Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted
19-12-2024 04:11
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe
-
Size
454KB
-
MD5
0cb6ac7063d2ee3b0575c197b2327714
-
SHA1
6bff88c1e230c4a431d339ca22bf965fac68b02a
-
SHA256
ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad
-
SHA512
4b55c3ca372cf3df300db4417bbdc14ad70c604e156e31ff476d8bb87043043ca276f0a66c49a9cdd75dfbaff6a9d2aebc54589a3d47040a4fc70b24ce72fde3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 53 IoCs (YARA rule `family_blackmoon` matched on process memory dumps, not on the file on disk; the same 0x400000–0x42A000 image range recurs across nearly every PID in the chain)
resource yara_rule behavioral1/memory/1484-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-25-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1828-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/788-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-266-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1720-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-622-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2788-596-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2788-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/588-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/960-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-465-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2752-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-276-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/840-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-224-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1944-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-152-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2456-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-105-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2768-100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2312-731-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1552-743-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1508-764-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/708-1052-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-1148-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2352-1193-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2456-1206-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2652-1220-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2652-1218-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1344-1229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1344-1228-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1928-1236-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing is capped at 64 entries; the process tree below shows well over 100 dropped executables, all written to the root of `c:\` with generated names)
pid Process 1512 0866802.exe 2520 dpdjp.exe 1828 s8000.exe 2568 8404420.exe 2888 bhhbbh.exe 788 a4624.exe 2952 820028.exe 2380 8206280.exe 2868 9pddj.exe 2768 6066268.exe 2456 xrlllrl.exe 1948 488428.exe 1440 2646880.exe 1928 nhtbhn.exe 2368 424062.exe 1208 pjjpp.exe 2228 24228.exe 2276 1lfxrrr.exe 2656 42442.exe 2148 686688.exe 1636 pjvdp.exe 1940 bttttt.exe 1944 80228.exe 1040 xxrxflx.exe 2876 6422042.exe 2584 424402.exe 888 xrflllx.exe 840 fxrxrrx.exe 2124 5dpvd.exe 2560 08066.exe 1668 hbhntn.exe 2540 86224.exe 2044 8628406.exe 2404 jvpvd.exe 1720 ttbhtb.exe 2008 8644662.exe 2172 rflrrrx.exe 2104 w86240.exe 2900 i646802.exe 2888 3jvjv.exe 788 806682.exe 2932 k82862.exe 2944 fxlrxfl.exe 2704 3fffxrr.exe 2864 pjvvd.exe 1588 pjdjd.exe 2756 rlrrfxr.exe 3064 2688440.exe 2508 bthnhn.exe 2752 hbtthh.exe 2116 60844.exe 2368 o822824.exe 2588 nbbhbn.exe 1208 ddjvv.exe 2188 u240006.exe 2112 vjppp.exe 2312 2222846.exe 2656 rrxxfff.exe 2148 42846.exe 960 7tbbht.exe 380 8684880.exe 1780 btnnnt.exe 912 u200602.exe 1556 i640620.exe -
resource yara_rule behavioral1/memory/1484-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-25-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1828-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-63-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1928-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-630-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2352-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-794-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1604-870-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1636-1005-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-1012-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/960-1019-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-1052-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1112-1089-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2512-1114-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/1272-1127-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/2916-1148-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2352-1193-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2456-1206-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1344-1229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-1226-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2204-1249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-1268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-1317-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs (listing capped at 64)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Every IoC here is an open of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`; the report records only that the key was opened, not what the sample does with the value, so whether the check gates execution (e.g. locale-based avoidance) cannot be concluded from this page. Many entries are attributed to "Process not Found", most likely because the reading process had already exited by the time the event was resolved.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4848826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frflffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e80426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8628.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (listing capped at 64). Each stage writes into the memory of the child it has just spawned (1484 → 1512, 1512 → 2520, 2520 → 1828, …), and each write is logged four times; this is consistent with every stage injecting its payload into the next, although the written contents are not shown. The `procid_target` column appears to be the sandbox's own process index, not the child's OS PID.
