Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 · arch:x86 · image:win7-20241010-en · locale:en-us · os:windows7-x64 · system -
submitted
19-12-2024 20:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe
-
Size
454KB
-
MD5
28fd9cab2ad43b3b36292ca16fe31c30
-
SHA1
95dcdfe85964a971d2ada07c5e28bc51c7693880
-
SHA256
9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6
-
SHA512
a5e128521ec0735ba1640969e7977ab3330d97109acebee4d86cf40922f8ac3cc28dccf36e97d4db536247e5fa45e87c8193a5d51720e14ea81fc8956cfeee97
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 60 IoCs (memory-dump YARA matches; note that PIDs are reused within the 120 s run — e.g. 2492, 2008 and 1920 each belong to two different dropped executables in the process tree below — so correlate a dump with a process by PID plus dump index, not by PID alone)
resource yara_rule behavioral1/memory/3068-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-82-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1512-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-103-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2008-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/952-188-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1260-210-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1260-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1308-216-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/352-225-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1548-235-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1792-249-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1792-246-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2448-268-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1504-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-325-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2792-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-386-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2712-384-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2104-393-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2008-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-445-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1644-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-457-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1932-497-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/484-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-531-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2060-538-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2472-545-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2920-586-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1576-600-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2752-649-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2656-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-651-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/1036-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-669-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1084-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-745-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1260-762-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1000-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-827-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1504-835-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2176 