Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
20-12-2024 00:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
97691710e8e3ae5e0d8bd7e442eaae5eff9c5e0b374e73dc9adb7844ab4e2b41N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
97691710e8e3ae5e0d8bd7e442eaae5eff9c5e0b374e73dc9adb7844ab4e2b41N.exe
-
Size
452KB
-
MD5
74df0160dee9bfb4631c8564fb16aad0
-
SHA1
a065e7639ee1fdd03d73e35b7230eb12bab7a2b1
-
SHA256
97691710e8e3ae5e0d8bd7e442eaae5eff9c5e0b374e73dc9adb7844ab4e2b41
-
SHA512
d863acd7729a03ab2b918b5019a74486976e2071a968e48b05428bd43b8681d4ec5cd1adf6990a8f8cd9c722ba4314c718497342d331e98c1ccf1a3f6270a904
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/1064-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-113-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1516-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-136-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2916-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-124-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2916-119-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2948-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1160-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2244-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-283-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1604-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-327-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1400-344-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2804-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-372-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/644-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-556-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2956-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-808-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2292-821-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/1252-840-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1940 llxrxfx.exe 2400 jjpvd.exe 2836 djpvj.exe 2208 u286646.exe 2848 rllxfff.exe 2792 nhhhbh.exe 2708 5vjpv.exe 2612 40260.exe 2588 nhbhnn.exe 2668 xxxxrfr.exe 1640 2646842.exe 2916 0080242.exe 1516 8640208.exe 2948 q86800.exe 1648 3dvdp.exe 1160 8808402.exe 2056 bbhnht.exe 1200 jjdpd.exe 1596 btntth.exe 2572 826866.exe 2304 1pddj.exe 2244 rxxlflx.exe 1340 48840.exe 912 i266842.exe 1716 88024.exe 1792 82006.exe 944 3nhttt.exe 2036 vdjvp.exe 1512 lxfllfr.exe 1568 e64466.exe 1972 nhtbbb.exe 1800 200024.exe 1604 rllrxrr.exe 1328 hthntt.exe 1940 2684602.exe 2780 pdvvj.exe 2184 042862.exe 1400 826022.exe 2804 5rflrrx.exe 2776 24448.exe 2792 rlfxrrr.exe 2344 486400.exe 2952 c800228.exe 2604 8688442.exe 2156 0400662.exe 2712 866688.exe 2648 424400.exe 2936 vpdjj.exe 2680 3nbhbb.exe 1304 420688.exe 2856 428228.exe 584 82402.exe 1964 8042260.exe 1912 flrfxfl.exe 2220 0844064.exe 644 q66600.exe 1492 xrffffr.exe 2084 60840.exe 2140 20284.exe 1332 fxrlxxl.exe 1668 9pppp.exe 2452 0806842.exe 2264 ntbtbb.exe 988 9vjjj.exe -