description pid Process procid_target PID 1484 wrote to memory of 1512 1484 ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe 31 PID 1484 wrote to memory of 1512 1484 ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe 31 PID 1484 wrote to memory of 1512 1484 ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe 31 PID 1484 wrote to memory of 1512 1484 ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe 31 PID 1512 wrote to memory of 2520 1512 0866802.exe 32 PID 1512 wrote to memory of 2520 1512 0866802.exe 32 PID 1512 wrote to memory of 2520 1512 0866802.exe 32 PID 1512 wrote to memory of 2520 1512 0866802.exe 32 PID 2520 wrote to memory of 1828 2520 dpdjp.exe 33 PID 2520 wrote to memory of 1828 2520 dpdjp.exe 33 PID 2520 wrote to memory of 1828 2520 dpdjp.exe 33 PID 2520 wrote to memory of 1828 2520 dpdjp.exe 33 PID 1828 wrote to memory of 2568 1828 s8000.exe 34 PID 1828 wrote to memory of 2568 1828 s8000.exe 34 PID 1828 wrote to memory of 2568 1828 s8000.exe 34 PID 1828 wrote to memory of 2568 1828 s8000.exe 34 PID 2568 wrote to memory of 2888 2568 8404420.exe 70 PID 2568 wrote to memory of 2888 2568 8404420.exe 70 PID 2568 wrote to memory of 2888 2568 8404420.exe 70 PID 2568 wrote to memory of 2888 2568 8404420.exe 70 PID 2888 wrote to memory of 788 2888 bhhbbh.exe 71 PID 2888 wrote to memory of 788 2888 bhhbbh.exe 71 PID 2888 wrote to memory of 788 2888 bhhbbh.exe 71 PID 2888 wrote to memory of 788 2888 bhhbbh.exe 71 PID 788 wrote to memory of 2952 788 a4624.exe 37 PID 788 wrote to memory of 2952 788 a4624.exe 37 PID 788 wrote to memory of 2952 788 a4624.exe 37 PID 788 wrote to memory of 2952 788 a4624.exe 37 PID 2952 wrote to memory of 2380 2952 820028.exe 38 PID 2952 wrote to memory of 2380 2952 820028.exe 38 PID 2952 wrote to memory of 2380 2952 820028.exe 38 PID 2952 wrote to memory of 2380 2952 820028.exe 38 PID 2380 wrote to memory of 2868 2380 8206280.exe 39 PID 2380 wrote to memory of 
2868 2380 8206280.exe 39 PID 2380 wrote to memory of 2868 2380 8206280.exe 39 PID 2380 wrote to memory of 2868 2380 8206280.exe 39 PID 2868 wrote to memory of 2768 2868 9pddj.exe 40 PID 2868 wrote to memory of 2768 2868 9pddj.exe 40 PID 2868 wrote to memory of 2768 2868 9pddj.exe 40 PID 2868 wrote to memory of 2768 2868 9pddj.exe 40 PID 2768 wrote to memory of 2456 2768 6066268.exe 41 PID 2768 wrote to memory of 2456 2768 6066268.exe 41 PID 2768 wrote to memory of 2456 2768 6066268.exe 41 PID 2768 wrote to memory of 2456 2768 6066268.exe 41 PID 2456 wrote to memory of 1948 2456 xrlllrl.exe 42 PID 2456 wrote to memory of 1948 2456 xrlllrl.exe 42 PID 2456 wrote to memory of 1948 2456 xrlllrl.exe 42 PID 2456 wrote to memory of 1948 2456 xrlllrl.exe 42 PID 1948 wrote to memory of 1440 1948 488428.exe 43 PID 1948 wrote to memory of 1440 1948 488428.exe 43 PID 1948 wrote to memory of 1440 1948 488428.exe 43 PID 1948 wrote to memory of 1440 1948 488428.exe 43 PID 1440 wrote to memory of 1928 1440 2646880.exe 123 PID 1440 wrote to memory of 1928 1440 2646880.exe 123 PID 1440 wrote to memory of 1928 1440 2646880.exe 123 PID 1440 wrote to memory of 1928 1440 2646880.exe 123 PID 1928 wrote to memory of 2368 1928 nhtbhn.exe 82 PID 1928 wrote to memory of 2368 1928 nhtbhn.exe 82 PID 1928 wrote to memory of 2368 1928 nhtbhn.exe 82 PID 1928 wrote to memory of 2368 1928 nhtbhn.exe 82 PID 2368 wrote to memory of 1208 2368 424062.exe 127 PID 2368 wrote to memory of 1208 2368 424062.exe 127 PID 2368 wrote to memory of 1208 2368 424062.exe 127 PID 2368 wrote to memory of 1208 2368 424062.exe 127
Processes (tree view). Note that PIDs such as 2888, 788, 2368, 1208, 1440 and 1928 appear more than once because earlier stages exited and Windows reused the PID; when correlating the memory-dump IoCs above with a process, use PID together with its position in the chain, not PID alone.
