Analysis
-
max time kernel
50s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 08:22
Behavioral task
behavioral1
Sample
1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe
-
Size
345KB
-
MD5
c0c039dfa8493e272642c82a1b233e70
-
SHA1
387c4921bd5463561b1b0bc3cc84edd85e7710f9
-
SHA256
1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310
-
SHA512
13afd2af4d8a843d5446444ae16b9e0e92571ea32cc382f0d8522d7ccd47470d07320ce5623ebf3a244a6d984bb2949309b0c7dc7718dc809ed85cc9f9f9ec0a
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYA8:R4wFHoS3WXZshJX2VGd8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2172-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2364-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2360-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2596-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2452-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2840-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2344-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2344-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2028-377-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/1504-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1940-389-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2836-365-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2824-343-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2340-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2840-321-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2572-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2568-268-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2564-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1628-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1540-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/632-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/632-211-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1672-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2304-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1216-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2352-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2352-135-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1648-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2764-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2764-103-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2956-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2904-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1776-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1368-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2484-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-482-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2880-493-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2532-525-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2500-533-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon 
behavioral1/memory/2992-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2888-569-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1600-640-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2588-797-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2592-1027-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2620-1054-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2620-1070-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2364 64280.exe 2596 64606.exe 2360 7tnttb.exe 1776 u460602.exe 2452 48446.exe 2904 lxllxff.exe 2840 084840.exe 2940 60224.exe 2956 20840.exe 2824 o248408.exe 2688 jjvdv.exe 2764 5rxxxxl.exe 1648 9vpjv.exe 1692 2028444.exe 2344 86880.exe 2352 48000.exe 1216 5vdpp.exe 2120 hbtbhn.exe 1576 nhtnbb.exe 1972 5jjdj.exe 2996 i468880.exe 2304 jvjpv.exe 2252 9lfxxxx.exe 2328 8622622.exe 1672 s6840.exe 632 tbnbbt.exe 1860 hbtbbh.exe 