Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 06:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe
-
Size
453KB
-
MD5
e2670bece5d938d0400615cf7383c820
-
SHA1
c0abdeb1691e70e750cdc53c4b9adcf6e51f45e0
-
SHA256
7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780
-
SHA512
a9c75b1a0b42acf5e2e6850abef330f16efb8a1a05ec5137bd6595c506fa1b1b2a2a53bcd1f46b7b4872e7d355f41e70e2f28d49df3353f46366dbdbfa22923d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2140-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2972-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-432-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2196-419-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2324-394-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1928-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-380-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2648-367-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2208-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-341-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2888-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-301-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2200-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2372-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-254-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1984-237-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1084-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-168-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1812-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-59-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2400-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-623-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1644-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-822-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2656-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-906-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2564 bhtttn.exe 2604 48686.exe 2552 w04688.exe 2400 k08406.exe 2520 8206206.exe 2856 1rfrfxl.exe 2796 w48862.exe 2828 422608.exe 2736 266640.exe 2696 248888.exe 2692 q42466.exe 2700 a4246.exe 2052 jdjvj.exe 1928 djdvd.exe 1728 ppjpv.exe 1812 xrxxffx.exe 1340 pjjvj.exe 1948 3xrxrfx.exe 2196 lfxfflx.exe 3064 3rffffl.exe 2168 5rxlxfx.exe 2144 4824284.exe 1488 hbbntb.exe 1084 5rflxfr.exe 2396 4264808.exe 1984 66024.exe 1772 m0446.exe 2372 vpjjj.exe 2508 g8284.exe 836 jvpvd.exe 2312 tnnntb.exe 2200 vvjpv.exe 2140 5hbbbh.exe 2564 8206480.exe 1712 dvpjv.exe 2888 pjjjv.exe 2416 rlxxxfx.exe 2944 hbhhnt.exe 2732 vvpvj.exe 2656 o822886.exe 2248 6024620.exe 2208 xrflxxf.exe 2512 g0802.exe 2648 o084002.exe 2720 260684.exe 1928 7frffrf.exe 2280 xxffxxl.exe 2324 vddvv.exe 1512 4400082.exe 828 44842.exe 1276 6484224.exe 2196 6080224.exe 2456 ppjvd.exe 2972 04280.exe 1308 ddvpp.exe 1084 bhbthn.exe 2180 rrllffr.exe 916 btthnt.exe 1028 4866840.exe 1952 8226880.exe 2256 bthnhn.exe 2884 q04082.exe 1556 xxlfrfr.exe 1716 vpjjv.exe -
resource yara_rule behavioral1/memory/2564-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-394-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1928-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-237-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1084-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-119-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2692-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-906-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2740-953-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-1014-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-1136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-1203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-1224-