-
C:\Users\Admin\AppData\Local\Temp\ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe"C:\Users\Admin\AppData\Local\Temp\ce746a88b7e639d49fa666314de7774206dc24dca8dfc88eeb12868dcc0e34ad.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\0866802.exec:\0866802.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\dpdjp.exec:\dpdjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\s8000.exec:\s8000.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\8404420.exec:\8404420.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\bhhbbh.exec:\bhhbbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\a4624.exec:\a4624.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
\??\c:\820028.exec:\820028.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\8206280.exec:\8206280.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\9pddj.exec:\9pddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\6066268.exec:\6066268.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\xrlllrl.exec:\xrlllrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\488428.exec:\488428.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\2646880.exec:\2646880.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\nhtbhn.exec:\nhtbhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\424062.exec:\424062.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\pjjpp.exec:\pjjpp.exe17⤵
- Executes dropped EXE
PID:1208 -
\??\c:\24228.exec:\24228.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2228 -
\??\c:\1lfxrrr.exec:\1lfxrrr.exe19⤵
- Executes dropped EXE
PID:2276 -
\??\c:\42442.exec:\42442.exe20⤵
- Executes dropped EXE
PID:2656 -
\??\c:\686688.exec:\686688.exe21⤵
- Executes dropped EXE
PID:2148 -
\??\c:\pjvdp.exec:\pjvdp.exe22⤵
- Executes dropped EXE
PID:1636 -
\??\c:\bttttt.exec:\bttttt.exe23⤵
- Executes dropped EXE
PID:1940 -
\??\c:\80228.exec:\80228.exe24⤵
- Executes dropped EXE
PID:1944 -
\??\c:\xxrxflx.exec:\xxrxflx.exe25⤵
- Executes dropped EXE
PID:1040 -
\??\c:\6422042.exec:\6422042.exe26⤵
- Executes dropped EXE
PID:2876 -
\??\c:\424402.exec:\424402.exe27⤵
- Executes dropped EXE
PID:2584 -
\??\c:\xrflllx.exec:\xrflllx.exe28⤵
- Executes dropped EXE
PID:888 -
\??\c:\fxrxrrx.exec:\fxrxrrx.exe29⤵
- Executes dropped EXE
PID:840 -
\??\c:\5dpvd.exec:\5dpvd.exe30⤵
- Executes dropped EXE
PID:2124 -
\??\c:\08066.exec:\08066.exe31⤵
- Executes dropped EXE
PID:2560 -
\??\c:\hbhntn.exec:\hbhntn.exe32⤵
- Executes dropped EXE
