Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
20-12-2024 01:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe
-
Size
454KB
-
MD5
aaba414e6944667286578bf8f57ced30
-
SHA1
354293ea0b6bf7d95a283a038c5947fbede39659
-
SHA256
4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3b
-
SHA512
e3d210f78b350b5158b02b9f0eeb471e224f3a8a42a54acce2a6d2cab08d15ef1b41e10198d248ece93c1c689808714d3f855cf32ddbb310e7d38d16cb6577ff
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2392-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-80-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3052-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-99-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2712-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-168-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/268-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-200-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2224-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/380-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-556-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2932-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/308-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1860-784-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2232-828-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/320-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-923-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon 
behavioral1/memory/1380-951-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2388-1108-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1692-1142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-1198-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2176-1211-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2636 dpjdj.exe 1268 w80668.exe 1444 826840.exe 2264 vpjpd.exe 2832 ttbbnt.exe 2836 246622.exe 2800 rlfxfff.exe 3052 xxrxfxf.exe 2724 c644062.exe 2712 042862.exe 2728 rlflxfl.exe 1812 22068.exe 2964 fxxxlrf.exe 2076 642844.exe 2000 jjvvj.exe 1636 64262.exe 3040 ppjpv.exe 2084 hhbtnn.exe 2148 6040246.exe 268 882428.exe 2224 80066.exe 1868 jjdjd.exe 380 0828064.exe 2780 444862.exe 1340 m4288.exe 872 4206680.exe 1648 264840.exe 2436 pjddv.exe 1064 5nbhtn.exe 1640 pvjvj.exe 1916 8208406.exe 2580 hthttn.exe 1268 bnbnhn.exe 2144 nttbth.exe 1576 04228.exe 1328 082206.exe 2116 9dvvd.exe 2432 xxrrfxf.exe 2196 jjdjv.exe 2248 9xlfllr.exe 780 264640.exe 2720 8648440.exe 3052 c680206.exe 2888 btntbh.exe 2760 pjpvd.exe 2744 4284006.exe 1248 rrlflrf.exe 1044 3jvdd.exe 1812 nhbbbb.exe 2964 pdjdv.exe 2068 0424608.exe 1124 jvjjp.exe 1760 dpvdj.exe 1508 w46248.exe 1784 24280.exe 2412 ffllrll.exe 2008 0220082.exe 848 htnntt.exe 268 o066888.exe 684 5vvdp.exe 980 0042086.exe 1604 u640600.exe 380 jvddj.exe 1668 0840668.exe -
resource yara_rule behavioral1/memory/2392-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-71-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/3052-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-232-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1648-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-741-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1808-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/672-952-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-1082-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-1107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-1108-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1692-1142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-1191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-1218-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o200488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o480286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2040668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8682228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnntt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2392 