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2904-1283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-1314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-1333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-1340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-1353-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4400082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q26840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q20622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4802064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8662446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q08466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2140 wrote to memory of 2564 2140 7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe 63 PID 2140 wrote to memory of 2564 2140 7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe 63 PID 2140 wrote to memory of 2564 2140 7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe 63 PID 2140 wrote to memory of 2564 2140 7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe 63 PID 2564 wrote to memory of 2604 2564 bhtttn.exe 31 PID 2564 wrote to memory of 2604 2564 bhtttn.exe 31 PID 2564 wrote to memory of 2604 2564 bhtttn.exe 31 PID 2564 wrote to memory of 2604 2564 bhtttn.exe 31 PID 2604 wrote to memory of 2552 2604 48686.exe 32 PID 2604 wrote to memory of 2552 2604 48686.exe 32 PID 2604 wrote to memory of 2552 2604 48686.exe 32 PID 2604 wrote to memory of 2552 2604 48686.exe 32 PID 2552 wrote to memory of 2400 2552 w04688.exe 33 PID 2552 wrote to memory of 2400 2552 w04688.exe 33 PID 2552 wrote to memory of 2400 2552 w04688.exe 33 PID 2552 wrote to memory of 2400 2552 w04688.exe 33 PID 2400 wrote to memory of 2520 2400 k08406.exe 34 PID 2400 wrote to memory of 2520 2400 k08406.exe 34 PID 2400 wrote to memory of 2520 2400 k08406.exe 34 PID 2400 wrote to memory of 2520 2400 k08406.exe 34 PID 2520 wrote to memory of 2856 2520 8206206.exe 35 PID 2520 wrote to memory of 2856 2520 8206206.exe 35 PID 2520 wrote to memory of 2856 2520 8206206.exe 35 PID 2520 wrote to memory of 2856 2520 8206206.exe 35 PID 2856 wrote to memory of 2796 2856 1rfrfxl.exe 36 PID 2856 wrote to memory of 2796 2856 1rfrfxl.exe 36 PID 2856 wrote to memory of 2796 2856 1rfrfxl.exe 36 PID 2856 wrote to memory of 2796 2856 1rfrfxl.exe 36 PID 2796 wrote to memory of 2828 2796 w48862.exe 37 PID 2796 wrote to memory of 2828 2796 w48862.exe 37 PID 2796 wrote to memory of 2828 2796 w48862.exe 37 PID 2796 wrote to memory of 2828 2796 w48862.exe 37 PID 2828 wrote to memory of 2736 2828 422608.exe 38 PID 
2828 wrote to memory of 2736 2828 422608.exe 38 PID 2828 wrote to memory of 2736 2828 422608.exe 38 PID 2828 wrote to memory of 2736 2828 422608.exe 38 PID 2736 wrote to memory of 2696 2736 266640.exe 39 PID 2736 wrote to memory of 2696 2736 266640.exe 39 PID 2736 wrote to memory of 2696 2736 266640.exe 39 PID 2736 wrote to memory of 2696 2736 266640.exe 39 PID 2696 wrote to memory of 2692 2696 248888.exe 40 PID 2696 wrote to memory of 2692 2696 248888.exe 40 PID 2696 wrote to memory of 2692 2696 248888.exe 40 PID 2696 wrote to memory of 2692 2696 248888.exe 40 PID 2692 wrote to memory of 2700 2692 q42466.exe 41 PID 2692 wrote to memory of 2700 2692 q42466.exe 41 PID 2692 wrote to memory of 2700 2692 q42466.exe 41 PID 2692 wrote to memory of 2700 2692 q42466.exe 41 PID 2700 wrote to memory of 2052 2700 a4246.exe 42 PID 2700 wrote to memory of 2052 2700 a4246.exe 42 PID 2700 wrote to memory of 2052 2700 a4246.exe 42 PID 2700 wrote to memory of 2052 2700 a4246.exe 42 PID 2052 wrote to memory of 1928 2052 jdjvj.exe 43 PID 2052 wrote to memory of 1928 2052 jdjvj.exe 43 PID 2052 wrote to memory of 1928 2052 jdjvj.exe 43 PID 2052 wrote to memory of 1928 2052 jdjvj.exe 43 PID 