Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 00:06
Behavioral task
behavioral1
Sample
28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe
-
Size
75KB
-
MD5
b53fafd733a52384c6596c7650a37650
-
SHA1
3bcc782428708e2432caed6fc7556b342779451f
-
SHA256
28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4
-
SHA512
1881b3c716f090f2992d6746ff528dc580bc37b0260c293d3d1516033c4c17dcf1a3d1c2dbe1ccb1e81fb17ee7523eadbf442502b3e6a10376978b480eca9c83
-
SSDEEP
1536:0vQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7FHVNK+1yN32DO:0hOmTsF93UYfwC6GIoutXwji2DO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2444-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2472-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2592-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2516-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2712-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3044-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2356-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2704-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2656-108-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2332-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2992-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3024-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1296-153-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1296-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1296-157-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1276-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1276-168-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2076-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1276-201-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2520-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1792-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2340-220-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1040-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1236-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1620-245-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1984-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2024-297-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1712-309-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1712-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2964-334-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2880-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2328-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1780-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1096-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1704-571-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2276-780-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2092-795-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1596-845-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2160-852-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2512-864-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/3064-914-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1632-951-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/1236-1062-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/1924-1192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1908-1418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1908-1424-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2592 228048.exe 2472 5xxxflx.exe 2516 vdjdj.exe 2848 hthhtt.exe 3044 lxxrrff.exe 2712 626808.exe 2356 frfllfl.exe 3056 jpvvj.exe 2704 48866.exe 2780 6040246.exe 2656 646406.exe 588 08440.exe 2332 w08020.exe 2992 82802.exe 3024 9tnhhb.exe 1296 9tnbtb.exe 1276 486222.exe 1396 2842866.exe 2340 2286604.exe 2076 jvjjp.exe 1792 