exec:\6084006.exe86⤵PID:2840
-
\??\c:\c202468.exec:\c202468.exe87⤵PID:2936
-
\??\c:\5dppv.exec:\5dppv.exe88⤵PID:2576
-
\??\c:\2640224.exec:\2640224.exe89⤵PID:2856
-
\??\c:\082468.exec:\082468.exe90⤵PID:1288
-
\??\c:\a2440.exec:\a2440.exe91⤵PID:2772
-
\??\c:\264462.exec:\264462.exe92⤵PID:2776
-
\??\c:\6424840.exec:\6424840.exe93⤵PID:2780
-
\??\c:\482428.exec:\482428.exe94⤵PID:1548
-
\??\c:\pjdvv.exec:\pjdvv.exe95⤵PID:1432
-
\??\c:\2606284.exec:\2606284.exe96⤵PID:1264
-
\??\c:\o244484.exec:\o244484.exe97⤵
- System Location Discovery: System Language Discovery
PID:1644 -
\??\c:\btbntt.exec:\btbntt.exe98⤵PID:1128
-
\??\c:\hbhhtt.exec:\hbhhtt.exe99⤵PID:2876
-
\??\c:\bbbtbh.exec:\bbbtbh.exe100⤵PID:2928
-
\??\c:\0860000.exec:\0860000.exe101⤵PID:2192
-
\??\c:\5bntnn.exec:\5bntnn.exe102⤵PID:2124
-
\??\c:\46840.exec:\46840.exe103⤵PID:1712
-
\??\c:\5dvdj.exec:\5dvdj.exe104⤵PID:2184
-
\??\c:\pjvdp.exec:\pjvdp.exe105⤵PID:2508
-
\??\c:\vjppd.exec:\vjppd.exe106⤵PID:2016
-
\??\c:\04286.exec:\04286.exe107⤵PID:1764
-
\??\c:\2646848.exec:\2646848.exe108⤵PID:1960
-
\??\c:\8246246.exec:\8246246.exe109⤵PID:1008
-
\??\c:\6488006.exec:\6488006.exe110⤵PID:1320
-
\??\c:\20446.exec:\20446.exe111⤵PID:2504
-
\??\c:\lxxfrxf.exec:\lxxfrxf.exe112⤵PID:1752
-
\??\c:\pjvjv.exec:\pjvjv.exe113⤵PID:316
-
\??\c:\9rfllll.exec:\9rfllll.exe114⤵PID:1856
-
\??\c:\4862846.exec:\4862846.exe115⤵PID:2432
-
\??\c:\thnhhn.exec:\thnhhn.exe116⤵PID:1140
-
\??\c:\hbhnhn.exec:\hbhnhn.exe117⤵PID:1964
-
\??\c:\9lxflrf.exec:\9lxflrf.exe118⤵PID:868
-
\??\c:\dpjpp.exec:\dpjpp.exe119⤵PID:772
-
\??\c:\8646468.exec:\8646468.exe120⤵PID:2988
-
\??\c:\tnhthn.exec:\tnhthn.exe121⤵PID:1604
-
\??\c:\xlfxrlr.exec:\xlfxrlr.exe122⤵PID:2156