wrote to memory of 2636 2392 4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe 30 PID 2392 wrote to memory of 2636 2392 4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe 30 PID 2392 wrote to memory of 2636 2392 4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe 30 PID 2392 wrote to memory of 2636 2392 4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe 30 PID 2636 wrote to memory of 1268 2636 dpjdj.exe 31 PID 2636 wrote to memory of 1268 2636 dpjdj.exe 31 PID 2636 wrote to memory of 1268 2636 dpjdj.exe 31 PID 2636 wrote to memory of 1268 2636 dpjdj.exe 31 PID 1268 wrote to memory of 1444 1268 w80668.exe 32 PID 1268 wrote to memory of 1444 1268 w80668.exe 32 PID 1268 wrote to memory of 1444 1268 w80668.exe 32 PID 1268 wrote to memory of 1444 1268 w80668.exe 32 PID 1444 wrote to memory of 2264 1444 826840.exe 33 PID 1444 wrote to memory of 2264 1444 826840.exe 33 PID 1444 wrote to memory of 2264 1444 826840.exe 33 PID 1444 wrote to memory of 2264 1444 826840.exe 33 PID 2264 wrote to memory of 2832 2264 vpjpd.exe 34 PID 2264 wrote to memory of 2832 2264 vpjpd.exe 34 PID 2264 wrote to memory of 2832 2264 vpjpd.exe 34 PID 2264 wrote to memory of 2832 2264 vpjpd.exe 34 PID 2832 wrote to memory of 2836 2832 ttbbnt.exe 35 PID 2832 wrote to memory of 2836 2832 ttbbnt.exe 35 PID 2832 wrote to memory of 2836 2832 ttbbnt.exe 35 PID 2832 wrote to memory of 2836 2832 ttbbnt.exe 35 PID 2836 wrote to memory of 2800 2836 246622.exe 36 PID 2836 wrote to memory of 2800 2836 246622.exe 36 PID 2836 wrote to memory of 2800 2836 246622.exe 36 PID 2836 wrote to memory of 2800 2836 246622.exe 36 PID 2800 wrote to memory of 3052 2800 rlfxfff.exe 37 PID 2800 wrote to memory of 3052 2800 rlfxfff.exe 37 PID 2800 wrote to memory of 3052 2800 rlfxfff.exe 37 PID 2800 wrote to memory of 3052 2800 rlfxfff.exe 37 PID 3052 wrote to memory of 2724 3052 xxrxfxf.exe 38 PID 3052 
wrote to memory of 2724 3052 xxrxfxf.exe 38 PID 3052 wrote to memory of 2724 3052 xxrxfxf.exe 38 PID 3052 wrote to memory of 2724 3052 xxrxfxf.exe 38 PID 2724 wrote to memory of 2712 2724 c644062.exe 39 PID 2724 wrote to memory of 2712 2724 c644062.exe 39 PID 2724 wrote to memory of 2712 2724 c644062.exe 39 PID 2724 wrote to memory of 2712 2724 c644062.exe 39 PID 2712 wrote to memory of 2728 2712 042862.exe 40 PID 2712 wrote to memory of 2728 2712 042862.exe 40 PID 2712 wrote to memory of 2728 2712 042862.exe 40 PID 2712 wrote to memory of 2728 2712 042862.exe 40 PID 2728 wrote to memory of 1812 2728 rlflxfl.exe 42 PID 2728 wrote to memory of 1812 2728 rlflxfl.exe 42 PID 2728 wrote to memory of 1812 2728 rlflxfl.exe 42 PID 2728 wrote to memory of 1812 2728 rlflxfl.exe 42 PID 1812 wrote to memory of 2964 1812 22068.exe 43 PID 1812 wrote to memory of 2964 1812 22068.exe 43 PID 1812 wrote to memory of 2964 1812 22068.exe 43 PID 1812 wrote to memory of 2964 1812 22068.exe 43 PID 2964 wrote to memory of 2076 2964 fxxxlrf.exe 44 PID 2964 wrote to memory of 2076 2964 fxxxlrf.exe 44 PID 2964 wrote to memory of 2076 2964 fxxxlrf.exe 44 PID 2964 wrote to memory of 2076 2964 fxxxlrf.exe 44 PID 2076 wrote to memory of 2000 2076 642844.exe 45 PID 2076 wrote to memory of 2000 2076 642844.exe 45 PID 2076 wrote to memory of 2000 2076 642844.exe 45 PID 2076 wrote to memory of 2000 2076 642844.exe 45 PID 2000 wrote to memory of 1636 2000 jjvvj.exe 46 PID 2000 wrote to memory of 1636 2000 jjvvj.exe 46 PID 2000 wrote to memory of 1636 2000 jjvvj.exe 46 PID 2000 wrote to memory of 1636 2000 jjvvj.