4284602.exe 2520 m2008.exe 1040 1hhntn.exe 1236 48002.exe 1620 4608242.exe 548 0242240.exe 1384 048440.exe 1000 tnbbnh.exe 2420 6020284.exe 1984 lfxxfxl.exe 2024 jvppp.exe 1712 thtnbh.exe 2496 5vjdd.exe 2888 5vpjv.exe 2488 xxlrrlr.exe 2964 4280284.exe 2588 48842.exe 2980 nnhhtb.exe 2836 8828280.exe 2880 hbntbn.exe 2868 82286.exe 3056 26020.exe 2972 hhhtth.exe 2872 xfxllff.exe 2780 pdjpp.exe 1824 442824.exe 1488 0246406.exe 568 ppjvp.exe 2908 vjvdd.exe 3016 4480884.exe 2328 vdjdd.exe 2112 5dpvd.exe 808 nnbnnt.exe 796 2600220.exe 1780 a2620.exe 2188 642644.exe 2104 ddpvd.exe 2044 a4642.exe 2384 60242.exe 2684 tttnbh.exe 272 628668.exe 2608 jjvvv.exe 2800 k40684.exe 1096 lrxrxrx.exe -
resource yara_rule behavioral1/memory/2444-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000900000001202b-5.dat upx behavioral1/memory/2444-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001930d-18.dat upx behavioral1/memory/2472-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019377-27.dat upx behavioral1/memory/2472-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2592-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001938a-37.dat upx behavioral1/memory/2516-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001938e-44.dat upx behavioral1/files/0x000600000001941b-63.dat upx behavioral1/memory/2712-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001939c-55.dat upx behavioral1/memory/3044-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001946b-71.dat upx behavioral1/memory/2356-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001a303-80.dat upx behavioral1/memory/2780-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a355-91.dat upx behavioral1/memory/2704-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a41a-100.dat upx behavioral1/memory/588-114-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001a41c-111.dat upx behavioral1/memory/588-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a41f-119.dat upx behavioral1/memory/2332-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a423-128.dat upx behavioral1/files/0x000500000001a42d-139.dat upx behavioral1/memory/2992-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a467-148.dat upx 
behavioral1/memory/3024-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a487-159.dat upx behavioral1/memory/1296-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1276-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1296-157-0x00000000002B0000-0x00000000002D7000-memory.dmp upx behavioral1/memory/1276-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a489-169.dat upx behavioral1/files/0x000500000001a494-179.dat upx behavioral1/files/0x000500000001a495-186.dat upx behavioral1/files/0x0008000000019242-197.dat upx behavioral1/memory/2076-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4a5-206.dat upx behavioral1/memory/2520-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1396-209-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/1792-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4ab-219.dat upx behavioral1/files/0x000500000001a4ad-228.dat upx behavioral1/memory/1236-230-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1040-229-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1236-238-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4af-239.dat upx behavioral1/files/0x000500000001a4b1-249.dat upx behavioral1/files/0x000500000001a4b3-256.dat upx behavioral1/files/0x000500000001a4b5-264.dat upx behavioral1/files/0x000500000001a4b7-273.dat upx behavioral1/files/0x000500000001a4b9-281.dat upx behavioral1/files/0x000500000001a4bb-290.dat upx behavioral1/memory/1984-289-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4bd-301.dat upx