resource yara_rule behavioral1/memory/1064-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2792-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-808-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1036-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-1012-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-1025-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-1057-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k88208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2062884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e02622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8808402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0484086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2620602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1064 wrote to memory of 1940 1064 97691710e8e3ae5e0d8bd7e442eaae5eff9c5e0b374e73dc9adb7844ab4e2b41N.exe 30 PID 1064 wrote to memory of 1940 1064 97691710e8e3ae5e0d8bd7e442eaae5eff9c5e0b374e73dc9adb7844ab4e2b41N.exe 30 PID 1064 wrote to memory of 1940 1064 97691710e8e3ae5e0d8bd7e442eaae5eff9c5e0b374e73dc9adb7844ab4e2b41N.exe 30 PID 1064 wrote to memory of 1940 1064 97691710e8e3ae5e0d8bd7e442eaae5eff9c5e0b374e73dc9adb7844ab4e2b41N.exe 30 PID 1940 wrote to memory of 2400 1940 llxrxfx.exe 31 PID 1940 wrote to memory of 2400 1940 llxrxfx.exe 31 PID 1940 wrote to memory of 2400 1940 llxrxfx.exe 31 PID 1940 wrote to memory of 2400 1940 llxrxfx.exe 31 PID 2400 wrote to memory of 2836 2400 jjpvd.exe 32 PID 2400 wrote to memory of 2836 2400 jjpvd.exe 32 PID 2400 wrote to memory of 2836 2400 jjpvd.exe 32 PID 2400 wrote to memory of 2836 2400 jjpvd.exe 32 PID 2836 wrote to memory of 2208 2836 djpvj.exe 33 PID 2836 wrote to memory of 2208 2836 djpvj.exe 33 PID 2836 wrote to memory of 2208 2836 djpvj.exe 33 PID 2836 wrote to memory of 2208 2836 djpvj.exe 33 PID 2208 wrote to memory of 2848 2208 u286646.exe 34 PID 2208 wrote to memory of 2848 2208 u286646.exe 34 PID 2208 wrote to memory of 2848 2208 u286646.exe 34 PID 2208 wrote to memory of 2848 2208 u286646.exe 34 PID 2848 wrote to memory of 2792 2848 rllxfff.exe 70 PID 2848 wrote to memory of 2792 2848 rllxfff.exe 70 PID 2848 wrote to memory of 2792 2848 rllxfff.exe 70 PID 2848 wrote to memory of 2792 2848 rllxfff.exe 70 PID 2792 wrote to memory of 2708 2792 nhhhbh.exe 36 PID 2792 wrote to memory of 2708 2792 nhhhbh.exe 36 PID 2792 wrote to memory of 2708 2792 nhhhbh.exe 36 PID 2792 wrote to memory of 2708 2792 nhhhbh.exe 36 PID 2708 wrote to memory of 2612 2708 5vjpv.exe 37 PID 2708 wrote to memory of 2612 2708 5vjpv.exe 37 PID 2708 wrote to memory of 2612 2708 5vjpv.exe 37 PID 2708 wrote to memory of 2612 2708 5vjpv.exe 37 PID 2612 wrote to memory of 2588 2612 40260.exe 38 PID 2612 