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe"C:\Users\Admin\AppData\Local\Temp\4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\dpjdj.exec:\dpjdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\w80668.exec:\w80668.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\826840.exec:\826840.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\vpjpd.exec:\vpjpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\ttbbnt.exec:\ttbbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\246622.exec:\246622.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\rlfxfff.exec:\rlfxfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\xxrxfxf.exec:\xxrxfxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\c644062.exec:\c644062.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\042862.exec:\042862.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\rlflxfl.exec:\rlflxfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\22068.exec:\22068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\fxxxlrf.exec:\fxxxlrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\642844.exec:\642844.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\jjvvj.exec:\jjvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\64262.exec:\64262.exe17⤵
- Executes dropped EXE
PID:1636 -
\??\c:\ppjpv.exec:\ppjpv.exe18⤵
- Executes dropped EXE
PID:3040 -
\??\c:\hhbtnn.exec:\hhbtnn.exe19⤵
- Executes dropped EXE
PID:2084 -
\??\c:\6040246.exec:\6040246.exe20⤵
- Executes dropped EXE
PID:2148 -
\??\c:\882428.exec:\882428.exe21⤵
- Executes dropped EXE
PID:268 -
\??\c:\80066.exec:\80066.exe22⤵
- Executes dropped EXE
PID:2224 -
\??\c:\jjdjd.exec:\jjdjd.exe23⤵
- Executes dropped EXE
PID:1868 -
\??\c:\0828064.exec:\0828064.exe24⤵
- Executes dropped EXE
PID:380 -
\??\c:\444862.exec:\444862.exe25⤵
- Executes dropped EXE
PID:2780 -
\??\c:\m4288.exec:\m4288.exe26⤵
- Executes dropped EXE
PID:1340 -
\??\c:\4206680.exec:\4206680.exe27⤵
- Executes dropped EXE
PID:872 -
\??\c:\264840.exec:\264840.exe28⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pjddv.exec:\pjddv.exe29⤵
- Executes dropped EXE
PID:2436 -
\??\c:\5nbhtn.exec:\5nbhtn.exe30⤵
- Executes dropped EXE
PID:1064 -
\??\c:\pvjvj.exec:\pvjvj.exe31⤵
- Executes dropped EXE
PID:1640 -
\??\c:\8208406.exec:\8208406.exe32⤵
- Executes dropped EXE
PID:1916 -
\??\c:\hthttn.exec:\hthttn.exe33⤵
- Executes dropped EXE
PID:2580 -
\??\c:\bnbnhn.exec:\bnbnhn.exe34⤵
- Executes dropped EXE
PID:1268 -
\??\c:\nttbth.exec:\nttbth.exe35⤵
- Executes dropped EXE
PID:2144 -
\??\c:\04228.exec:\04228.exe36⤵
- Executes dropped EXE
PID:1576 -
\??\c:\082206.exec:\082206.exe37⤵
- Executes dropped EXE
PID:1328 -
\??\c:\9dvvd.exec:\9dvvd.exe38⤵
- Executes dropped EXE
PID:2116 -
\??\c:\xxrrfxf.exec:\xxrrfxf.exe39⤵
- Executes dropped EXE
PID:2432 -
\??\c:\jjdjv.exec:\jjdjv.exe40⤵
- Executes dropped EXE
PID:2196 -
\??\c:\9xlfllr.exec:\9xlfllr.exe41⤵
- Executes dropped EXE
PID:2248 -
\??\c:\264640.exec:\264640.exe42⤵
- Executes dropped EXE
PID:780 -
\??\c:\8648440.exec:\8648440.exe43⤵
- Executes dropped EXE
PID:2720 -
\??\c:\c680206.exec:\c680206.exe44⤵
- Executes dropped EXE
PID:3052 -
\??\c:\btntbh.exec:\btntbh.exe45⤵
- Executes dropped EXE
PID:2888 -
\??\c:\pjpvd.exec:\pjpvd.exe46⤵
- Executes dropped EXE
PID:2760 -
\??\c:\4284006.exec:\4284006.exe47⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rrlflrf.exec:\rrlflrf.exe48⤵
- Executes dropped EXE
PID:1248 -
\??\c:\3jvdd.exec:\3jvdd.exe49⤵
- Executes dropped EXE
PID:1044 -
\??\c:\nhbbbb.exec:\nhbbbb.exe50⤵