2000042.exe 2616 28086.exe 536 60846.exe 2488 486200.exe 2864 66008.exe 2648 pppdd.exe 2900 480682.exe 2492 pppvj.exe 2696 862084.exe 1512 3hhtth.exe 272 448024.exe 2008 jdvjp.exe 2964 7nbnnt.exe 2088 9vvjv.exe 2012 088462.exe 1780 444028.exe 2988 2268624.exe 2416 44808.exe 1920 88286.exe 952 lxllflx.exe 2624 vdjpd.exe 1260 84006.exe 1308 xrrfrxl.exe 352 048466.exe 1548 04806.exe 1792 s6624.exe 1956 1xxxfxx.exe 2448 k02866.exe 1940 bnbhbb.exe 1504 6264000.exe 2200 dvvpv.exe 2376 xrxfxlx.exe 1732 864080.exe 1608 xrfrxxl.exe 1576 nnnhbb.exe 2144 7tnthn.exe 2792 5fxlrxl.exe 2460 vpjpp.exe 2788 k20228.exe 2896 hbntbb.exe 1752 2640602.exe 2492 424622.exe 1872 486628.exe 2712 5xxxllx.exe 2104 llxlfrr.exe 2384 26468.exe 1264 dpdvj.exe 2008 28640.exe 1616 002844.exe 2016 i480402.exe 1976 g2064.exe 3000 648024.exe 1644 fllrfll.exe 2352 22244.exe 380 dvpdj.exe 1920 vjvvd.exe 2040 488028.exe 2272 5pjjv.exe 948 4484608.exe 760 e04062.exe 1932 5htbnh.exe 908 0866446.exe 484 vpdjp.exe 2532 0806408.exe -
resource yara_rule behavioral1/memory/3068-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-82-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1512-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2792-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-445-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1644-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-453-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/380-457-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/484-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/792-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-745-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1100-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1000-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-828-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location. Entries attributed to "Process not Found" are registry reads the sandbox could not map back to a live process, most likely because the short-lived dropped executables had already exited by the time the event was recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8268624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c866840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k02866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each entry is a parent writing into the child it has just spawned — 3068 → 2176 → 2616 → 536 → … — forming a strictly linear chain in which every dropped EXE launches the next; no write targets a process outside that chain, and the process tree below shows the chain reaching at least 122 levels before the 120 s limit)
description pid Process procid_target PID 3068 wrote to memory of 2176 3068 9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe 31 PID 3068 wrote to memory of 2176 3068 9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe 31 PID 3068 wrote to memory of 2176 3068 9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe 31 PID 3068 wrote to memory of 2176 3068 9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe 31 PID 2176 wrote to memory of 2616 2176 2000042.exe 32 PID 2176 wrote to memory of 2616 2176 2000042.exe 32 PID 2176 wrote to memory of 2616 2176 2000042.exe 32 PID 2176 wrote to memory of 2616 2176 2000042.exe 32 PID 2616 wrote to