wrote to memory of 2588 2612 40260.exe 38 PID 2612 wrote to memory of 2588 2612 40260.exe 38 PID 2612 wrote to memory of 2588 2612 40260.exe 38 PID 2588 wrote to memory of 2668 2588 nhbhnn.exe 39 PID 2588 wrote to memory of 2668 2588 nhbhnn.exe 39 PID 2588 wrote to memory of 2668 2588 nhbhnn.exe 39 PID 2588 wrote to memory of 2668 2588 nhbhnn.exe 39 PID 2668 wrote to memory of 1640 2668 xxxxrfr.exe 40 PID 2668 wrote to memory of 1640 2668 xxxxrfr.exe 40 PID 2668 wrote to memory of 1640 2668 xxxxrfr.exe 40 PID 2668 wrote to memory of 1640 2668 xxxxrfr.exe 40 PID 1640 wrote to memory of 2916 1640 2646842.exe 41 PID 1640 wrote to memory of 2916 1640 2646842.exe 41 PID 1640 wrote to memory of 2916 1640 2646842.exe 41 PID 1640 wrote to memory of 2916 1640 2646842.exe 41 PID 2916 wrote to memory of 1516 2916 0080242.exe 42 PID 2916 wrote to memory of 1516 2916 0080242.exe 42 PID 2916 wrote to memory of 1516 2916 0080242.exe 42 PID 2916 wrote to memory of 1516 2916 0080242.exe 42 PID 1516 wrote to memory of 2948 1516 8640208.exe 43 PID 1516 wrote to memory of 2948 1516 8640208.exe 43 PID 1516 wrote to memory of 2948 1516 8640208.exe 43 PID 1516 wrote to memory of 2948 1516 8640208.exe 43 PID 2948 wrote to memory of 1648 2948 q86800.exe 44 PID 2948 wrote to memory of 1648 2948 q86800.exe 44 PID 2948 wrote to memory of 1648 2948 q86800.exe 44 PID 2948 wrote to memory of 1648 2948 q86800.exe 44 PID 1648 wrote to memory of 1160 1648 3dvdp.exe 45 PID 1648 wrote to memory of 1160 1648 3dvdp.exe 45 PID 1648 wrote to memory of 1160 1648 3dvdp.exe 45 PID 1648 wrote to memory of 1160 1648 3dvdp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\97691710e8e3ae5e0d8bd7e442eaae5eff9c5e0b374e73dc9adb7844ab4e2b41N.exe"C:\Users\Admin\AppData\Local\Temp\97691710e8e3ae5e0d8bd7e442eaae5eff9c5e0b374e73dc9adb7844ab4e2b41N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\llxrxfx.exec:\llxrxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\jjpvd.exec:\jjpvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\djpvj.exec:\djpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\u286646.exec:\u286646.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\rllxfff.exec:\rllxfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\nhhhbh.exec:\nhhhbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\5vjpv.exec:\5vjpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\40260.exec:\40260.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\nhbhnn.exec:\nhbhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\xxxxrfr.exec:\xxxxrfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\2646842.exec:\2646842.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\0080242.exec:\0080242.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\8640208.exec:\8640208.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\q86800.exec:\q86800.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\3dvdp.exec:\3dvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\8808402.exec:\8808402.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1160 -