- Executes dropped EXE
PID:1812 -
\??\c:\pdjdv.exec:\pdjdv.exe51⤵
- Executes dropped EXE
PID:2964 -
\??\c:\0424608.exec:\0424608.exe52⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jvjjp.exec:\jvjjp.exe53⤵
- Executes dropped EXE
PID:1124 -
\??\c:\dpvdj.exec:\dpvdj.exe54⤵
- Executes dropped EXE
PID:1760 -
\??\c:\w46248.exec:\w46248.exe55⤵
- Executes dropped EXE
PID:1508 -
\??\c:\24280.exec:\24280.exe56⤵
- Executes dropped EXE
PID:1784 -
\??\c:\ffllrll.exec:\ffllrll.exe57⤵
- Executes dropped EXE
PID:2412 -
\??\c:\0220082.exec:\0220082.exe58⤵
- Executes dropped EXE
PID:2008 -
\??\c:\htnntt.exec:\htnntt.exe59⤵
- Executes dropped EXE
PID:848 -
\??\c:\o066888.exec:\o066888.exe60⤵
- Executes dropped EXE
PID:268 -
\??\c:\5vvdp.exec:\5vvdp.exe61⤵
- Executes dropped EXE
PID:684 -
\??\c:\0042086.exec:\0042086.exe62⤵
- Executes dropped EXE
PID:980 -
\??\c:\u640600.exec:\u640600.exe63⤵
- Executes dropped EXE
PID:1604 -
\??\c:\jvddj.exec:\jvddj.exe64⤵
- Executes dropped EXE
PID:380 -
\??\c:\0840668.exec:\0840668.exe65⤵
- Executes dropped EXE
PID:1668 -
\??\c:\6002026.exec:\6002026.exe66⤵PID:2192
-
\??\c:\64440.exec:\64440.exe67⤵PID:1768
-
\??\c:\dpdjd.exec:\dpdjd.exe68⤵PID:924
-
\??\c:\6406644.exec:\6406644.exe69⤵PID:2168
-
\??\c:\20228.exec:\20228.exe70⤵PID:2080
-
\??\c:\lxxfffl.exec:\lxxfffl.exe71⤵PID:1780
-
\??\c:\1xllffl.exec:\1xllffl.exe72⤵PID:1064
-
\??\c:\2640224.exec:\2640224.exe73⤵PID:880
-
\??\c:\8246884.exec:\8246884.exe74⤵PID:2032
-
\??\c:\u466662.exec:\u466662.exe75⤵PID:2600
-
\??\c:\08444.exec:\08444.exe76⤵PID:2124
-
\??\c:\5vppv.exec:\5vppv.exe77⤵PID:2268
-
\??\c:\3bttth.exec:\3bttth.exe78⤵PID:2028
-
\??\c:\9jdvj.exec:\9jdvj.exe79⤵PID:1580
-
\??\c:\k42288.exec:\k42288.exe80⤵PID:2812
-
\??\c:\nnbtbb.exec:\nnbtbb.exe81⤵PID:2932
-
\??\c:\bnbntt.exec:\bnbntt.exe82⤵PID:2936
-
\??\c:\8606262.exec:\8606262.exe83⤵PID:2688
-
\??\c:\884248.exec:\884248.exe84⤵PID:2904
-
\??\c:\7rfflff.exec:\7rfflff.exe85⤵PID:2944
-
\??\c:\462282.exec:\462282.exe86⤵PID:2872
-
\??\c:\684404.exec:\684404.exe87⤵PID:2680
-
\??\c:\ffrxxfl.exec:\ffrxxfl.exe88⤵PID:308
-
\??\c:\tthtbh.exec:\tthtbh.exe89⤵PID:2804
-
\??\c:\thbhnt.exec:\thbhnt.exe90⤵PID:2296
-
\??\c:\m4020.exec:\m4020.exe91⤵PID:1744
-
\??\c:\82242.exec:\82242.exe92⤵PID:1852
-
\??\c:\fxlrxfr.exec:\fxlrxfr.exe93⤵PID:1304
-
\??\c:\k26026.exec:\k26026.exe94⤵PID:2996
-
\??\c:\1rllrrr.exec:\1rllrrr.exe95⤵PID:2076
-
\??\c:\640000.exec:\640000.exe96⤵PID:1540
-
\??\c:\642068.exec:\642068.exe97⤵PID:2040
-
\??\c:\s6466.exec:\s6466.exe98⤵PID:2540
-
\??\c:\0866880.exec:\0866880.exe99⤵PID:2616
-
\??\c:\btbhnt.exec:\btbhnt.exe100⤵PID:1152
-
\??\c:\042066.exec:\042066.exe101⤵PID:2412
-
\??\c:\6468224.exec:\6468224.exe102⤵PID:2612
-
\??\c:\bhnnnb.exec:\bhnnnb.exe103⤵PID:2332
-
\??\c:\864066.exec:\864066.exe104⤵PID:2024
-
\??\c:\pdvpd.exec:\pdvpd.exe105⤵PID:684
-
\??\c:\m2440.exec:\m2440.exe106⤵PID:1868
-
\??\c:\6462006.exec:\6462006.exe107⤵PID:1604
-
\??\c:\0468468.exec:\0468468.exe108⤵PID:1860
-
\??\c:\s6440.exec:\s6440.exe109⤵PID:1668
-
\??\c:\1tbtnn.exec:\1tbtnn.exe110⤵PID:1808
-
\??\c:\642884.exec:\642884.exe111⤵PID:1768
-
\??\c:\ffrlllf.exec:\ffrlllf.exe112⤵PID:2204
-
\??\c:\646628.exec:\646628.exe113⤵PID:1720
-
\??\c:\42260.exec:\42260.exe114⤵PID:1804
-
\??\c:\9jjjd.exec:\9jjjd.exe115⤵PID:2232
-
\??\c:\bnbbbb.exec:\bnbbbb.exe116⤵PID:1052
-
\??\c:\nnnhbt.exec:\nnnhbt.exe117⤵PID:1952
-
\??\c:\2040668.exec:\2040668.exe118⤵
- System Location Discovery: System Language Discovery
PID:2584 -
\??\c:\5hnhhh.exec:\5hnhhh.exe119⤵PID:1444
-
\??\c:\9jpjp.exec:\9jpjp.exe120⤵PID:1976
-
\??\c:\3vjjj.exec:\3vjjj.exe121⤵PID:2144
-
\??\c:\hthhtt.exec:\hthhtt.exe122⤵PID:1576