Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 06:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe
-
Size
453KB
-
MD5
77de7dca40d32bdf68aa05e5896c0927
-
SHA1
1c4de4d3137661ba3be3e862afe5cb5ee0ff16a6
-
SHA256
b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816
-
SHA512
c40def558feafd4f4ca74b4f3263da803daf3c49aa76486389c44ac8ec3d3dd230af08f40a48f77cb735bd8a0825b6684c0056bf9d37ae86bdc0a03bbb79f59f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/1304-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-56-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2932-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-86-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2720-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-185-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2624-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-198-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/836-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1568-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/112-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-417-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1632-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1120-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/740-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-553-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2764-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-712-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/1520-795-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2412-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-839-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2244-886-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3008-909-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2828-923-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/2960-931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-996-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1492-1004-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2200-1011-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/344-1031-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/288-1082-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1940-1137-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2832-1182-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2952-1209-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2732-1222-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1176-1248-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1616 4482024.exe 3016 pjddp.exe 1436 1htnth.exe 2768 886680.exe 2804 486840.exe 2932 1xxxllx.exe 2096 htbttn.exe 2888 tntthh.exe 2844 w82820.exe 2720 dvppj.exe 2544 ppppd.exe 2852 a0408.exe 3040 flrlfrr.exe 2900 444220.exe 2336 600824.exe 1492 o606444.exe 2716 xrfxfll.exe 2156 tttbbh.exe 2644 pjvpp.exe 2624 pjdjv.exe 2192 xrxlrfr.exe 448 6482888.exe 832 c800884.exe 620 4268440.exe 1236 266844.exe 1968 vjddj.exe 836 m6620.exe 1144 jjpdd.exe 2640 htbtbn.exe 1568 bbtbnb.exe 976 482844.exe 1748 vvpdp.exe 2368 ffxlfrr.exe 2572 ddjvv.exe 2104 026484.exe 112 vppdj.exe 2760 0664480.exe 2276 flfrlfl.exe 2436 000068.exe 536 jjvdj.exe 3004 ffxlxlx.exe 2808 jdjpd.exe 2976 1fxxrfr.exe 2864 60406.exe 2964 9lflflx.exe 2788 xxrxrxr.exe 2692 hhhnht.exe 2796 k00484.exe 1984 tbhnhn.exe 2544 0486022.exe 1176 lrxxxfx.exe 1632 8602884.exe 3040 66080.exe 1560 k26200.exe 1904 ttthnb.exe 1140 pdjvj.exe 2520 0068226.exe 2320 04842.exe 2064 hhbbnb.exe 1852 6264246.exe 2364 226628.exe 2084 dpvvv.exe 2468 7rfxllx.exe 1120 68466.exe -