\??\c:\bbhnht.exec:\bbhnht.exe18⤵
- Executes dropped EXE
PID:2056 -
\??\c:\jjdpd.exec:\jjdpd.exe19⤵
- Executes dropped EXE
PID:1200 -
\??\c:\btntth.exec:\btntth.exe20⤵
- Executes dropped EXE
PID:1596 -
\??\c:\826866.exec:\826866.exe21⤵
- Executes dropped EXE
PID:2572 -
\??\c:\1pddj.exec:\1pddj.exe22⤵
- Executes dropped EXE
PID:2304 -
\??\c:\rxxlflx.exec:\rxxlflx.exe23⤵
- Executes dropped EXE
PID:2244 -
\??\c:\48840.exec:\48840.exe24⤵
- Executes dropped EXE
PID:1340 -
\??\c:\i266842.exec:\i266842.exe25⤵
- Executes dropped EXE
PID:912 -
\??\c:\88024.exec:\88024.exe26⤵
- Executes dropped EXE
PID:1716 -
\??\c:\82006.exec:\82006.exe27⤵
- Executes dropped EXE
PID:1792 -
\??\c:\3nhttt.exec:\3nhttt.exe28⤵
- Executes dropped EXE
PID:944 -
\??\c:\vdjvp.exec:\vdjvp.exe29⤵
- Executes dropped EXE
PID:2036 -
\??\c:\lxfllfr.exec:\lxfllfr.exe30⤵
- Executes dropped EXE
PID:1512 -
\??\c:\e64466.exec:\e64466.exe31⤵
- Executes dropped EXE
PID:1568 -
\??\c:\nhtbbb.exec:\nhtbbb.exe32⤵
- Executes dropped EXE
PID:1972 -
\??\c:\200024.exec:\200024.exe33⤵
- Executes dropped EXE
PID:1800 -
\??\c:\rllrxrr.exec:\rllrxrr.exe34⤵
- Executes dropped EXE
PID:1604 -
\??\c:\hthntt.exec:\hthntt.exe35⤵
- Executes dropped EXE
PID:1328 -
\??\c:\2684602.exec:\2684602.exe36⤵
- Executes dropped EXE
PID:1940 -
\??\c:\pdvvj.exec:\pdvvj.exe37⤵
- Executes dropped EXE
PID:2780 -
\??\c:\042862.exec:\042862.exe38⤵
- Executes dropped EXE
PID:2184 -
\??\c:\826022.exec:\826022.exe39⤵
- Executes dropped EXE
PID:1400 -
\??\c:\5rflrrx.exec:\5rflrrx.exe40⤵
- Executes dropped EXE
PID:2804 -
\??\c:\24448.exec:\24448.exe41⤵
- Executes dropped EXE
PID:2776 -
\??\c:\rlfxrrr.exec:\rlfxrrr.exe42⤵
- Executes dropped EXE
PID:2792 -
\??\c:\486400.exec:\486400.exe43⤵
- Executes dropped EXE
PID:2344 -
\??\c:\c800228.exec:\c800228.exe44⤵
- Executes dropped EXE
PID:2952 -
\??\c:\8688442.exec:\8688442.exe45⤵
- Executes dropped EXE
PID:2604 -
\??\c:\0400662.exec:\0400662.exe46⤵
- Executes dropped EXE
PID:2156 -
\??\c:\866688.exec:\866688.exe47⤵
- Executes dropped EXE
PID:2712 -
\??\c:\424400.exec:\424400.exe48⤵
- Executes dropped EXE
PID:2648 -
\??\c:\vpdjj.exec:\vpdjj.exe49⤵
- Executes dropped EXE
PID:2936 -
\??\c:\3nbhbb.exec:\3nbhbb.exe50⤵
- Executes dropped EXE
PID:2680 -
\??\c:\420688.exec:\420688.exe51⤵
- Executes dropped EXE
PID:1304 -
\??\c:\428228.exec:\428228.exe52⤵
- Executes dropped EXE
PID:2856 -
\??\c:\82402.exec:\82402.exe53⤵
- Executes dropped EXE
PID:584 -
\??\c:\8042260.exec:\8042260.exe54⤵
- Executes dropped EXE
PID:1964 -
\??\c:\flrfxfl.exec:\flrfxfl.exe55⤵
- Executes dropped EXE
PID:1912 -
\??\c:\0844064.exec:\0844064.exe56⤵
- Executes dropped EXE
PID:2220 -
\??\c:\q66600.exec:\q66600.exe57⤵
- Executes dropped EXE
PID:644 -
\??\c:\xrffffr.exec:\xrffffr.exe58⤵
- Executes dropped EXE
PID:1492 -
\??\c:\60840.exec:\60840.exe59⤵
- Executes dropped EXE
PID:2084 -