548 8606886.exe 1540 i244606.exe 1628 8026822.exe 2480 3rfllfl.exe 2672 3rlxfrf.exe 2564 268440.exe 2568 xrxrxrx.exe 776 tnbhnh.exe 2572 5ttthb.exe 2172 2088440.exe 2364 9xrxrrl.exe 1660 3rfrxxf.exe 1604 bnnntb.exe 2360 9nbnnt.exe 2780 xfrlffl.exe 2968 080660.exe 2840 s0840.exe 2908 42488.exe 2936 rrxfxlx.exe 2916 0466224.exe 2824 bhnntn.exe 1752 pdppv.exe 2708 nhbnbh.exe 2896 rfllrxf.exe 2836 7xlrxxr.exe 2344 42684.exe 2028 vpdvv.exe 1504 2406600.exe 1940 dpvdp.exe 2748 g8628.exe 2340 8244606.exe 1368 2044628.exe 2980 82066.exe 2788 tnnttt.exe 1048 084848.exe 2432 420006.exe 2964 8686828.exe -
resource yara_rule behavioral1/memory/2172-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000c000000012280-7.dat upx behavioral1/memory/2364-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2172-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2364-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016b47-27.dat upx behavioral1/memory/2360-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2596-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016c66-35.dat upx behavioral1/memory/2452-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2840-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000017497-77.dat upx behavioral1/memory/2688-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2344-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018744-156.dat upx behavioral1/files/0x000500000001878e-163.dat upx behavioral1/files/0x0006000000018c16-185.dat upx behavioral1/files/0x0005000000019250-199.dat upx behavioral1/files/0x0005000000019246-193.dat upx behavioral1/files/0x0005000000019269-208.dat upx behavioral1/files/0x000500000001933f-246.dat upx behavioral1/memory/2344-369-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1504-382-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2340-398-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2572-282-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2564-260-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019360-254.dat upx behavioral1/memory/1628-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00090000000164b1-239.dat upx 
behavioral1/memory/1540-233-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019297-231.dat upx behavioral1/files/0x0005000000019284-224.dat upx behavioral1/files/0x0005000000019278-217.dat upx behavioral1/memory/632-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1672-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2252-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2304-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018b4e-177.dat upx behavioral1/files/0x00050000000187a8-170.dat upx behavioral1/files/0x0005000000018739-149.dat upx behavioral1/memory/1216-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186f4-132.dat upx behavioral1/files/0x0005000000018704-141.dat upx behavioral1/memory/2352-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2352-135-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x00050000000186f1-124.dat upx behavioral1/files/0x00050000000186ed-117.dat upx behavioral1/memory/1648-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186e7-109.dat upx behavioral1/memory/2764-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018686-100.dat upx behavioral1/files/0x000600000001755b-92.dat upx behavioral1/files/0x000600000001749c-85.dat upx behavioral1/memory/2956-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2940-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000017049-68.dat upx behavioral1/files/0x0007000000016cf5-60.dat upx behavioral1/memory/2904-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016cd7-52.dat upx behavioral1/files/0x0007000000016c88-44.dat upx 
