Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 07:04

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: f70165bd20574786f3ec6bc53cbb503e5fb3015a89dafd05592913b55b240a82.exe
Resource: win7-20241023-en (windows7-x64), 7 signatures, 150 seconds
General
Target: f70165bd20574786f3ec6bc53cbb503e5fb3015a89dafd05592913b55b240a82.exe
Size: 455KB
MD5: 0c29db0183e54122832b7c4c5ed874d9
SHA1: 5c7086f2aac8c12a47809cded31bf27943a735b1
SHA256: f70165bd20574786f3ec6bc53cbb503e5fb3015a89dafd05592913b55b240a82
SHA512: 5b9407bb99383c30e725a52be81f5a0b93a86089158f34b0938e237383e3568b99f22470dd166c58d1e639b09d150806de6c4eacec7a20b30de382e1ee43048c
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTY:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (44 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (nesting depth. image path | command line | PID | triggered signatures)
1. C:\Users\Admin\AppData\Local\Temp\f70165bd20574786f3ec6bc53cbb503e5fb3015a89dafd05592913b55b240a82.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\f70165bd20574786f3ec6bc53cbb503e5fb3015a89dafd05592913b55b240a82.exe" | PID:1956 | Suspicious use of WriteProcessMemory
2. \??\c:\64228.exe | cmd: c:\64228.exe | PID:1616 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\7nbbhh.exe | cmd: c:\7nbbhh.exe | PID:1796 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\7jppp.exe | cmd: c:\7jppp.exe | PID:1264 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\tthntt.exe | cmd: c:\tthntt.exe | PID:2988 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\3frxlff.exe | cmd: c:\3frxlff.exe | PID:2832 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\c422846.exe | cmd: c:\c422846.exe | PID:2964 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\0860602.exe | cmd: c:\0860602.exe | PID:2700 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\26228.exe | cmd: c:\26228.exe | PID:2980 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\202866.exe | cmd: c:\202866.exe | PID:2828 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\dpdjv.exe | cmd: c:\dpdjv.exe | PID:2696 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\806288.exe | cmd: c:\806288.exe | PID:2768 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13. \??\c:\u200224.exe | cmd: c:\u200224.exe | PID:2500 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\3jvdp.exe | cmd: c:\3jvdp.exe | PID:844 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\rrfflfr.exe | cmd: c:\rrfflfr.exe | PID:1384 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\608066.exe | cmd: c:\608066.exe | PID:2908 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\u640622.exe | cmd: c:\u640622.exe | PID:1584 | Executes dropped EXE
18. \??\c:\m2224.exe | cmd: c:\m2224.exe | PID:620 | Executes dropped EXE
19. \??\c:\k68462.exe | cmd: c:\k68462.exe | PID:2560 | Executes dropped EXE
20. \??\c:\4248042.exe | cmd: c:\4248042.exe | PID:2088 | Executes dropped EXE; System Location Discovery: System Language Discovery
21. \??\c:\ddvvd.exe | cmd: c:\ddvvd.exe | PID:1800 | Executes dropped EXE
22. \??\c:\080026.exe | cmd: c:\080026.exe | PID:1520 | Executes dropped EXE
23. \??\c:\hthnnt.exe | cmd: c:\hthnnt.exe | PID:764 | Executes dropped EXE
24. \??\c:\vpppd.exe | cmd: c:\vpppd.exe | PID:2068 | Executes dropped EXE; System Location Discovery: System Language Discovery
25. \??\c:\lxlfrrf.exe | cmd: c:\lxlfrrf.exe | PID:1944 | Executes dropped EXE