resource yara_rule behavioral1/memory/1304-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-315-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/112-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/740-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-886-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2828-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-950-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1492-997-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2156-1018-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-1189-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q02260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0280086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0288482.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428046.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1304 wrote to memory of 1616 1304 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 30 PID 1304 wrote to memory of 1616 1304 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 30 PID 1304 wrote to memory of 1616 1304 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 30 PID 1304 wrote to memory of 1616 1304 b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe 30 PID 1616 wrote to memory of 3016 1616 4482024.exe 31 PID 1616 wrote to memory of 3016 1616 4482024.exe 31 PID 1616 wrote to memory of 3016 1616 4482024.exe 31 PID 1616 wrote to memory of 3016 1616 4482024.exe 31 PID 3016 wrote to memory of 1436 3016 pjddp.exe 32 PID 3016 wrote to memory of 1436 3016 pjddp.exe 32 PID 3016 wrote to memory of 1436 3016 pjddp.exe 32 PID 3016 wrote to memory of 1436 3016 pjddp.exe 32 PID 1436 wrote to memory of 2768 1436 1htnth.exe 33 PID 1436 wrote to memory of 2768 1436 1htnth.exe 33 PID 1436 wrote to memory of 2768 1436 1htnth.exe 33 PID 1436 wrote to memory of 2768 1436 1htnth.exe 33 PID 2768 wrote to memory of 2804 2768 886680.exe 34 PID 2768 wrote to memory of 2804 2768 886680.exe 34 PID 2768 wrote to memory of 2804 2768 886680.exe 34 PID 2768 wrote to memory of 2804 2768 886680.exe 34 PID 2804 wrote to memory of 2932 2804 486840.exe 35 PID 2804 wrote to memory of 2932 2804 486840.exe 35 PID 2804 wrote to memory of 2932 2804 486840.exe 35 PID 2804 wrote to memory of 2932 2804 486840.exe 35 PID 2932 wrote to memory of 2096 2932 1xxxllx.exe 36 PID 2932 wrote to memory of 2096 2932 1xxxllx.exe 36 PID 2932 wrote to memory of 2096 2932 1xxxllx.exe 36 PID 2932 wrote to memory of 2096 2932 1xxxllx.exe 36 PID 2096 wrote to memory of 2888 2096 htbttn.exe 37 PID 2096 wrote to memory of 2888 2096 htbttn.exe 37 PID 2096 wrote to memory of 2888 2096 htbttn.exe 37 PID 2096 wrote to memory of 2888 2096 htbttn.exe 37 PID 2888 wrote to memory of 2844 2888 tntthh.exe 38 PID 2888 