\??\c:\20284.exec:\20284.exe60⤵
- Executes dropped EXE
PID:2140 -
\??\c:\fxrlxxl.exec:\fxrlxxl.exe61⤵
- Executes dropped EXE
PID:1332 -
\??\c:\9pppp.exec:\9pppp.exe62⤵
- Executes dropped EXE
PID:1668 -
\??\c:\0806842.exec:\0806842.exe63⤵
- Executes dropped EXE
PID:2452 -
\??\c:\ntbtbb.exec:\ntbtbb.exe64⤵
- Executes dropped EXE
PID:2264 -
\??\c:\9vjjj.exec:\9vjjj.exe65⤵
- Executes dropped EXE
PID:988 -
\??\c:\208844.exec:\208844.exe66⤵PID:600
-
\??\c:\4206220.exec:\4206220.exe67⤵PID:1720
-
\??\c:\hbtntn.exec:\hbtntn.exe68⤵PID:1560
-
\??\c:\lfrxfrx.exec:\lfrxfrx.exe69⤵PID:560
-
\??\c:\1bnthh.exec:\1bnthh.exe70⤵PID:2364
-
\??\c:\pjpdd.exec:\pjpdd.exe71⤵PID:2412
-
\??\c:\484840.exec:\484840.exe72⤵PID:1512
-
\??\c:\k40400.exec:\k40400.exe73⤵PID:1504
-
\??\c:\vjvvd.exec:\vjvvd.exe74⤵PID:1960
-
\??\c:\64284.exec:\64284.exe75⤵PID:1704
-
\??\c:\g8624.exec:\g8624.exe76⤵PID:1800
-
\??\c:\8682228.exec:\8682228.exe77⤵PID:1064
-
\??\c:\ddjjj.exec:\ddjjj.exe78⤵PID:872
-
\??\c:\tthbhh.exec:\tthbhh.exe79⤵PID:2380
-
\??\c:\242624.exec:\242624.exe80⤵PID:1240
-
\??\c:\60806.exec:\60806.exe81⤵PID:2700
-
\??\c:\482424.exec:\482424.exe82⤵PID:2788
-
\??\c:\4204440.exec:\4204440.exe83⤵PID:2724
-
\??\c:\486200.exec:\486200.exe84⤵PID:2736
-
\??\c:\64006.exec:\64006.exe85⤵PID:2956
-
\??\c:\nntbbb.exec:\nntbbb.exe86⤵PID:2760
-
\??\c:\a6488.exec:\a6488.exe87⤵PID:2608
-
\??\c:\608466.exec:\608466.exe88⤵PID:2664
-
\??\c:\hhthnt.exec:\hhthnt.exe89⤵PID:2308
-
\??\c:\jjvdp.exec:\jjvdp.exe90⤵PID:2576
-
\??\c:\200264.exec:\200264.exe91⤵PID:2920
-
\??\c:\7ppvj.exec:\7ppvj.exe92⤵PID:2340
-
\??\c:\jjddd.exec:\jjddd.exe93⤵PID:2912
-
\??\c:\2246468.exec:\2246468.exe94⤵PID:2008
-
\??\c:\fxrlrrx.exec:\fxrlrrx.exe95⤵PID:1304
-
\??\c:\1xflxfr.exec:\1xflxfr.exe96⤵PID:2856
-
\??\c:\m0888.exec:\m0888.exe97⤵PID:668
-
\??\c:\hbhbnn.exec:\hbhbnn.exe98⤵PID:2120
-
\??\c:\3dvvj.exec:\3dvvj.exe99⤵PID:1912
-
\??\c:\m2406.exec:\m2406.exe100⤵PID:1904
-
\??\c:\vvpdp.exec:\vvpdp.exe101⤵PID:2076
-
\??\c:\5pjpv.exec:\5pjpv.exe102⤵PID:1484
-
\??\c:\e02628.exec:\e02628.exe103⤵PID:1052
-
\??\c:\864022.exec:\864022.exe104⤵PID:2064
-
\??\c:\3xllrrr.exec:\3xllrrr.exe105⤵PID:896
-
\??\c:\1ntbnt.exec:\1ntbnt.exe106⤵PID:2488
-
\??\c:\nttbbn.exec:\nttbbn.exe107⤵PID:2416
-
\??\c:\u684628.exec:\u684628.exe108⤵PID:828
-
\??\c:\3fxxffr.exec:\3fxxffr.exe109⤵PID:2484
-
\??\c:\446626.exec:\446626.exe110⤵PID:1736
-
\??\c:\9fxrffr.exec:\9fxrffr.exe111⤵PID:900
-
\??\c:\btthtn.exec:\btthtn.exe112⤵PID:1656
-
\??\c:\3pddd.exec:\3pddd.exe113⤵PID:2292
-
\??\c:\086622.exec:\086622.exe114⤵PID:1532
-
\??\c:\604606.exec:\604606.exe115⤵PID:692
-
\??\c:\9hnnbt.exec:\9hnnbt.exe116⤵PID:1252
-
\??\c:\tnbhnb.exec:\tnbhnb.exe117⤵PID:2368
-
\??\c:\6462406.exec:\6462406.exe118⤵PID:2328
-
\??\c:\lxlrxxx.exec:\lxlrxxx.exe119⤵PID:3032
-
\??\c:\rxrlrxl.exec:\rxrlrxl.exe120⤵PID:1604
-
\??\c:\ddddj.exec:\ddddj.exe121⤵PID:1916
-
\??\c:\rrlfllx.exec:\rrlfllx.exe122⤵PID:1940