behavioral1/memory/1712-308-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2880-359-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2780-391-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/568-404-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8804866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbbnt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0464406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2444 wrote to memory of 2592 2444 28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe 30 PID 2444 wrote to memory of 2592 2444 28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe 30 PID 2444 wrote to memory of 2592 2444 28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe 30 PID 2444 wrote to memory of 2592 2444 28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe 30 PID 2592 wrote to memory of 2472 2592 228048.exe 31 PID 2592 wrote to memory of 2472 2592 228048.exe 31 PID 2592 wrote to memory of 2472 2592 228048.exe 31 PID 2592 wrote to memory of 2472 2592 228048.exe 31 PID 2472 wrote to memory of 2516 2472 5xxxflx.exe 32 PID 2472 wrote to memory of 2516 2472 5xxxflx.exe 32 PID 2472 wrote to memory of 2516 2472 5xxxflx.exe 32 PID 2472 wrote to memory of 2516 2472 5xxxflx.exe 32 PID 2516 wrote to memory of 2848 2516 vdjdj.exe 33 PID 2516 wrote to memory of 2848 2516 vdjdj.exe 33 PID 2516 wrote to memory of 2848 2516 vdjdj.exe 33 PID 2516 wrote to memory of 2848 2516 vdjdj.exe 33 PID 2848 wrote to memory of 3044 2848 hthhtt.exe 34 PID 2848 wrote to memory of 3044 2848 hthhtt.exe 34 PID 2848 wrote to memory of 3044 2848 hthhtt.exe 34 PID 2848 wrote to memory of 3044 2848 hthhtt.exe 34 PID 3044 wrote to memory of 2712 3044 lxxrrff.exe 35 PID 3044 wrote to memory of 2712 3044 lxxrrff.exe 35 PID 3044 wrote to memory of 2712 3044 lxxrrff.exe 35 PID 3044 wrote to memory of 2712 3044 lxxrrff.exe 35 PID 2712 wrote to memory of 2356 2712 626808.exe 36 PID 2712 wrote to memory of 2356 2712 626808.exe 36 PID 2712 wrote to memory of 2356 2712 626808.exe 36 PID 2712 wrote to memory of 2356 2712 626808.exe 36 PID 2356 wrote to memory of 3056 2356 frfllfl.exe 37 PID 2356 wrote to memory of 3056 2356 frfllfl.exe 37 PID 2356 wrote to memory of 3056 2356 frfllfl.exe 37 PID 2356 wrote to memory of 3056 2356 frfllfl.exe 37 PID 3056 wrote to memory of 2704 3056 jpvvj.exe 38 
PID 3056 wrote to memory of 2704 3056 jpvvj.exe 38 PID 3056 wrote to memory of 2704 3056 jpvvj.exe 38 PID 3056 wrote to memory of 2704 3056 jpvvj.exe 38 PID 2704 wrote to memory of 2780 2704 48866.exe 39 PID 2704 wrote to memory of 2780 2704 48866.exe 39 PID 2704 wrote to memory of 2780 2704 48866.exe 39 PID 2704 wrote to memory of 2780 2704 48866.exe 39 PID 2780 wrote to memory of 2656 2780 6040246.exe 40 PID 2780 wrote to memory of 2656 2780 6040246.exe 40 PID 2780 wrote to memory of 2656 2780 6040246.exe 40 PID 2780 wrote to memory of 2656 2780 6040246.exe 40 PID 2656 wrote to memory of 588 2656 646406.exe 41 PID 2656 wrote to memory of 588 2656 646406.exe 41 PID 2656 wrote to memory of 588 2656 646406.exe 41 PID 2656 wrote to memory of 588 2656 646406.exe 41 PID 588 wrote to memory of 2332 588 08440.exe 42 PID 588 wrote to memory of 2332 588 08440.exe 42 PID 588 wrote to memory of 2332 588 08440.exe 42 PID 588 wrote to memory of 2332 588 08440.exe 42 PID 2332 wrote to memory of 2992 2332 w08020.exe 43 PID 2332 wrote to memory of 2992 2332 w08020.exe 43 PID 2332 wrote to memory of 2992 2332 w08020.exe 43 PID 2332 wrote to memory of 2992 2332 w08020.exe 43 PID 2992 wrote to memory of 3024 2992 82802.exe 44 PID 2992 wrote to memory of 3024 2992 82802.exe 44 PID 2992 wrote to memory of 3024 2992 82802.exe 44 PID 2992 wrote to memory of 3024 2992 82802.exe 44 PID 3024 wrote to memory of 1296 3024 9tnhhb.exe 45 PID 3024 wrote to memory of 1296 3024 9tnhhb.exe 45 PID 3024 wrote to memory of 1296 3024 9tnhhb.exe 45 PID 3024 wrote to memory of 1296 3024 9tnhhb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe"C:\Users\Admin\AppData\Local\Temp\28956dfc41da1251550821cb38a5008c9ddb6721f8eca0150d2c416f1fd61cb4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\228048.exec:\228048.