memory of 536 2616 28086.exe 33 PID 2616 wrote to memory of 536 2616 28086.exe 33 PID 2616 wrote to memory of 536 2616 28086.exe 33 PID 2616 wrote to memory of 536 2616 28086.exe 33 PID 536 wrote to memory of 2488 536 60846.exe 34 PID 536 wrote to memory of 2488 536 60846.exe 34 PID 536 wrote to memory of 2488 536 60846.exe 34 PID 536 wrote to memory of 2488 536 60846.exe 34 PID 2488 wrote to memory of 2864 2488 486200.exe 35 PID 2488 wrote to memory of 2864 2488 486200.exe 35 PID 2488 wrote to memory of 2864 2488 486200.exe 35 PID 2488 wrote to memory of 2864 2488 486200.exe 35 PID 2864 wrote to memory of 2648 2864 66008.exe 36 PID 2864 wrote to memory of 2648 2864 66008.exe 36 PID 2864 wrote to memory of 2648 2864 66008.exe 36 PID 2864 wrote to memory of 2648 2864 66008.exe 36 PID 2648 wrote to memory of 2900 2648 pppdd.exe 37 PID 2648 wrote to memory of 2900 2648 pppdd.exe 37 PID 2648 wrote to memory of 2900 2648 pppdd.exe 37 PID 2648 wrote to memory of 2900 2648 pppdd.exe 37 PID 2900 wrote to memory of 2492 2900 480682.exe 38 PID 2900 wrote to memory of 2492 2900 480682.exe 38 PID 2900 wrote to memory of 2492 2900 480682.exe 38 PID 2900 wrote to memory of 2492 2900 480682.exe 38 PID 2492 wrote to memory of 2696 2492 pppvj.exe 39 PID 2492 wrote to memory of 2696 
2492 pppvj.exe 39 PID 2492 wrote to memory of 2696 2492 pppvj.exe 39 PID 2492 wrote to memory of 2696 2492 pppvj.exe 39 PID 2696 wrote to memory of 1512 2696 862084.exe 40 PID 2696 wrote to memory of 1512 2696 862084.exe 40 PID 2696 wrote to memory of 1512 2696 862084.exe 40 PID 2696 wrote to memory of 1512 2696 862084.exe 40 PID 1512 wrote to memory of 272 1512 3hhtth.exe 41 PID 1512 wrote to memory of 272 1512 3hhtth.exe 41 PID 1512 wrote to memory of 272 1512 3hhtth.exe 41 PID 1512 wrote to memory of 272 1512 3hhtth.exe 41 PID 272 wrote to memory of 2008 272 448024.exe 42 PID 272 wrote to memory of 2008 272 448024.exe 42 PID 272 wrote to memory of 2008 272 448024.exe 42 PID 272 wrote to memory of 2008 272 448024.exe 42 PID 2008 wrote to memory of 2964 2008 jdvjp.exe 43 PID 2008 wrote to memory of 2964 2008 jdvjp.exe 43 PID 2008 wrote to memory of 2964 2008 jdvjp.exe 43 PID 2008 wrote to memory of 2964 2008 jdvjp.exe 43 PID 2964 wrote to memory of 2088 2964 7nbnnt.exe 44 PID 2964 wrote to memory of 2088 2964 7nbnnt.exe 44 PID 2964 wrote to memory of 2088 2964 7nbnnt.exe 44 PID 2964 wrote to memory of 2088 2964 7nbnnt.exe 44 PID 2088 wrote to memory of 2012 2088 9vvjv.exe 45 PID 2088 wrote to memory of 2012 2088 9vvjv.exe 45 PID 2088 wrote to memory of 2012 2088 9vvjv.exe 45 PID 2088 wrote to memory of 2012 2088 9vvjv.exe 45 PID 2012 wrote to memory of 1780 2012 088462.exe 46 PID 2012 wrote to memory of 1780 2012 088462.exe 46 PID 2012 wrote to memory of 1780 2012 088462.exe 46 PID 2012 wrote to memory of 1780 2012 088462.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe"C:\Users\Admin\AppData\Local\Temp\9f572c419b3df98412dc6fa92dfeb7e3c4f2565935c316fac7cf84b87c22bff6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\2000042.exec:\2000042.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\28086.exec:\28086.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\60846.exec:\60846.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\486200.exec:\486200.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\66008.exec:\66008.