behavioral1/memory/1776-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016875-18.dat upx behavioral1/memory/1368-405-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2980-416-0x0000000000220000-0x0000000000247000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u460602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u202028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6462228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o244444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o688486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k82240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4806884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4806406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q08404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82222.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2364 2172 1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe 30 PID 2172 wrote to memory of 2364 2172 1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe 30 PID 2172 wrote to memory of 2364 2172 1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe 30 PID 2172 wrote to memory of 2364 2172 1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe 30 PID 2364 wrote to memory of 2596 2364 64280.exe 31 PID 2364 wrote to memory of 2596 2364 64280.exe 31 PID 2364 wrote to memory of 2596 2364 64280.exe 31 PID 2364 wrote to memory of 2596 2364 64280.exe 31 PID 2596 wrote to memory of 2360 2596 64606.exe 70 PID 2596 wrote to memory of 2360 2596 64606.exe 70 PID 2596 wrote to memory of 2360 2596 64606.exe 70 PID 2596 wrote to memory of 2360 2596 64606.exe 70 PID 2360 wrote to memory of 1776 2360 7tnttb.exe 33 PID 2360 wrote to memory of 1776 2360 7tnttb.exe 33 PID 2360 wrote to memory of 1776 2360 7tnttb.exe 33 PID 2360 wrote to memory of 1776 2360 7tnttb.exe 33 PID 1776 wrote to memory of 2452 1776 u460602.exe 34 PID 1776 wrote to memory of 2452 1776 u460602.exe 34 PID 1776 wrote to memory of 2452 1776 u460602.exe 34 PID 1776 wrote to memory of 2452 1776 u460602.exe 34 PID 2452 wrote to memory of 2904 2452 48446.exe 35 PID 2452 wrote to memory of 2904 2452 48446.exe 35 PID 2452 wrote to memory of 2904 2452 48446.exe 35 PID 2452 wrote to memory of 2904 2452 48446.exe 35 PID 2904 wrote to memory of 2840 2904 lxllxff.exe 36 PID 2904 wrote to memory of 2840 2904 lxllxff.exe 36 PID 2904 wrote to memory of 2840 2904 lxllxff.exe 36 PID 2904 wrote to memory of 2840 2904 lxllxff.exe 36 PID 2840 wrote to memory of 2940 2840 084840.exe 37 PID 2840 wrote to memory of 2940 2840 084840.exe 37 PID 2840 wrote to memory of 2940 2840 084840.exe 37 PID 2840 wrote to memory of 2940 2840 084840.exe 37 PID 2940 wrote to memory of 2956 2940 60224.exe 38 PID 2940 wrote 
to memory of 2956 2940 60224.exe 38 PID 2940 wrote to memory of 2956 2940 60224.exe 38 PID 2940 wrote to memory of 2956 2940 60224.exe 38 PID 2956 wrote to memory of 2824 2956 20840.exe 39 PID 2956 wrote to memory of 2824 2956 20840.exe 39 PID 2956 wrote to memory of 2824 2956 20840.exe 39 PID 2956 wrote to memory of 2824 2956 20840.exe 39 PID 2824 wrote to memory of 2688 2824 o248408.exe 40 PID 2824 wrote to memory of 2688 2824 o248408.exe 40 PID 2824 wrote to memory of 2688 2824 o248408.exe 40 PID 2824 wrote to memory of 2688 2824 o248408.exe 40 PID 2688 wrote to memory of 2764 2688 jjvdv.exe 41 PID 2688 wrote to memory of 2764 2688 jjvdv.exe 41 PID 2688 wrote to memory of 2764 2688 jjvdv.exe 41 PID 2688 wrote to memory of 2764 2688 jjvdv.exe 41 PID 2764 wrote to memory of 1648 2764 5rxxxxl.exe 42 PID 2764 wrote to memory of 1648 2764 5rxxxxl.exe 42 PID 2764 wrote to memory of 1648 2764 5rxxxxl.exe 42 PID 2764 wrote to memory of 1648 2764 5rxxxxl.exe 42 PID 1648 wrote to memory of 1692 1648 9vpjv.exe 43 PID 1648 wrote to memory of 1692 1648 9vpjv.exe 43 PID 1648 wrote to memory of 1692 1648 9vpjv.exe 43 PID 1648 wrote to memory of 1692 1648 9vpjv.exe 43 PID 1692 wrote to memory of 2344 1692 2028444.exe 44 PID 1692 wrote to memory of 2344 1692 2028444.exe 44 PID 1692 wrote to memory of 2344 1692 2028444.exe 44 PID 1692 wrote to memory of 2344 1692 2028444.exe 44 PID 2344 wrote to memory of 2352 2344 86880.exe 45 PID 2344 wrote to memory of 2352 2344 86880.exe 45 PID 2344 wrote to memory of 2352 2344 86880.exe 45 PID 2344 wrote to memory of 2352 2344 86880.