PID:1668 -
\??\c:\86224.exec:\86224.exe33⤵
- Executes dropped EXE
PID:2540 -
\??\c:\8628406.exec:\8628406.exe34⤵
- Executes dropped EXE
PID:2044 -
\??\c:\jvpvd.exec:\jvpvd.exe35⤵
- Executes dropped EXE
PID:2404 -
\??\c:\ttbhtb.exec:\ttbhtb.exe36⤵
- Executes dropped EXE
PID:1720 -
\??\c:\8644662.exec:\8644662.exe37⤵
- Executes dropped EXE
PID:2008 -
\??\c:\rflrrrx.exec:\rflrrrx.exe38⤵
- Executes dropped EXE
PID:2172 -
\??\c:\w86240.exec:\w86240.exe39⤵
- Executes dropped EXE
PID:2104 -
\??\c:\i646802.exec:\i646802.exe40⤵
- Executes dropped EXE
PID:2900 -
\??\c:\3jvjv.exec:\3jvjv.exe41⤵
- Executes dropped EXE
PID:2888 -
\??\c:\806682.exec:\806682.exe42⤵
- Executes dropped EXE
PID:788 -
\??\c:\k82862.exec:\k82862.exe43⤵
- Executes dropped EXE
PID:2932 -
\??\c:\fxlrxfl.exec:\fxlrxfl.exe44⤵
- Executes dropped EXE
PID:2944 -
\??\c:\3fffxrr.exec:\3fffxrr.exe45⤵
- Executes dropped EXE
PID:2704 -
\??\c:\pjvvd.exec:\pjvvd.exe46⤵
- Executes dropped EXE
PID:2864 -
\??\c:\pjdjd.exec:\pjdjd.exe47⤵
- Executes dropped EXE
PID:1588 -
\??\c:\rlrrfxr.exec:\rlrrfxr.exe48⤵
- Executes dropped EXE
PID:2756 -
\??\c:\2688440.exec:\2688440.exe49⤵
- Executes dropped EXE
PID:3064 -
\??\c:\bthnhn.exec:\bthnhn.exe50⤵
- Executes dropped EXE
PID:2508 -
\??\c:\hbtthh.exec:\hbtthh.exe51⤵
- Executes dropped EXE
PID:2752 -
\??\c:\60844.exec:\60844.exe52⤵
- Executes dropped EXE
PID:2116 -
\??\c:\o822824.exec:\o822824.exe53⤵
- Executes dropped EXE
PID:2368 -
\??\c:\nbbhbn.exec:\nbbhbn.exe54⤵
- Executes dropped EXE
PID:2588 -
\??\c:\ddjvv.exec:\ddjvv.exe55⤵
- Executes dropped EXE
PID:1208 -
\??\c:\u240006.exec:\u240006.exe56⤵
- Executes dropped EXE
PID:2188 -
\??\c:\vjppp.exec:\vjppp.exe57⤵
- Executes dropped EXE
PID:2112 -
\??\c:\2222846.exec:\2222846.exe58⤵
- Executes dropped EXE
PID:2312 -
\??\c:\rrxxfff.exec:\rrxxfff.exe59⤵
- Executes dropped EXE
PID:2656 -
\??\c:\42846.exec:\42846.exe60⤵
- Executes dropped EXE
PID:2148 -
\??\c:\7tbbht.exec:\7tbbht.exe61⤵
- Executes dropped EXE
PID:960 -
\??\c:\8684880.exec:\8684880.exe62⤵
- Executes dropped EXE
PID:380 -
\??\c:\btnnnt.exec:\btnnnt.exe63⤵
- Executes dropped EXE
PID:1780 -
\??\c:\u200602.exec:\u200602.exe64⤵
- Executes dropped EXE
PID:912 -
\??\c:\i640620.exec:\i640620.exe65⤵
- Executes dropped EXE
PID:1556 -
\??\c:\w20066.exec:\w20066.exe66⤵PID:1360
-
\??\c:\42002.exec:\42002.exe67⤵PID:1640
-
\??\c:\48686.exec:\48686.exe68⤵PID:1864
-
\??\c:\1tbhnh.exec:\1tbhnh.exe69⤵PID:1692