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\pppdd.exec:\pppdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\480682.exec:\480682.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\pppvj.exec:\pppvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\862084.exec:\862084.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\3hhtth.exec:\3hhtth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\448024.exec:\448024.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:272 -
\??\c:\jdvjp.exec:\jdvjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\7nbnnt.exec:\7nbnnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\9vvjv.exec:\9vvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\088462.exec:\088462.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\444028.exec:\444028.exe17⤵
- Executes dropped EXE
PID:1780 -
\??\c:\2268624.exec:\2268624.exe18⤵
- Executes dropped EXE
PID:2988 -
\??\c:\44808.exec:\44808.exe19⤵
- Executes dropped EXE
PID:2416 -
\??\c:\88286.exec:\88286.exe20⤵
- Executes dropped EXE
PID:1920 -
\??\c:\lxllflx.exec:\lxllflx.exe21⤵
- Executes dropped EXE
PID:952 -
\??\c:\vdjpd.exec:\vdjpd.exe22⤵
- Executes dropped EXE
PID:2624 -
\??\c:\84006.exec:\84006.exe23⤵
- Executes dropped EXE
PID:1260 -
\??\c:\xrrfrxl.exec:\xrrfrxl.exe24⤵
- Executes dropped EXE
PID:1308 -
\??\c:\048466.exec:\048466.exe25⤵
- Executes dropped EXE
PID:352 -
\??\c:\04806.exec:\04806.exe26⤵
- Executes dropped EXE
PID:1548 -
\??\c:\s6624.exec:\s6624.exe27⤵
- Executes dropped EXE
PID:1792 -
\??\c:\1xxxfxx.exec:\1xxxfxx.exe28⤵
- Executes dropped EXE
PID:1956 -
\??\c:\k02866.exec:\k02866.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2448 -
\??\c:\bnbhbb.exec:\bnbhbb.exe30⤵
- Executes dropped EXE
PID:1940 -
\??\c:\6264000.exec:\6264000.exe31⤵
- Executes dropped EXE
PID:1504 -
\??\c:\dvvpv.exec:\dvvpv.exe32⤵
- Executes dropped EXE
PID:2200 -
\??\c:\xrxfxlx.exec:\xrxfxlx.exe33⤵
- Executes dropped EXE
PID:2376 -
\??\c:\864080.exec:\864080.exe34⤵
- Executes dropped EXE
PID:1732 -
\??\c:\xrfrxxl.exec:\xrfrxxl.exe35⤵
- Executes dropped EXE
PID:1608 -
\??\c:\nnnhbb.exec:\nnnhbb.exe36⤵
- Executes dropped EXE
PID:1576 -
\??\c:\7tnthn.exec:\7tnthn.exe37⤵
- Executes dropped EXE
PID:2144 -
\??\c:\5fxlrxl.exec:\5fxlrxl.exe38⤵
- Executes dropped EXE
PID:2792 -
\??\c:\vpjpp.exec:\vpjpp.exe39⤵
- Executes dropped EXE
PID:2460 -
\??\c:\k20228.exec:\k20228.exe40⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hbntbb.exec:\hbntbb.exe41⤵
- Executes dropped EXE
PID:2896 -
\??\c:\2640602.exec:\2640602.exe42⤵
- Executes dropped EXE
PID:1752 -
\??\c:\424622.exec:\424622.exe43⤵
- Executes dropped EXE
PID:2492 -
\??\c:\486628.exec:\486628.exe44⤵
- Executes dropped EXE
PID:1872 -
\??\c:\5xxxllx.exec:\5xxxllx.exe45⤵
- Executes dropped EXE
PID:2712 -
\??\c:\llxlfrr.exec:\llxlfrr.exe46⤵
- Executes dropped EXE
PID:2104 -
\??\c:\26468.exec:\26468.exe47⤵
- Executes dropped EXE
PID:2384 -
\??\c:\dpdvj.exec:\dpdvj.exe48⤵
- Executes dropped EXE
PID:1264 -
\??\c:\28640.exec:\28640.exe49⤵
- Executes dropped EXE
PID:2008 -
\??\c:\002844.exec:\002844.exe50⤵
- Executes dropped EXE
PID:1616 -
\??\c:\i480402.exec:\i480402.exe51⤵
- Executes dropped EXE
PID:2016 -
\??\c:\g2064.exec:\g2064.exe52⤵
- Executes dropped EXE
PID:1976 -
\??\c:\648024.exec:\648024.exe53⤵
- Executes dropped EXE
PID:3000 -