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\5xxxflx.exec:\5xxxflx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\vdjdj.exec:\vdjdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\hthhtt.exec:\hthhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\lxxrrff.exec:\lxxrrff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\626808.exec:\626808.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\frfllfl.exec:\frfllfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\jpvvj.exec:\jpvvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\48866.exec:\48866.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\6040246.exec:\6040246.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\646406.exec:\646406.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\08440.exec:\08440.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588 -
\??\c:\w08020.exec:\w08020.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\82802.exec:\82802.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\9tnhhb.exec:\9tnhhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\9tnbtb.exec:\9tnbtb.exe17⤵
- Executes dropped EXE
PID:1296 -
\??\c:\486222.exec:\486222.exe18⤵
- Executes dropped EXE
PID:1276 -
\??\c:\2842866.exec:\2842866.exe19⤵
- Executes dropped EXE
PID:1396 -
\??\c:\2286604.exec:\2286604.exe20⤵
- Executes dropped EXE
PID:2340 -
\??\c:\jvjjp.exec:\jvjjp.exe21⤵
- Executes dropped EXE
PID:2076 -
\??\c:\4284602.exec:\4284602.exe22⤵
- Executes dropped EXE
PID:1792 -
\??\c:\m2008.exec:\m2008.exe23⤵
- Executes dropped EXE
PID:2520 -
\??\c:\1hhntn.exec:\1hhntn.exe24⤵
- Executes dropped EXE
PID:1040 -
\??\c:\48002.exec:\48002.exe25⤵
- Executes dropped EXE
PID:1236 -
\??\c:\4608242.exec:\4608242.exe26⤵
- Executes dropped EXE
PID:1620 -
\??\c:\0242240.exec:\0242240.exe27⤵
- Executes dropped EXE
PID:548 -
\??\c:\048440.exec:\048440.exe28⤵
- Executes dropped EXE
PID:1384 -
\??\c:\tnbbnh.exec:\tnbbnh.exe29⤵
- Executes dropped EXE
PID:1000 -
\??\c:\6020284.exec:\6020284.exe30⤵
- Executes dropped EXE
PID:2420 -
\??\c:\lfxxfxl.exec:\lfxxfxl.exe31⤵
- Executes dropped EXE
PID:1984 -
\??\c:\jvppp.exec:\jvppp.exe32⤵
- Executes dropped EXE
PID:2024 -
\??\c:\thtnbh.exec:\thtnbh.exe33⤵
- Executes dropped EXE
PID:1712 -
\??\c:\5vjdd.exec:\5vjdd.exe34⤵
- Executes dropped EXE
PID:2496 -
\??\c:\5vpjv.exec:\5vpjv.exe35⤵
- Executes dropped EXE
PID:2888 -
\??\c:\xxlrrlr.exec:\xxlrrlr.exe36⤵
- Executes dropped EXE
PID:2488 -
\??\c:\4280284.exec:\4280284.exe37⤵
- Executes dropped EXE
PID:2964 -
\??\c:\48842.exec:\48842.exe38⤵
- Executes dropped EXE
PID:2588 -
\??\c:\nnhhtb.exec:\nnhhtb.exe39⤵
- Executes dropped EXE
PID:2980 -
\??\c:\8828280.exec:\8828280.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\hbntbn.exec:\hbntbn.exe41⤵
- Executes dropped EXE
PID:2880 -
\??\c:\82286.exec:\82286.exe42⤵
- Executes dropped EXE
PID:2868 -
\??\c:\26020.exec:\26020.exe43⤵
- Executes dropped EXE
PID:3056 -
\??\c:\hhhtth.exec:\hhhtth.exe44⤵
- Executes dropped EXE
PID:2972 -
\??\c:\xfxllff.exec:\xfxllff.exe45⤵
- Executes dropped EXE
PID:2872 -
\??\c:\pdjpp.exec:\pdjpp.exe46⤵
- Executes dropped EXE
PID:2780 -
\??\c:\442824.exec:\442824.exe47⤵
- Executes dropped EXE
PID:1824 -
\??\c:\0246406.exec:\0246406.exe48⤵
- Executes dropped EXE