1928 wrote to memory of 1728 1928 djdvd.exe 44 PID 1928 wrote to memory of 1728 1928 djdvd.exe 44 PID 1928 wrote to memory of 1728 1928 djdvd.exe 44 PID 1928 wrote to memory of 1728 1928 djdvd.exe 44 PID 1728 wrote to memory of 1812 1728 ppjpv.exe 45 PID 1728 wrote to memory of 1812 1728 ppjpv.exe 45 PID 1728 wrote to memory of 1812 1728 ppjpv.exe 45 PID 1728 wrote to memory of 1812 1728 ppjpv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe"C:\Users\Admin\AppData\Local\Temp\7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\bhtttn.exec:\bhtttn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\48686.exec:\48686.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\w04688.exec:\w04688.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\k08406.exec:\k08406.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\8206206.exec:\8206206.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\1rfrfxl.exec:\1rfrfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\w48862.exec:\w48862.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\422608.exec:\422608.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\266640.exec:\266640.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\248888.exec:\248888.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\q42466.exec:\q42466.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\a4246.exec:\a4246.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\jdjvj.exec:\jdjvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\djdvd.exec:\djdvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\ppjpv.exec:\ppjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\xrxxffx.exec:\xrxxffx.exe17⤵
- Executes dropped EXE
PID:1812 -
\??\c:\pjjvj.exec:\pjjvj.exe18⤵
- Executes dropped EXE
PID:1340 -
\??\c:\3xrxrfx.exec:\3xrxrfx.exe19⤵
- Executes dropped EXE
PID:1948 -
\??\c:\lfxfflx.exec:\lfxfflx.exe20⤵
- Executes dropped EXE
PID:2196 -
\??\c:\3rffffl.exec:\3rffffl.exe21⤵
- Executes dropped EXE
PID:3064 -
\??\c:\5rxlxfx.exec:\5rxlxfx.exe22⤵
- Executes dropped EXE
PID:2168 -
\??\c:\4824284.exec:\4824284.exe23⤵
- Executes dropped EXE
PID:2144 -
\??\c:\hbbntb.exec:\hbbntb.exe24⤵
- Executes dropped EXE
PID:1488 -
\??\c:\5rflxfr.exec:\5rflxfr.exe25⤵
- Executes dropped EXE
PID:1084 -
\??\c:\4264808.exec:\4264808.exe26⤵
- Executes dropped EXE
PID:2396 -
\??\c:\66024.exec:\66024.exe27⤵
- Executes dropped EXE
PID:1984 -
\??\c:\m0446.exec:\m0446.exe28⤵
- Executes dropped EXE
PID:1772 -
\??\c:\vpjjj.exec:\vpjjj.exe29⤵
- Executes dropped EXE
PID:2372 -
\??\c:\g8284.exec:\g8284.exe30⤵
- Executes dropped EXE
PID:2508 -
\??\c:\jvpvd.exec:\jvpvd.exe31⤵
- Executes dropped EXE
PID:836 -
\??\c:\tnnntb.exec:\tnnntb.exe32⤵
- Executes dropped EXE
PID:2312 -
\??\c:\vvjpv.exec:\vvjpv.exe33⤵
- Executes dropped EXE
PID:2200 -
\??\c:\5hbbbh.exec:\5hbbbh.exe34⤵
- Executes dropped EXE
PID:2140 -
\??\c:\8206480.exec:\8206480.exe35⤵
- Executes dropped EXE
PID:2564 -
\??\c:\dvpjv.exec:\dvpjv.exe36⤵
- Executes dropped EXE
PID:1712 -
\??\c:\pjjjv.exec:\pjjjv.exe37⤵
- Executes dropped EXE
PID:2888 -
\??\c:\rlxxxfx.exec:\rlxxxfx.exe38⤵
- Executes dropped EXE
PID:2416 -
\??\c:\hbhhnt.exec:\hbhhnt.exe39⤵
- Executes dropped EXE
PID:2944 -
\??\c:\vvpvj.exec:\vvpvj.exe40⤵
- Executes dropped EXE
PID:2732 -
\??\c:\o822886.exec:\o822886.exe41⤵
- Executes dropped EXE
PID:2656 -
\??\c:\6024620.exec:\6024620.exe42⤵
- Executes dropped EXE
PID:2248 -
\??\c:\xrflxxf.exec:\xrflxxf.exe43⤵
- Executes dropped EXE
PID:2208 -
\??\c:\g0802.exec:\g0802.exe44⤵
- Executes dropped EXE
PID:2512 -
\??\c:\o084002.exec:\o084002.exe45⤵
- Executes dropped EXE
PID:2648 -
\??\c:\260684.exec:\260684.exe46⤵
- Executes dropped EXE
PID:2720 -
\??\c:\7frffrf.exec:\7frffrf.exe47⤵
- Executes dropped EXE
PID:1928 -
\??\c:\xxffxxl.exec:\xxffxxl.exe48⤵