wrote to memory of 2844 2888 tntthh.exe 38 PID 2888 wrote to memory of 2844 2888 tntthh.exe 38 PID 2888 wrote to memory of 2844 2888 tntthh.exe 38 PID 2844 wrote to memory of 2720 2844 w82820.exe 39 PID 2844 wrote to memory of 2720 2844 w82820.exe 39 PID 2844 wrote to memory of 2720 2844 w82820.exe 39 PID 2844 wrote to memory of 2720 2844 w82820.exe 39 PID 2720 wrote to memory of 2544 2720 dvppj.exe 40 PID 2720 wrote to memory of 2544 2720 dvppj.exe 40 PID 2720 wrote to memory of 2544 2720 dvppj.exe 40 PID 2720 wrote to memory of 2544 2720 dvppj.exe 40 PID 2544 wrote to memory of 2852 2544 ppppd.exe 41 PID 2544 wrote to memory of 2852 2544 ppppd.exe 41 PID 2544 wrote to memory of 2852 2544 ppppd.exe 41 PID 2544 wrote to memory of 2852 2544 ppppd.exe 41 PID 2852 wrote to memory of 3040 2852 a0408.exe 42 PID 2852 wrote to memory of 3040 2852 a0408.exe 42 PID 2852 wrote to memory of 3040 2852 a0408.exe 42 PID 2852 wrote to memory of 3040 2852 a0408.exe 42 PID 3040 wrote to memory of 2900 3040 flrlfrr.exe 43 PID 3040 wrote to memory of 2900 3040 flrlfrr.exe 43 PID 3040 wrote to memory of 2900 3040 flrlfrr.exe 43 PID 3040 wrote to memory of 2900 3040 flrlfrr.exe 43 PID 2900 wrote to memory of 2336 2900 444220.exe 44 PID 2900 wrote to memory of 2336 2900 444220.exe 44 PID 2900 wrote to memory of 2336 2900 444220.exe 44 PID 2900 wrote to memory of 2336 2900 444220.exe 44 PID 2336 wrote to memory of 1492 2336 600824.exe 45 PID 2336 wrote to memory of 1492 2336 600824.exe 45 PID 2336 wrote to memory of 1492 2336 600824.exe 45 PID 2336 wrote to memory of 1492 2336 600824.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe"C:\Users\Admin\AppData\Local\Temp\b4f3c48ca7895db0f92f30c10a6aa457a8c4e796d97c59be7ccb550ab3978816.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\4482024.exec:\4482024.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\pjddp.exec:\pjddp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\1htnth.exec:\1htnth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\886680.exec:\886680.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\486840.exec:\486840.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\1xxxllx.exec:\1xxxllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\htbttn.exec:\htbttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\tntthh.exec:\tntthh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\w82820.exec:\w82820.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\dvppj.exec:\dvppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\ppppd.exec:\ppppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\a0408.exec:\a0408.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\flrlfrr.exec:\flrlfrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\444220.exec:\444220.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\600824.exec:\600824.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\o606444.exec:\o606444.exe17⤵
- Executes dropped EXE
PID:1492 -
\??\c:\xrfxfll.exec:\xrfxfll.exe18⤵
- Executes dropped EXE
PID:2716 -
\??\c:\tttbbh.exec:\tttbbh.exe19⤵
- Executes dropped EXE
PID:2156 -
\??\c:\pjvpp.exec:\pjvpp.exe20⤵
- Executes dropped EXE
PID:2644 -
\??\c:\pjdjv.exec:\pjdjv.exe21⤵
- Executes dropped EXE
PID:2624 -
\??\c:\xrxlrfr.exec:\xrxlrfr.exe22⤵
- Executes dropped EXE
PID:2192 -
\??\c:\6482888.exec:\6482888.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\c800884.exec:\c800884.exe24⤵
- Executes dropped EXE
PID:832 -
\??\c:\4268440.exec:\4268440.exe25⤵
- Executes dropped EXE
PID:620 -
\??\c:\266844.exec:\266844.exe26⤵
- Executes dropped EXE
PID:1236 -
\??\c:\vjddj.exec:\vjddj.exe27⤵
- Executes dropped EXE
PID:1968 -
\??\c:\m6620.exec:\m6620.exe28⤵
- Executes dropped EXE
PID:836 -
\??\c:\jjpdd.exec:\jjpdd.exe29⤵
- Executes dropped EXE
PID:1144 -
\??\c:\htbtbn.exec:\htbtbn.exe30⤵
- Executes dropped EXE