26. \??\c:\thbhnt.exe | cmd: c:\thbhnt.exe | PID:2136 | Executes dropped EXE
27. \??\c:\260022.exe | cmd: c:\260022.exe | PID:1688 | Executes dropped EXE
28. \??\c:\fxxxlrl.exe | cmd: c:\fxxxlrl.exe | PID:1988 | Executes dropped EXE
29. \??\c:\hbnbht.exe | cmd: c:\hbnbht.exe | PID:1764 | Executes dropped EXE; System Location Discovery: System Language Discovery
30. \??\c:\1fxrxfr.exe | cmd: c:\1fxrxfr.exe | PID:2160 | Executes dropped EXE
31. \??\c:\1hbnbb.exe | cmd: c:\1hbnbb.exe | PID:2196 | Executes dropped EXE
32. \??\c:\pjvjp.exe | cmd: c:\pjvjp.exe | PID:2640 | Executes dropped EXE
33. \??\c:\28680.exe | cmd: c:\28680.exe | PID:1732 | Executes dropped EXE; System Location Discovery: System Language Discovery
34. \??\c:\7rllllr.exe | cmd: c:\7rllllr.exe | PID:1500 | Executes dropped EXE
35. \??\c:\fxxxfff.exe | cmd: c:\fxxxfff.exe | PID:2440 | Executes dropped EXE
36. \??\c:\3vjdj.exe | cmd: c:\3vjdj.exe | PID:1956 | Executes dropped EXE
37. \??\c:\82002.exe | cmd: c:\82002.exe | PID:1568 | Executes dropped EXE; System Location Discovery: System Language Discovery
38. \??\c:\6022408.exe | cmd: c:\6022408.exe | PID:1712 | Executes dropped EXE
39. \??\c:\42884.exe | cmd: c:\42884.exe | PID:1796 | Executes dropped EXE
40. \??\c:\424062.exe | cmd: c:\424062.exe | PID:2124 | Executes dropped EXE; System Location Discovery: System Language Discovery
41. \??\c:\m2066.exe | cmd: c:\m2066.exe | PID:2472 | Executes dropped EXE
42. \??\c:\4244440.exe | cmd: c:\4244440.exe | PID:2096 | Executes dropped EXE; System Location Discovery: System Language Discovery
43. \??\c:\08044.exe | cmd: c:\08044.exe | PID:2956 | Executes dropped EXE
44. \??\c:\7vpvv.exe | cmd: c:\7vpvv.exe | PID:2852 | Executes dropped EXE
45. \??\c:\646622.exe | cmd: c:\646622.exe | PID:2880 | Executes dropped EXE
46. \??\c:\rlrrfxx.exe | cmd: c:\rlrrfxx.exe | PID:2960 | Executes dropped EXE
47. \??\c:\k80626.exe | cmd: c:\k80626.exe | PID:2748 | Executes dropped EXE
48. \??\c:\3lxlfxx.exe | cmd: c:\3lxlfxx.exe | PID:2688 | Executes dropped EXE
49. \??\c:\1jpjj.exe | cmd: c:\1jpjj.exe | PID:2768 | Executes dropped EXE; System Location Discovery: System Language Discovery
50. \??\c:\lrlfrfx.exe | cmd: c:\lrlfrfx.exe | PID:2540 | Executes dropped EXE
51. \??\c:\208884.exe | cmd: c:\208884.exe | PID:2864 | Executes dropped EXE
52. \??\c:\8684440.exe | cmd: c:\8684440.exe | PID:844 | Executes dropped EXE; System Location Discovery: System Language Discovery
53. \??\c:\64224.exe | cmd: c:\64224.exe | PID:2744 | Executes dropped EXE
54. \??\c:\48084.exe | cmd: c:\48084.exe | PID:3008 | Executes dropped EXE
55. \??\c:\042288.exe | cmd: c:\042288.exe | PID:1708 | Executes dropped EXE
56. \??\c:\4844400.exe | cmd: c:\4844400.exe | PID:1248 | Executes dropped EXE
57. \??\c:\46840.exe | cmd: c:\46840.exe | PID:2512 | Executes dropped EXE
58. \??\c:\9hnhnt.exe | cmd: c:\9hnhnt.exe | PID:2568 | Executes dropped EXE
59. \??\c:\1vjjj.exe | cmd: c:\1vjjj.exe | PID:2088 | Executes dropped EXE; System Location Discovery: System Language Discovery
60. \??\c:\0204040.exe | cmd: c:\0204040.exe | PID:2156 | Executes dropped EXE
61. \??\c:\606228.exe | cmd: c:\606228.exe | PID:3024 | Executes dropped EXE
62. \??\c:\1bbttn.exe | cmd: c:\1bbttn.exe | PID:2652 | Executes dropped EXE; System Location Discovery: System Language Discovery
63. \??\c:\468804.exe | cmd: c:\468804.exe | PID:764 | Executes dropped EXE