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe"C:\Users\Admin\AppData\Local\Temp\1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\64280.exec:\64280.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\64606.exec:\64606.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\7tnttb.exec:\7tnttb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\u460602.exec:\u460602.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\48446.exec:\48446.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\lxllxff.exec:\lxllxff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\084840.exec:\084840.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\60224.exec:\60224.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\20840.exec:\20840.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\o248408.exec:\o248408.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\jjvdv.exec:\jjvdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\5rxxxxl.exec:\5rxxxxl.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\9vpjv.exec:\9vpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\2028444.exec:\2028444.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\86880.exec:\86880.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\48000.exec:\48000.exe17⤵
- Executes dropped EXE
PID:2352 -
\??\c:\5vdpp.exec:\5vdpp.exe18⤵
- Executes dropped EXE
PID:1216 -
\??\c:\hbtbhn.exec:\hbtbhn.exe19⤵
- Executes dropped EXE
PID:2120 -
\??\c:\nhtnbb.exec:\nhtnbb.exe20⤵
- Executes dropped EXE
PID:1576 -
\??\c:\5jjdj.exec:\5jjdj.exe21⤵
- Executes dropped EXE
PID:1972 -
\??\c:\i468880.exec:\i468880.exe22⤵
- Executes dropped EXE
PID:2996 -
\??\c:\jvjpv.exec:\jvjpv.exe23⤵
- Executes dropped EXE
PID:2304 -
\??\c:\9lfxxxx.exec:\9lfxxxx.exe24⤵
- Executes dropped EXE
PID:2252 -
\??\c:\8622622.exec:\8622622.exe25⤵
- Executes dropped EXE
PID:2328 -
\??\c:\s6840.exec:\s6840.exe26⤵
- Executes dropped EXE
PID:1672 -
\??\c:\tbnbbt.exec:\tbnbbt.exe27⤵
- Executes dropped EXE
PID:632 -
\??\c:\hbtbbh.exec:\hbtbbh.exe28⤵
- Executes dropped EXE
PID:1860 -
\??\c:\8606886.exec:\8606886.exe29⤵
- Executes dropped EXE
PID:548 -
\??\c:\i244606.exec:\i244606.exe30⤵
- Executes dropped EXE
PID:1540 -
\??\c:\8026822.exec:\8026822.exe31⤵
- Executes dropped EXE
PID:1628 -
\??\c:\3rfllfl.exec:\3rfllfl.exe32⤵
- Executes dropped EXE
PID:2480 -
\??\c:\3rlxfrf.exec:\3rlxfrf.exe33⤵
- Executes dropped EXE
PID:2672 -
\??\c:\268440.exec:\268440.exe34⤵
- Executes dropped EXE
PID:2564 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe35⤵
- Executes dropped EXE
PID:2568 -
\??\c:\tnbhnh.exec:\tnbhnh.exe36⤵
- Executes dropped EXE
PID:776 -
\??\c:\5ttthb.exec:\5ttthb.exe37⤵
- Executes dropped EXE
PID:2572 -
\??\c:\2088440.exec:\2088440.exe38⤵
- Executes dropped EXE
PID:2172 -
\??\c:\9xrxrrl.exec:\9xrxrrl.exe39⤵
- Executes dropped EXE
PID:2364 -
\??\c:\3rfrxxf.exec:\3rfrxxf.exe40⤵
- Executes dropped EXE
PID:1660 -
\??\c:\bnnntb.exec:\bnnntb.exe41⤵
- Executes dropped EXE
PID:1604 -
\??\c:\9nbnnt.exec:\9nbnnt.exe42⤵
- Executes dropped EXE
PID:2360 -
\??\c:\xfrlffl.exec:\xfrlffl.exe43⤵
- Executes dropped EXE
PID:2780 -
\??\c:\080660.exec:\080660.exe44⤵
- Executes dropped EXE
PID:2968 -
\??\c:\s0840.exec:\s0840.exe45⤵
- Executes dropped EXE
PID:2840 -
\??\c:\42488.exec:\42488.exe46⤵
- Executes dropped EXE
PID:2908 -
\??\c:\rrxfxlx.exec:\rrxfxlx.exe47⤵
- Executes dropped EXE
PID:2936 -