\??\c:\fllrfll.exec:\fllrfll.exe54⤵
- Executes dropped EXE
PID:1644 -
\??\c:\22244.exec:\22244.exe55⤵
- Executes dropped EXE
PID:2352 -
\??\c:\dvpdj.exec:\dvpdj.exe56⤵
- Executes dropped EXE
PID:380 -
\??\c:\vjvvd.exec:\vjvvd.exe57⤵
- Executes dropped EXE
PID:1920 -
\??\c:\488028.exec:\488028.exe58⤵
- Executes dropped EXE
PID:2040 -
\??\c:\5pjjv.exec:\5pjjv.exe59⤵
- Executes dropped EXE
PID:2272 -
\??\c:\4484608.exec:\4484608.exe60⤵
- Executes dropped EXE
PID:948 -
\??\c:\e04062.exec:\e04062.exe61⤵
- Executes dropped EXE
PID:760 -
\??\c:\5htbnh.exec:\5htbnh.exe62⤵
- Executes dropped EXE
PID:1932 -
\??\c:\0866446.exec:\0866446.exe63⤵
- Executes dropped EXE
PID:908 -
\??\c:\vpdjp.exec:\vpdjp.exe64⤵
- Executes dropped EXE
PID:484 -
\??\c:\0806408.exec:\0806408.exe65⤵
- Executes dropped EXE
PID:2532 -
\??\c:\flxrllx.exec:\flxrllx.exe66⤵PID:2472
-
\??\c:\dppvd.exec:\dppvd.exe67⤵PID:2412
-
\??\c:\rrflxfr.exec:\rrflxfr.exe68⤵PID:2060
-
\??\c:\1xfllfl.exec:\1xfllfl.exe69⤵PID:572
-
\??\c:\7nhnnt.exec:\7nhnnt.exe70⤵PID:792
-
\??\c:\vvdpv.exec:\vvdpv.exe71⤵PID:1700
-
\??\c:\820200.exec:\820200.exe72⤵PID:2080
-
\??\c:\868422.exec:\868422.exe73⤵PID:2328
-
\??\c:\pjvdv.exec:\pjvdv.exe74⤵PID:2356
-
\??\c:\204644.exec:\204644.exe75⤵PID:1244
-
\??\c:\424404.exec:\424404.exe76⤵PID:2920
-
\??\c:\7pddd.exec:\7pddd.exe77⤵PID:1608
-
\??\c:\c402400.exec:\c402400.exe78⤵PID:1576
-
\??\c:\1vvdp.exec:\1vvdp.exe79⤵PID:2144
-
\??\c:\4444040.exec:\4444040.exe80⤵PID:2872
-
\??\c:\20620.exec:\20620.exe81⤵PID:2772
-
\??\c:\4266262.exec:\4266262.exe82⤵PID:2260
-
\??\c:\640022.exec:\640022.exe83⤵PID:2828
-
\??\c:\0828640.exec:\0828640.exe84⤵PID:2776
-
\??\c:\420062.exec:\420062.exe85⤵PID:2752
-
\??\c:\08006.exec:\08006.exe86⤵PID:2656
-
\??\c:\5rllxxf.exec:\5rllxxf.exe87⤵PID:1632
-
\??\c:\6640268.exec:\6640268.exe88⤵PID:1036
-
\??\c:\bbbnbn.exec:\bbbnbn.exe89⤵PID:2384
-
\??\c:\686000.exec:\686000.exe90⤵PID:2824
-
\??\c:\08842.exec:\08842.exe91⤵PID:2008
-
\??\c:\jjdvp.exec:\jjdvp.exe92⤵PID:1616
-
\??\c:\622046.exec:\622046.exe93⤵PID:540
-
\??\c:\vdvjd.exec:\vdvjd.exe94⤵PID:1976
-
\??\c:\xxlffxx.exec:\xxlffxx.exe95⤵PID:3000
-
\??\c:\4486428.exec:\4486428.exe96⤵PID:1092
-
\??\c:\i424062.exec:\i424062.exe97⤵PID:2416
-
\??\c:\420000.exec:\420000.exe98⤵PID:1136
-
\??\c:\htbnnb.exec:\htbnnb.exe99⤵PID:1084
-
\??\c:\pjdjv.exec:\pjdjv.exe100⤵PID:1520
-
\??\c:\0466884.exec:\0466884.exe101⤵PID:828
-
\??\c:\2640628.exec:\2640628.exe102⤵PID:1260
-
\??\c:\rxlfrfr.exec:\rxlfrfr.exe103⤵PID:1868
-
\??\c:\20406.exec:\20406.exe104⤵PID:1676
-
\??\c:\20240.exec:\20240.exe105⤵PID:1100
-
\??\c:\pjddp.exec:\pjddp.exe106⤵PID:484
-
\??\c:\xlrxfrx.exec:\xlrxfrx.exe107⤵PID:1656
-
\??\c:\vdvdj.exec:\vdvdj.exe108⤵PID:2472
-
\??\c:\6462442.exec:\6462442.exe109⤵PID:568
-
\??\c:\086846.exec:\086846.exe110⤵PID:2240
-
\??\c:\ttthtn.exec:\ttthtn.exe111⤵PID:1000
-
\??\c:\bthntb.exec:\bthntb.exe112⤵PID:2564
-
\??\c:\fxrxlrl.exec:\fxrxlrl.exe113⤵PID:1504
-
\??\c:\ddpvp.exec:\ddpvp.exe114⤵PID:2288
-
\??\c:\608684.exec:\608684.exe115⤵PID:2328
-
\??\c:\0822824.exec:\0822824.exe116⤵PID:2356
-
\??\c:\86406.exec:\86406.exe117⤵PID:2732
-
\??\c:\488088.exec:\488088.exe118⤵PID:2744
-
\??\c:\4862824.exec:\4862824.exe119⤵PID:1608
-
\??\c:\1tthbt.exec:\1tthbt.exe120⤵PID:2848
-
\??\c:\m4228.exec:\m4228.exe121⤵PID:2144
-
\??\c:\82286.exec:\82286.exe122⤵PID:2792