-
\??\c:\e64028.exec:\e64028.exe70⤵PID:1068
-
\??\c:\jdvdp.exec:\jdvdp.exe71⤵PID:2620
-
\??\c:\i228002.exec:\i228002.exe72⤵PID:2212
-
\??\c:\268804.exec:\268804.exe73⤵PID:1648
-
\??\c:\tnbhtt.exec:\tnbhtt.exe74⤵PID:588
-
\??\c:\xxrrflx.exec:\xxrrflx.exe75⤵PID:2596
-
\??\c:\6424668.exec:\6424668.exe76⤵PID:1608
-
\??\c:\btnthn.exec:\btnthn.exe77⤵PID:1028
-
\??\c:\frlrfrf.exec:\frlrfrf.exe78⤵PID:1908
-
\??\c:\xlxrrrl.exec:\xlxrrrl.exe79⤵PID:2152
-
\??\c:\86064.exec:\86064.exe80⤵PID:2788
-
\??\c:\28640.exec:\28640.exe81⤵PID:2920
-
\??\c:\1jjpd.exec:\1jjpd.exe82⤵PID:2844
-
\??\c:\vvppv.exec:\vvppv.exe83⤵PID:2728
-
\??\c:\86402.exec:\86402.exe84⤵PID:2348
-
\??\c:\0466846.exec:\0466846.exe85⤵PID:2716
-
\??\c:\hbtbbh.exec:\hbtbbh.exe86⤵PID:2832
-
\??\c:\86840.exec:\86840.exe87⤵PID:2816
-
\??\c:\rlrffrl.exec:\rlrffrl.exe88⤵PID:2352
-
\??\c:\nhbbnt.exec:\nhbbnt.exe89⤵PID:2336
-
\??\c:\hnhtbt.exec:\hnhtbt.exe90⤵PID:2456
-
\??\c:\8604002.exec:\8604002.exe91⤵PID:3056
-
\??\c:\llfllrx.exec:\llfllrx.exe92⤵PID:1440
-
\??\c:\7tnbbn.exec:\7tnbbn.exe93⤵PID:3016
-
\??\c:\o028422.exec:\o028422.exe94⤵PID:1928
-
\??\c:\bbhhnt.exec:\bbhhnt.exe95⤵PID:1436
-
\??\c:\btbbhh.exec:\btbbhh.exe96⤵PID:2368
-
\??\c:\8262842.exec:\8262842.exe97⤵PID:2204
-
\??\c:\3fxfrrx.exec:\3fxfrrx.exe98⤵PID:1208
-
\??\c:\tnnnhh.exec:\tnnnhh.exe99⤵PID:908
-
\??\c:\66408.exec:\66408.exe100⤵PID:1020
-
\??\c:\008462.exec:\008462.exe101⤵PID:2312
-
\??\c:\08066.exec:\08066.exe102⤵PID:444
-
\??\c:\bthnhb.exec:\bthnhb.exe103⤵PID:1552
-
\??\c:\9xrxllx.exec:\9xrxllx.exe104⤵
- System Location Discovery: System Language Discovery
PID:2580 -
\??\c:\6480228.exec:\6480228.exe105⤵PID:380
-
\??\c:\jvvjj.exec:\jvvjj.exe106⤵PID:1508
-
\??\c:\5hhbhh.exec:\5hhbhh.exe107⤵PID:2460
-
\??\c:\e60244.exec:\e60244.exe108⤵PID:2240
-
\??\c:\860404.exec:\860404.exe109⤵PID:1548
-
\??\c:\c466888.exec:\c466888.exe110⤵PID:888
-
\??\c:\7pvdd.exec:\7pvdd.exe111⤵PID:1956
-
\??\c:\86826.exec:\86826.exe112⤵PID:1692
-
\??\c:\4802824.exec:\4802824.exe113⤵PID:1068
-
\??\c:\8604040.exec:\8604040.exe114⤵PID:884
-
\??\c:\jjppj.exec:\jjppj.exe115⤵PID:1852
-
\??\c:\9tntnt.exec:\9tntnt.exe116⤵PID:1160
-
\??\c:\3flrrrf.exec:\3flrrrf.exe117⤵PID:2416
-
\??\c:\w66806.exec:\w66806.exe118⤵PID:2392
-
\??\c:\0244006.exec:\0244006.exe119⤵PID:1988
-
\??\c:\pjvdj.exec:\pjvdj.exe120⤵PID:1604
-
\??\c:\lfrrrxf.exec:\lfrrrxf.exe121⤵PID:2520
-
\??\c:\80402.exec:\80402.exe122⤵PID:2248
-