\??\c:\0466224.exec:\0466224.exe48⤵
- Executes dropped EXE
PID:2916 -
\??\c:\bhnntn.exec:\bhnntn.exe49⤵
- Executes dropped EXE
PID:2824 -
\??\c:\pdppv.exec:\pdppv.exe50⤵
- Executes dropped EXE
PID:1752 -
\??\c:\nhbnbh.exec:\nhbnbh.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2708 -
\??\c:\rfllrxf.exec:\rfllrxf.exe52⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7xlrxxr.exec:\7xlrxxr.exe53⤵
- Executes dropped EXE
PID:2836 -
\??\c:\42684.exec:\42684.exe54⤵
- Executes dropped EXE
PID:2344 -
\??\c:\vpdvv.exec:\vpdvv.exe55⤵
- Executes dropped EXE
PID:2028 -
\??\c:\2406600.exec:\2406600.exe56⤵
- Executes dropped EXE
PID:1504 -
\??\c:\dpvdp.exec:\dpvdp.exe57⤵
- Executes dropped EXE
PID:1940 -
\??\c:\g8628.exec:\g8628.exe58⤵
- Executes dropped EXE
PID:2748 -
\??\c:\8244606.exec:\8244606.exe59⤵
- Executes dropped EXE
PID:2340 -
\??\c:\2044628.exec:\2044628.exe60⤵
- Executes dropped EXE
PID:1368 -
\??\c:\82066.exec:\82066.exe61⤵
- Executes dropped EXE
PID:2980 -
\??\c:\tnnttt.exec:\tnnttt.exe62⤵
- Executes dropped EXE
PID:2788 -
\??\c:\084848.exec:\084848.exe63⤵
- Executes dropped EXE
PID:1048 -
\??\c:\420006.exec:\420006.exe64⤵
- Executes dropped EXE
PID:2432 -
\??\c:\8686828.exec:\8686828.exe65⤵
- Executes dropped EXE
PID:2964 -
\??\c:\004606.exec:\004606.exe66⤵PID:1100
-
\??\c:\frllxff.exec:\frllxff.exe67⤵PID:1480
-
\??\c:\k20060.exec:\k20060.exe68⤵PID:2800
-
\??\c:\q02484.exec:\q02484.exe69⤵PID:2484
-
\??\c:\820066.exec:\820066.exe70⤵PID:2524
-
\??\c:\thbbhh.exec:\thbbhh.exe71⤵PID:1288
-
\??\c:\820068.exec:\820068.exe72⤵PID:964
-
\??\c:\608824.exec:\608824.exe73⤵PID:2740
-
\??\c:\08400.exec:\08400.exe74⤵PID:2216
-
\??\c:\thnbht.exec:\thnbht.exe75⤵PID:2880
-
\??\c:\4200666.exec:\4200666.exe76⤵PID:1112
-
\??\c:\pdvpv.exec:\pdvpv.exe77⤵PID:296
-
\??\c:\4806406.exec:\4806406.exe78⤵
- System Location Discovery: System Language Discovery
PID:316 -
\??\c:\e24882.exec:\e24882.exe79⤵PID:1168
-
\??\c:\628268.exec:\628268.exe80⤵PID:576
-
\??\c:\5dpdj.exec:\5dpdj.exe81⤵PID:2532
-
\??\c:\s8062.exec:\s8062.exe82⤵PID:2380
-
\??\c:\60846.exec:\60846.exe83⤵PID:2500
-
\??\c:\a5vdd.exec:\a5vdd.exe84⤵PID:2780
-
\??\c:\hthntb.exec:\hthntb.exe85⤵PID:2368
-
\??\c:\7btnht.exec:\7btnht.exe86⤵PID:2992
-
\??\c:\hthtbh.exec:\hthtbh.exe87⤵PID:2908
-
\??\c:\jppvp.exec:\jppvp.exe88⤵PID:2376
-
\??\c:\jjvvd.exec:\jjvvd.exe89⤵PID:2888
-
\??\c:\7rrrxfr.exec:\7rrrxfr.exe90⤵PID:2796
-
\??\c:\5ntttt.exec:\5ntttt.exe91⤵PID:2812
-
\??\c:\24628.exec:\24628.exe92⤵PID:2848
-
\??\c:\0000066.exec:\0000066.exe93⤵PID:3020
-
\??\c:\1flrxxx.exec:\1flrxxx.exe94⤵PID:1868
-
\??\c:\a2620.exec:\a2620.exe95⤵PID:1032
-
\??\c:\60068.exec:\60068.exe96⤵PID:2684
-
\??\c:\vpvdv.exec:\vpvdv.exe97⤵PID:2072
-
\??\c:\208844.exec:\208844.exe98⤵PID:2764
-
\??\c:\frffrrx.exec:\frffrrx.exe99⤵PID:2884
-
\??\c:\dddvj.exec:\dddvj.exe100⤵PID:2464
-
\??\c:\xxlrxlr.exec:\xxlrxlr.exe101⤵PID:992
-
\??\c:\hbntnb.exec:\hbntnb.exe102⤵PID:1924
-
\??\c:\5jjvd.exec:\5jjvd.exe103⤵PID:1728
-
\??\c:\9lfllrx.exec:\9lfllrx.exe104⤵PID:1600
-
\??\c:\0806662.exec:\0806662.exe105⤵PID:1344
-
\??\c:\206440.exec:\206440.exe106⤵PID:2804
-
\??\c:\jvjjp.exec:\jvjjp.exe107⤵PID:2748
-
\??\c:\q08288.exec:\q08288.exe108⤵PID:1576
-
\??\c:\i686222.exec:\i686222.exe109⤵PID:2776
-
\??\c:\jdvpv.exec:\jdvpv.exe110⤵PID:3016
-
\??\c:\s2606.exec:\s2606.exe111⤵PID:2980
-
\??\c:\7jvpd.exec:\7jvpd.exe112⤵PID:2104
-
\??\c:\082666.exec:\082666.exe113⤵PID:2204
-
\??\c:\7hbhnn.exec:\7hbhnn.exe114⤵PID:2212
-
\??\c:\xfrrrrx.exec:\xfrrrrx.exe115⤵PID:2320
-
\??\c:\vpdvv.exec:\vpdvv.exe116⤵PID:2732
-
\??\c:\bthnnb.exec:\bthnnb.exe117⤵PID:1268
-
\??\c:\20842.exec:\20842.exe118⤵PID:924
-
\??\c:\4602880.exec:\4602880.exe119⤵PID:1540
-
\??\c:\08624.exec:\08624.exe120⤵PID:2480
-
\??\c:\m2064.exec:\m2064.exe121⤵PID:1292
-
\??\c:\fxllrrx.exec:\fxllrrx.exe122⤵PID:572