- Executes dropped EXE
PID:2280 -
\??\c:\vddvv.exec:\vddvv.exe49⤵
- Executes dropped EXE
PID:2324 -
\??\c:\4400082.exec:\4400082.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512 -
\??\c:\44842.exec:\44842.exe51⤵
- Executes dropped EXE
PID:828 -
\??\c:\6484224.exec:\6484224.exe52⤵
- Executes dropped EXE
PID:1276 -
\??\c:\6080224.exec:\6080224.exe53⤵
- Executes dropped EXE
PID:2196 -
\??\c:\ppjvd.exec:\ppjvd.exe54⤵
- Executes dropped EXE
PID:2456 -
\??\c:\04280.exec:\04280.exe55⤵
- Executes dropped EXE
PID:2972 -
\??\c:\ddvpp.exec:\ddvpp.exe56⤵
- Executes dropped EXE
PID:1308 -
\??\c:\bhbthn.exec:\bhbthn.exe57⤵
- Executes dropped EXE
PID:1084 -
\??\c:\rrllffr.exec:\rrllffr.exe58⤵
- Executes dropped EXE
PID:2180 -
\??\c:\btthnt.exec:\btthnt.exe59⤵
- Executes dropped EXE
PID:916 -
\??\c:\4866840.exec:\4866840.exe60⤵
- Executes dropped EXE
PID:1028 -
\??\c:\8226880.exec:\8226880.exe61⤵
- Executes dropped EXE
PID:1952 -
\??\c:\bthnhn.exec:\bthnhn.exe62⤵
- Executes dropped EXE
PID:2256 -
\??\c:\q04082.exec:\q04082.exe63⤵
- Executes dropped EXE
PID:2884 -
\??\c:\xxlfrfr.exec:\xxlfrfr.exe64⤵
- Executes dropped EXE
PID:1556 -
\??\c:\vpjjv.exec:\vpjjv.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716 -
\??\c:\5frxflx.exec:\5frxflx.exe66⤵PID:1236
-
\??\c:\jdvvd.exec:\jdvvd.exe67⤵PID:2628
-
\??\c:\dvpvp.exec:\dvpvp.exe68⤵PID:2660
-
\??\c:\g4228.exec:\g4228.exe69⤵PID:320
-
\??\c:\o640242.exec:\o640242.exe70⤵PID:1932
-
\??\c:\bhtbnn.exec:\bhtbnn.exe71⤵PID:1664
-
\??\c:\5jjvj.exec:\5jjvj.exe72⤵PID:2100
-
\??\c:\68880.exec:\68880.exe73⤵PID:2308
-
\??\c:\464444.exec:\464444.exe74⤵PID:1584
-
\??\c:\420066.exec:\420066.exe75⤵PID:2476
-
\??\c:\g2406.exec:\g2406.exe76⤵PID:2588
-
\??\c:\dpdjj.exec:\dpdjj.exe77⤵PID:2400
-
\??\c:\thhhtn.exec:\thhhtn.exe78⤵PID:2852
-
\??\c:\20824.exec:\20824.exe79⤵PID:2652
-
\??\c:\9thntb.exec:\9thntb.exe80⤵PID:2876
-
\??\c:\tnhhnt.exec:\tnhhnt.exe81⤵PID:1908
-
\??\c:\7rllflr.exec:\7rllflr.exe82⤵PID:2680
-
\??\c:\o084284.exec:\o084284.exe83⤵PID:2976
-
\??\c:\0806884.exec:\0806884.exe84⤵PID:288
-
\??\c:\lrxrrrx.exec:\lrxrrrx.exe85⤵PID:2052
-
\??\c:\s2402.exec:\s2402.exe86⤵PID:1656
-
\??\c:\e48600.exec:\e48600.exe87⤵PID:796
-
\??\c:\bnbhnt.exec:\bnbhnt.exe88⤵PID:1644
-
\??\c:\frflrxx.exec:\frflrxx.exe89⤵PID:2460
-
\??\c:\3vpdp.exec:\3vpdp.exe90⤵PID:2144
-
\??\c:\vpdjd.exec:\vpdjd.exe91⤵PID:2160
-
\??\c:\9jdpj.exec:\9jdpj.exe92⤵PID:2316
-
\??\c:\vpjvd.exec:\vpjvd.exe93⤵PID:1280
-
\??\c:\bthttb.exec:\bthttb.exe94⤵PID:1788
-
\??\c:\000662.exec:\000662.exe95⤵PID:608
-
\??\c:\7nbbnb.exec:\7nbbnb.exe96⤵PID:1848
-
\??\c:\488648.exec:\488648.exe97⤵PID:1636
-
\??\c:\04226.exec:\04226.exe98⤵PID:2084
-
\??\c:\866800.exec:\866800.exe99⤵PID:2956
-
\??\c:\8206842.exec:\8206842.exe100⤵PID:2188
-
\??\c:\048428.exec:\048428.exe101⤵PID:2256
-
\??\c:\q88884.exec:\q88884.exe102⤵PID:1772
-
\??\c:\jdddv.exec:\jdddv.exe103⤵PID:2884
-
\??\c:\dvvjj.exec:\dvvjj.exe104⤵PID:1776
-
\??\c:\48246.exec:\48246.exe105⤵PID:2904
-
\??\c:\xrllffx.exec:\xrllffx.exe106⤵PID:900
-
\??\c:\ttntbh.exec:\ttntbh.exe107⤵
- System Location Discovery: System Language Discovery
PID:760 -
\??\c:\rlflrrx.exec:\rlflrrx.exe108⤵PID:1544
-
\??\c:\g2248.exec:\g2248.exe109⤵PID:1388
-
\??\c:\g8006.exec:\g8006.exe110⤵PID:2380
-
\??\c:\pvvvj.exec:\pvvvj.exe111⤵PID:2440
-
\??\c:\s0424.exec:\s0424.exe112⤵PID:988
-
\??\c:\ffxflrl.exec:\ffxflrl.exe113⤵PID:788
-
\??\c:\pjdpj.exec:\pjdpj.exe114⤵PID:2468
-
\??\c:\pjpjp.exec:\pjpjp.exe115⤵PID:1988
-
\??\c:\s6062.exec:\s6062.exe116⤵PID:2944
-
\??\c:\nnnbht.exec:\nnnbht.exe117⤵PID:2732
-
\??\c:\tttthh.exec:\tttthh.exe118⤵PID:2656
-
\??\c:\frfrlrl.exec:\frfrlrl.exe119⤵PID:2760
-
\??\c:\8866880.exec:\8866880.exe120⤵PID:2404
-
\??\c:\nhbbhn.exec:\nhbbhn.exe121⤵PID:2008
-
\??\c:\g0268.exec:\g0268.exe122⤵PID:2356