PID:1488 -
\??\c:\ppjvp.exec:\ppjvp.exe49⤵
- Executes dropped EXE
PID:568 -
\??\c:\vjvdd.exec:\vjvdd.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
\??\c:\4480884.exec:\4480884.exe51⤵
- Executes dropped EXE
PID:3016 -
\??\c:\vdjdd.exec:\vdjdd.exe52⤵
- Executes dropped EXE
PID:2328 -
\??\c:\5dpvd.exec:\5dpvd.exe53⤵
- Executes dropped EXE
PID:2112 -
\??\c:\nnbnnt.exec:\nnbnnt.exe54⤵
- Executes dropped EXE
PID:808 -
\??\c:\2600220.exec:\2600220.exe55⤵
- Executes dropped EXE
PID:796 -
\??\c:\a2620.exec:\a2620.exe56⤵
- Executes dropped EXE
PID:1780 -
\??\c:\642644.exec:\642644.exe57⤵
- Executes dropped EXE
PID:2188 -
\??\c:\ddpvd.exec:\ddpvd.exe58⤵
- Executes dropped EXE
PID:2104 -
\??\c:\a4642.exec:\a4642.exe59⤵
- Executes dropped EXE
PID:2044 -
\??\c:\60242.exec:\60242.exe60⤵
- Executes dropped EXE
PID:2384 -
\??\c:\tttnbh.exec:\tttnbh.exe61⤵
- Executes dropped EXE
PID:2684 -
\??\c:\628668.exec:\628668.exe62⤵
- Executes dropped EXE
PID:272 -
\??\c:\jjvvv.exec:\jjvvv.exe63⤵
- Executes dropped EXE
PID:2608 -
\??\c:\k40684.exec:\k40684.exe64⤵
- Executes dropped EXE
PID:2800 -
\??\c:\lrxrxrx.exec:\lrxrxrx.exe65⤵
- Executes dropped EXE
PID:1096 -
\??\c:\6606846.exec:\6606846.exe66⤵PID:2892
-
\??\c:\24482.exec:\24482.exe67⤵PID:2688
-
\??\c:\1jpvd.exec:\1jpvd.exe68⤵PID:1560
-
\??\c:\rrrfrfr.exec:\rrrfrfr.exe69⤵PID:1776
-
\??\c:\6888826.exec:\6888826.exe70⤵PID:2360
-
\??\c:\7bhtbt.exec:\7bhtbt.exe71⤵PID:892
-
\??\c:\bbbntt.exec:\bbbntt.exe72⤵PID:888
-
\??\c:\2640620.exec:\2640620.exe73⤵PID:2120
-
\??\c:\k08068.exec:\k08068.exe74⤵PID:1704
-
\??\c:\lfxfxrl.exec:\lfxfxrl.exe75⤵PID:1568
-
\??\c:\w00802.exec:\w00802.exe76⤵PID:1708
-
\??\c:\vdjdj.exec:\vdjdj.exe77⤵PID:1948
-
\??\c:\thbthb.exec:\thbthb.exe78⤵PID:2312
-
\??\c:\pvjjp.exec:\pvjjp.exe79⤵PID:2180
-
\??\c:\820204.exec:\820204.exe80⤵PID:2848
-
\??\c:\8060664.exec:\8060664.exe81⤵PID:1908
-
\??\c:\64662.exec:\64662.exe82⤵PID:2852
-
\??\c:\228222.exec:\228222.exe83⤵PID:2732
-
\??\c:\602402.exec:\602402.exe84⤵PID:2984
-
\??\c:\206622.exec:\206622.exe85⤵PID:2752
-
\??\c:\88044.exec:\88044.exe86⤵PID:2720
-
\??\c:\2660842.exec:\2660842.exe87⤵PID:1936
-
\??\c:\8208402.exec:\8208402.exe88⤵PID:2924
-
\??\c:\7jdvj.exec:\7jdvj.exe89⤵PID:2756
-
\??\c:\284684.exec:\284684.exe90⤵PID:2656
-
\??\c:\bttnbn.exec:\bttnbn.exe91⤵PID:1452
-
\??\c:\s8204.exec:\s8204.exe92⤵PID:1696
-
\??\c:\3pjjv.exec:\3pjjv.exe93⤵PID:3000
-
\??\c:\46466.exec:\46466.exe94⤵PID:2908
-
\??\c:\048062.exec:\048062.exe95⤵PID:3016
-
\??\c:\tbbtbn.exec:\tbbtbn.exe96⤵PID:2328
-
\??\c:\llfrllf.exec:\llfrllf.exe97⤵PID:2112
-
\??\c:\5llrffr.exec:\5llrffr.exe98⤵PID:1500
-
\??\c:\4048208.exec:\4048208.exe99⤵PID:796
-
\??\c:\7hthht.exec:\7hthht.exe100⤵PID:2216
-
\??\c:\o088442.exec:\o088442.exe101⤵PID:2188
-
\??\c:\5ntnbh.exec:\5ntnbh.exe102⤵PID:2408
-
\??\c:\xrxlffx.exec:\xrxlffx.exe103⤵PID:2076
-
\??\c:\lfrfxfr.exec:\lfrfxfr.exe104⤵PID:2636
-
\??\c:\c088064.exec:\c088064.exe105⤵PID:1380
-
\??\c:\7tnthn.exec:\7tnthn.exe106⤵PID:2484
-
\??\c:\c602006.exec:\c602006.exe107⤵PID:2668
-
\??\c:\642884.exec:\642884.exe108⤵PID:2276
-
\??\c:\7flrffr.exec:\7flrffr.exe109⤵PID:1236
-
\??\c:\rrrxlxf.exec:\rrrxlxf.exe110⤵PID:2532
-
\??\c:\4004880.exec:\4004880.exe111⤵PID:2092
-
\??\c:\lrlflfr.exec:\lrlflfr.exe112⤵PID:2012
-
\??\c:\026446.exec:\026446.exe113⤵PID:2624
-
\??\c:\vvpjp.exec:\vvpjp.exe114⤵PID:2304
-
\??\c:\5rfxrff.exec:\5rfxrff.exe115⤵PID:1640
-
\??\c:\nbhttb.exec:\nbhttb.exe116⤵PID:2420
-
\??\c:\0808846.exec:\0808846.exe117⤵PID:1756
-
\??\c:\nbtntb.exec:\nbtntb.exe118⤵PID:1596
-
\??\c:\2202686.exec:\2202686.exe119⤵PID:2160
-
\??\c:\djjdd.exec:\djjdd.exe120⤵PID:2496
-
\??\c:\3vjdd.exec:\3vjdd.exe121⤵PID:2512
-
\??\c:\ppjjp.exec:\ppjjp.exe122⤵PID:2812
-