Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 05:10

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe
Resource: win7-20240708-en (windows7-x64), 7 signatures, 150 seconds
General
Target: dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe
Size: 456KB
MD5: b09bdea933a38c902713063913c8ac65
SHA1: e348867186116fb2b0aa38a2bc07670b662cf7cd
SHA256: dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7
SHA512: 5a051f3cb8973885999eab3ebf6a09ff49f3d0d39cabb446e3fe4bea441a6094c0fbc6a8e3e6bbb8f5b1ac5d95dcf3089d691090a1e36aedf39d79181678100c
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRJ:q7Tc2NYHUrAwfMp3CDRJ
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (48 IoCs)
YARA rule family_blackmoon matched the following memory dumps (dump names have the form behavioral1/memory/<pid>-<seq>-<start>-<end>-memory.dmp; addresses are shortened here by dropping the leading zeros, and every flagged region is 0x2A000 bytes long).
Image mapping 0x400000-0x42A000, dumps: 1380-0, 1896-17, 3020-27, 2680-30, 2796-51, 2124-48, 2888-77, 2648-88, 2936-85, 2644-104, 320-107, 2836-125, 2352-142, 2776-145, 340-164, 1648-184, 2992-174, 1604-219, 2568-237, 596-256, 2368-264, 644-268, 1652-284, 2372-299, 2736-386, 2292-401, 1072-415, 1752-474, 1252-500, 2852-521, 2916-592, 2712-657, 2712-664, 1564-856 (34 dumps).
Other mappings of the same length (14 dumps): 2680-37 0x220000-0x24A000, 2888-75 0x220000-0x24A000, 2648-95 0x3C0000-0x3EA000, 2836-131 0x220000-0x24A000, 2776-153 0x220000-0x24A000, 2992-168 0x2C0000-0x2EA000, 2776-186 0x220000-0x24A000, 2760-363 0x430000-0x45A000, 2292-400 0x3A0000-0x3CA000, 1908-419 0x320000-0x34A000, 1724-538 0x1B0000-0x1DA000, 2624-650 0x230000-0x25A000, 2892-921 0x220000-0x24A000, 2872-959 0x220000-0x24A000.
Executes dropped EXE (64 IoCs)
PID and process, in launch order: 1896 tnhbhb.exe, 3020 o868000.exe, 2680 688006.exe, 2124 lrlfxxf.exe, 2796 fxlflfl.exe, 2708 26468.exe, 2888 828682.exe, 2936 rflrrxx.exe, 2648 9rxrrlf.exe, 2644 lfrxrxl.exe, 320 44842.exe, 580 84206.exe, 2836 004022.exe, 2352 vppvd.exe, 2776 s6880.exe, 340 pdpvj.exe, 2992 lrffxxx.exe, 1648 tnbbhh.exe, 2940 jvvpp.exe, 2064 bhttbb.exe, 1036 g0420.exe, 1604 dddpj.exe, 804 48280.exe, 2568 jdvvd.exe, 1420 c040886.exe, 596 nnbbtb.exe, 2368 e62468.exe, 644 nnhnhn.exe, 1360 6868068.exe, 1652 2066802.exe, 2372 jdjpv.exe, 1564 nnhbnn.exe, 2224 pvvvd.exe, 328 a2642.exe, 1864 2046886.exe, 380 frfxxrr.exe, 2744 e02280.exe, 2808 022482.exe, 2756 448602.exe, 2608 jvpdv.exe, 2760 pvvjp.exe, 2892 082840.exe, 2712 5bthbb.exe, 2736 bntbnn.exe, 2720 tnthhn.exe, 2292 djjvp.exe, 2504 0088064.exe, 1072 260206.exe, 1908 882420.exe, 1600 1hbnhn.exe, 2128 20842.exe, 2776 e26628.exe, 1640 pdvjj.exe, 1536 082482.exe, 680 xfrxlrl.exe, 2944 vjdvv.exe, 1752 bhhtnt.exe, 2956 llfrfxl.exe, 2444 8400288.exe, 1036 6008242.exe, 1252 48242.exe, 968 4480242.exe, 3048 0268624.exe, 2852 82400.exe.
This list stops at exactly 64 entries while the process tree below continues with further dropped executables, so it is truncated, not complete.
YARA rule upx
Matched memory dumps (same naming and shortened addresses as above; every region is 0x2A000 bytes long).
Image mapping 0x400000-0x42A000, dumps: 1380-0, 1896-8, 1896-17, 3020-27, 2680-30, 2124-40, 2796-51, 2124-48, 2888-77, 2648-88, 2936-85, 2644-104, 320-107, 2836-125, 2352-142, 2776-145, 340-164, 1648-184, 1648-177, 2992-174, 1604-219, 2568-237, 596-256, 2368-264, 644-268, 1652-284, 2372-299, 2736-386, 2292-401, 1072-415, 1752-474, 1252-500, 968-501, 3048-508, 2852-521, 3024-541, 1684-560, 2916-592, 2740-617, 2808-624, 2712-657, 2712-664, 1816-732, 664-757, 1688-783, 1564-856, 2576-875, 2792-907, 2872-952, 1936-978, 1876-991, 644-1082, 1584-1107.
Other mapping: 2812-914 0x2B0000-0x2DA000.
The upx and family_blackmoon rules hit the image mapping of the same dumps (for example 1380-0, 1896-17, 3020-27), so the packer signature and the family signature were found in the same in-memory image of each process in the chain.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001).
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Attributed to (one record each): pvddv.exe, 8000466.exe, djpdv.exe, 484880.exe, lrrfxfx.exe, 482024.exe, 1xlfxlf.exe, fxlflfl.exe, 648422.exe, ntthth.exe, 6868068.exe, 22004.exe, jdvdp.exe, ntnbtb.exe, 448062.exe, 0824620.exe, 2026400.exe, jjvvj.exe, 24842.exe, pppjd.exe, 02866.exe. The remaining records of the 64 are attributed to "Process not Found", i.e. the sandbox could not resolve the opening process for them.
Caveat for detection engineering: this indicator is a registry key open, a read. Sysmon registry events (IDs 12, 13 and 14) cover key create/delete, value set and rename, not reads, so this behaviour shows up in API-level traces such as this report and not in typical endpoint registry telemetry.
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent wrote to its child's memory four times, so the 64 records collapse to 16 parent -> child edges; these are the first 16 links of the chain in the Processes section below. Format: parent PID (image) -> child PID, procid_target.
1380 (dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe) -> 1896, 30
1896 (tnhbhb.exe) -> 3020, 31
3020 (o868000.exe) -> 2680, 32
2680 (688006.exe) -> 2124, 33
2124 (lrlfxxf.exe) -> 2796, 34
2796 (fxlflfl.exe) -> 2708, 35
2708 (26468.exe) -> 2888, 36
2888 (828682.exe) -> 2936, 37
2936 (rflrrxx.exe) -> 2648, 38
2648 (9rxrrlf.exe) -> 2644, 39
2644 (lfrxrxl.exe) -> 320, 40
320 (44842.exe) -> 580, 41
580 (84206.exe) -> 2836, 42
2836 (004022.exe) -> 2352, 43
2352 (vppvd.exe) -> 2776, 44
2776 (s6880.exe) -> 340, 45
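The flattened signature records in this report (memory-dump YARA hits, the repeated WriteProcessMemory records and the NLS\Language key opens) are easier to correlate once parsed. The following Python is an added example written for this page; it is not the sandbox vendor's code and not part of the report. The regular expressions assume only the three record shapes visible above, and the SAMPLE_* strings are short excerpts copied from the report, not invented data.

```python
"""Parse the flattened signature records of the sandbox report above.

Added example (not the sandbox's own code). It assumes only the three record
shapes visible on the page:
  behavioral1/memory/<pid>-<seq>-<start>-<end>-memory.dmp <rule>
  PID <parent> wrote to memory of <child> <parent> <image> <target_id>
  Key opened <registry path> <image | Process not Found>
The SAMPLE_* strings are excerpts copied from the report, not invented data.
"""
import re
from collections import Counter

MEM_RE = re.compile(
    r"behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)
# The parent PID appears twice in each record; the backreference enforces that.
WPM_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<image>\S+) (?P<target>\d+)"
)
KEY_RE = re.compile(r"Key opened (?P<key>\\\S+) (?P<proc>Process not Found|\S+\.exe)")

SAMPLE_MEM = (
    "behavioral1/memory/1380-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon "
    "behavioral1/memory/2680-37-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon "
    "behavioral1/memory/1896-8-0x0000000000400000-0x000000000042A000-memory.dmp upx"
)
SAMPLE_WPM = (
    "PID 1380 wrote to memory of 1896 1380 dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe 30 "
    "PID 1380 wrote to memory of 1896 1380 dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe 30 "
    "PID 1896 wrote to memory of 3020 1896 tnhbhb.exe 31 "
    "PID 3020 wrote to memory of 2680 3020 o868000.exe 32"
)
SAMPLE_KEY = (
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddv.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found"
)


def parse_memory_hits(text):
    """Return one dict per dump hit, with the region size computed from start/end."""
    hits = []
    for m in MEM_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "rule": m["rule"],
                     "start": start, "size": end - start})
    return hits


def image_base_pids(hits, rule):
    """PIDs whose main image mapping (base 0x400000) matched the given rule."""
    return sorted({h["pid"] for h in hits if h["rule"] == rule and h["start"] == 0x400000})


def parse_write_chain(text):
    """Collapse repeated WriteProcessMemory records into one parent->child edge each, in order."""
    edges, seen = [], set()
    for m in WPM_RE.finditer(text):
        edge = (int(m["parent"]), m["image"], int(m["child"]), int(m["target"]))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def chain_is_linear(edges):
    """True when every child is the parent of the next edge: a single straight chain."""
    return all(edges[i][2] == edges[i + 1][0] for i in range(len(edges) - 1))


def key_open_attribution(text):
    """Count which process names opened the key; 'Process not Found' is the unattributed bucket."""
    return Counter(m["proc"] for m in KEY_RE.finditer(text))


if __name__ == "__main__":
    hits = parse_memory_hits(SAMPLE_MEM)
    print({h["size"] for h in hits})                  # every flagged region is 0x2A000 bytes
    print(image_base_pids(hits, "family_blackmoon"))  # [1380]
    edges = parse_write_chain(SAMPLE_WPM)
    print(edges, chain_is_linear(edges))
    print(key_open_attribution(SAMPLE_KEY))
```

Feeding the full record text of each signature into these functions reproduces the grouped views above: every region size comes out as 0x2A000, the 64 WriteProcessMemory records reduce to 16 edges that form one linear chain, and the Counter shows how many key opens could not be attributed to a running process.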
Processes
The sandbox recorded a single chain: each process below is the child of the one above it (depth in the first column). Every dropped binary is written to the drive root and launched with a bare command line (NT path \??\c:\<name>.exe, command line c:\<name>.exe); only the root sample runs from C:\Users\Admin\AppData\Local\Temp. Signatures column: DE = Executes dropped EXE, WPM = Suspicious use of WriteProcessMemory, SLD = System Location Discovery: System Language Discovery.

depth  image  PID  signatures
1  C:\Users\Admin\AppData\Local\Temp\dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe  1380  WPM
2  tnhbhb.exe  1896  DE, WPM
3  o868000.exe  3020  DE, WPM
4  688006.exe  2680  DE, WPM
5  lrlfxxf.exe  2124  DE, WPM
6  fxlflfl.exe  2796  DE, SLD, WPM
7  26468.exe  2708  DE, WPM
8  828682.exe  2888  DE, WPM
9  rflrrxx.exe  2936  DE, WPM
10  9rxrrlf.exe  2648  DE, WPM
11  lfrxrxl.exe  2644  DE, WPM
12  44842.exe  320  DE, WPM
13  84206.exe  580  DE, WPM
14  004022.exe  2836  DE, WPM
15  vppvd.exe  2352  DE, WPM
16  s6880.exe  2776  DE, WPM
17  pdpvj.exe  340  DE
18  lrffxxx.exe  2992  DE
19  tnbbhh.exe  1648  DE
20  jvvpp.exe  2940  DE
21  bhttbb.exe  2064  DE
22  g0420.exe  1036  DE
23  dddpj.exe  1604  DE
24  48280.exe  804  DE
25  jdvvd.exe  2568  DE
26  c040886.exe  1420  DE
27  nnbbtb.exe  596  DE
28  e62468.exe  2368  DE
29  nnhnhn.exe  644  DE
30  6868068.exe  1360  DE, SLD
31  2066802.exe  1652  DE
32  jdjpv.exe  2372  DE
33  nnhbnn.exe  1564  DE
34  pvvvd.exe  2224  DE
35  a2642.exe  328  DE
36  2046886.exe  1864  DE
37  frfxxrr.exe  380  DE
38  e02280.exe  2744  DE
39  022482.exe  2808  DE
40  448602.exe  2756  DE
41  jvpdv.exe  2608  DE
42  pvvjp.exe  2760  DE
43  082840.exe  2892  DE
44  5bthbb.exe  2712  DE
45  bntbnn.exe  2736  DE
46  tnthhn.exe  2720  DE
47  djjvp.exe  2292  DE
48  0088064.exe  2504  DE
49  260206.exe  1072  DE
50  882420.exe  1908  DE
51  1hbnhn.exe  1600  DE
52  20842.exe  2128  DE
53  e26628.exe  2776  DE
54  pdvjj.exe  1640  DE
55  082482.exe  1536  DE
56  xfrxlrl.exe  680  DE
57  vjdvv.exe  2944  DE
58  bhhtnt.exe  1752  DE
59  llfrfxl.exe  2956  DE
60  8400288.exe  2444  DE
61  6008242.exe  1036  DE
62  48242.exe  1252  DE
63  4480242.exe  968  DE
64  0268624.exe  3048  DE
65  82400.exe  2852  DE
66  fflxxrx.exe  1532
67  bththn.exe  3000
68  66440.exe  1724
69  486862.exe  3024
70  u444686.exe  1492
71  hhbnht.exe  2416
72  w44684.exe  1684
73  ttnbnt.exe  896
74  rlflllf.exe  2016
75  00242.exe  1592
76  e00062.exe  2108
77  482484.exe  2916
78  4446882.exe  2684
79  06862.exe  1864
80  g0464.exe  2188
81  82024.exe  2740
82  k20202.exe  2808
83  bbnbnt.exe  2756
84  q04684.exe  2608
85  vvvpd.exe  2624
86  48020.exe  2936
87  ntnbtb.exe  2712  SLD
88  fllxlxr.exe  2620
89  26402.exe  2908
90  lllffrl.exe  2220
91  q88820.exe  688
92  rxxxlfx.exe  2688
93  tbthbn.exe  1616
94  622046.exe  2784
95  dpdvd.exe  1520
96  lrrfxfx.exe  2828  SLD
97  m6468.exe  2160
98  1dvjp.exe  1640
99  408008.exe  1816
100  i608620.exe  1408
101  hhnhbh.exe  2324
102  pppdj.exe  1752
103  ttnnbb.exe  664
104  882428.exe  2444
105  42882.exe  2484
106  00000.exe  2696
107  i420482.exe  1688
108  pjpjj.exe  872
109  rrrfrxl.exe  2852
110  ddvdj.exe  1780
111  2464482.exe  704
112  002862.exe  1396
113  062482.exe  1744
114  xxlxrfr.exe  1628
115  g2242.exe  2088
116  80224.exe  2544
117  8006880.exe  2372
118  vdvdd.exe  1564
119  5thhbn.exe  1960
120  086000.exe  3020
121  bbbbnh.exe  2452
122  3llrfrf.exe  2576

Two things to keep in mind when correlating this tree with the IoC lists above. First, PIDs are reused: the same PID appears at more than one depth (for example 2776 at depths 16 and 53, 1036 at 22 and 61, 2712 at 44 and 87, 3020 at 3 and 120), so the earlier holder of each PID had already exited and a PID alone is not a stable key for joining the signature records to this tree; the dump names pair the PID with a sequence number for that reason. Second, the listing ends at depth 122, but memory IoCs with higher sequence numbers (such as 644-1082 and 1584-1107) and the NLS\Language records for pvddv.exe, 8000466.exe and others refer to processes past this point, so the chain continued beyond what this page shows.