64. \??\c:\tthbnt.exe | cmd: c:\tthbnt.exe | PID:2552 | Executes dropped EXE
65. \??\c:\9bhhnh.exe | cmd: c:\9bhhnh.exe | PID:1328 | Executes dropped EXE
66. \??\c:\08068.exe | cmd: c:\08068.exe | PID:1032
67. \??\c:\9rxrlll.exe | cmd: c:\9rxrlll.exe | PID:1000
68. \??\c:\htthhh.exe | cmd: c:\htthhh.exe | PID:1096
69. \??\c:\60628.exe | cmd: c:\60628.exe | PID:1988
70. \??\c:\tnbbbh.exe | cmd: c:\tnbbbh.exe | PID:1480
71. \??\c:\jdppp.exe | cmd: c:\jdppp.exe | PID:2220
72. \??\c:\s4244.exe | cmd: c:\s4244.exe | PID:2380
73. \??\c:\2040624.exe | cmd: c:\2040624.exe | PID:1620 | System Location Discovery: System Language Discovery
74. \??\c:\7htttt.exe | cmd: c:\7htttt.exe | PID:1716
75. \??\c:\3lxfllr.exe | cmd: c:\3lxfllr.exe | PID:2276
76. \??\c:\26440.exe | cmd: c:\26440.exe | PID:1752
77. \??\c:\pdvpv.exe | cmd: c:\pdvpv.exe | PID:2648
78. \??\c:\vpdjp.exe | cmd: c:\vpdjp.exe | PID:2120
79. \??\c:\ttbntt.exe | cmd: c:\ttbntt.exe | PID:1588
80. \??\c:\862288.exe | cmd: c:\862288.exe | PID:568
81. \??\c:\w20022.exe | cmd: c:\w20022.exe | PID:2192
82. \??\c:\htbhhb.exe | cmd: c:\htbhhb.exe | PID:2124
83. \??\c:\42662.exe | cmd: c:\42662.exe | PID:1952
84. \??\c:\lllxfxl.exe | cmd: c:\lllxfxl.exe | PID:2836
85. \??\c:\s4228.exe | cmd: c:\s4228.exe | PID:2532
86. \??\c:\frxxfrr.exe | cmd: c:\frxxfrr.exe | PID:2796
87. \??\c:\2028484.exe | cmd: c:\2028484.exe | PID:3020
88. \??\c:\bnnnnh.exe | cmd: c:\bnnnnh.exe | PID:2856 | System Location Discovery: System Language Discovery
89. \??\c:\a2068.exe | cmd: c:\a2068.exe | PID:1948
90. \??\c:\e80488.exe | cmd: c:\e80488.exe | PID:2756
91. \??\c:\s6800.exe | cmd: c:\s6800.exe | PID:2436
92. \??\c:\bthhnn.exe | cmd: c:\bthhnn.exe | PID:1812
93. \??\c:\5bbbhh.exe | cmd: c:\5bbbhh.exe | PID:1396
94. \??\c:\6466262.exe | cmd: c:\6466262.exe | PID:2904
95. \??\c:\42224.exe | cmd: c:\42224.exe | PID:2884
96. \??\c:\q02222.exe | cmd: c:\q02222.exe | PID:2916
97. \??\c:\7tbbhb.exe | cmd: c:\7tbbhb.exe | PID:1376
98. \??\c:\1htttb.exe | cmd: c:\1htttb.exe | PID:2536
99. \??\c:\0888880.exe | cmd: c:\0888880.exe | PID:1248
100. \??\c:\xrrrrxf.exe | cmd: c:\xrrrrxf.exe | PID:3048
101. \??\c:\5pdpd.exe | cmd: c:\5pdpd.exe | PID:2680
102. \??\c:\62680.exe | cmd: c:\62680.exe | PID:2384
103. \??\c:\802288.exe | cmd: c:\802288.exe | PID:1192
104. \??\c:\862222.exe | cmd: c:\862222.exe | PID:1104
105. \??\c:\462666.exe | cmd: c:\462666.exe | PID:1852
106. \??\c:\9djvd.exe | cmd: c:\9djvd.exe | PID:2672
107. \??\c:\htbttn.exe | cmd: c:\htbttn.exe | PID:820
108. \??\c:\5thntn.exe | cmd: c:\5thntn.exe | PID:1328
109. \??\c:\042804.exe | cmd: c:\042804.exe | PID:2136 | System Location Discovery: System Language Discovery
110. \??\c:\fxlrlrf.exe | cmd: c:\fxlrlrf.exe | PID:848
111. \??\c:\6862880.exe | cmd: c:\6862880.exe | PID:1048
112. \??\c:\42488.exe | cmd: c:\42488.exe | PID:1344
113. \??\c:\6800600.exe | cmd: c:\6800600.exe | PID:956
114. \??\c:\ntnntn.exe | cmd: c:\ntnntn.exe | PID:1652
115. \??\c:\64668.exe | cmd: c:\64668.exe | PID:1632
116. \??\c:\20880.exe | cmd: c:\20880.exe | PID:1940 | System Location Discovery: System Language Discovery
117. \??\c:\hbnnnn.exe | cmd: c:\hbnnnn.exe | PID:2248
118. \??\c:\3jpvp.exe | cmd: c:\3jpvp.exe | PID:888
119. \??\c:\pdjdd.exe | cmd: c:\pdjdd.exe | PID:1980
120. \??\c:\42846.exe | cmd: c:\42846.exe | PID:1768
121. \??\c:\lxfflrf.exe | cmd: c:\lxfflrf.exe | PID:1536
122. \??\c:\0884662.exe | cmd: c:\0884662.exe | PID:1264