PID:2640 -
\??\c:\bbtbnb.exec:\bbtbnb.exe31⤵
- Executes dropped EXE
PID:1568 -
\??\c:\482844.exec:\482844.exe32⤵
- Executes dropped EXE
PID:976 -
\??\c:\vvpdp.exec:\vvpdp.exe33⤵
- Executes dropped EXE
PID:1748 -
\??\c:\ffxlfrr.exec:\ffxlfrr.exe34⤵
- Executes dropped EXE
PID:2368 -
\??\c:\ddjvv.exec:\ddjvv.exe35⤵
- Executes dropped EXE
PID:2572 -
\??\c:\026484.exec:\026484.exe36⤵
- Executes dropped EXE
PID:2104 -
\??\c:\vppdj.exec:\vppdj.exe37⤵
- Executes dropped EXE
PID:112 -
\??\c:\0664480.exec:\0664480.exe38⤵
- Executes dropped EXE
PID:2760 -
\??\c:\flfrlfl.exec:\flfrlfl.exe39⤵
- Executes dropped EXE
PID:2276 -
\??\c:\000068.exec:\000068.exe40⤵
- Executes dropped EXE
PID:2436 -
\??\c:\jjvdj.exec:\jjvdj.exe41⤵
- Executes dropped EXE
PID:536 -
\??\c:\ffxlxlx.exec:\ffxlxlx.exe42⤵
- Executes dropped EXE
PID:3004 -
\??\c:\jdjpd.exec:\jdjpd.exe43⤵
- Executes dropped EXE
PID:2808 -
\??\c:\1fxxrfr.exec:\1fxxrfr.exe44⤵
- Executes dropped EXE
PID:2976 -
\??\c:\60406.exec:\60406.exe45⤵
- Executes dropped EXE
PID:2864 -
\??\c:\9lflflx.exec:\9lflflx.exe46⤵
- Executes dropped EXE
PID:2964 -
\??\c:\xxrxrxr.exec:\xxrxrxr.exe47⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hhhnht.exec:\hhhnht.exe48⤵
- Executes dropped EXE
PID:2692 -
\??\c:\k00484.exec:\k00484.exe49⤵
- Executes dropped EXE
PID:2796 -
\??\c:\tbhnhn.exec:\tbhnhn.exe50⤵
- Executes dropped EXE
PID:1984 -
\??\c:\0486022.exec:\0486022.exe51⤵
- Executes dropped EXE
PID:2544 -
\??\c:\lrxxxfx.exec:\lrxxxfx.exe52⤵
- Executes dropped EXE
PID:1176 -
\??\c:\8602884.exec:\8602884.exe53⤵
- Executes dropped EXE
PID:1632 -
\??\c:\66080.exec:\66080.exe54⤵
- Executes dropped EXE
PID:3040 -
\??\c:\k26200.exec:\k26200.exe55⤵
- Executes dropped EXE
PID:1560 -
\??\c:\ttthnb.exec:\ttthnb.exe56⤵
- Executes dropped EXE
PID:1904 -
\??\c:\pdjvj.exec:\pdjvj.exe57⤵
- Executes dropped EXE
PID:1140 -
\??\c:\0068226.exec:\0068226.exe58⤵
- Executes dropped EXE
PID:2520 -
\??\c:\04842.exec:\04842.exe59⤵
- Executes dropped EXE
PID:2320 -
\??\c:\hhbbnb.exec:\hhbbnb.exe60⤵
- Executes dropped EXE
PID:2064 -
\??\c:\6264246.exec:\6264246.exe61⤵
- Executes dropped EXE
PID:1852 -
\??\c:\226628.exec:\226628.exe62⤵
- Executes dropped EXE
PID:2364 -
\??\c:\dpvvv.exec:\dpvvv.exe63⤵
- Executes dropped EXE
PID:2084 -
\??\c:\7rfxllx.exec:\7rfxllx.exe64⤵
- Executes dropped EXE
PID:2468 -
\??\c:\68466.exec:\68466.exe65⤵
- Executes dropped EXE
PID:1120 -
\??\c:\3frfxrf.exec:\3frfxrf.exe66⤵PID:2656
-
\??\c:\66686.exec:\66686.exe67⤵PID:1112
-
\??\c:\60284.exec:\60284.exe68⤵PID:1744
-
\??\c:\22882.exec:\22882.exe69⤵PID:288
-
\??\c:\2440026.exec:\2440026.exe70⤵PID:3032
-
\??\c:\888080.exec:\888080.exe71⤵PID:740
-
\??\c:\06644.exec:\06644.exe72⤵PID:2452
-
\??\c:\8288640.exec:\8288640.exe73⤵PID:2428
-
\??\c:\00800.exec:\00800.exe74⤵PID:748
-
\??\c:\6224808.exec:\6224808.exe75⤵PID:1568
-
\??\c:\648806.exec:\648806.exe76⤵PID:600
-
\??\c:\8400080.exec:\8400080.exe77⤵PID:1944
-
\??\c:\xxxrrll.exec:\xxxrrll.exe78⤵PID:1028
-
\??\c:\6028006.exec:\6028006.exe79⤵PID:1208
-
\??\c:\2608064.exec:\2608064.exe80⤵PID:1572
-
\??\c:\xrlxxrf.exec:\xrlxxrf.exe81⤵PID:768
-
\??\c:\480684.exec:\480684.exe82⤵PID:2756
-
\??\c:\264462.exec:\264462.exe83⤵PID:3016
-
\??\c:\bntthh.exec:\bntthh.exe84⤵
- System Location Discovery: System Language Discovery
PID:628 -
\??\c:\608846.exec:\608846.exe85⤵PID:2768
-
\??\c:\3frrflr.exec:\3frrflr.exe86⤵PID:2944
-
\??\c:\ttnnnt.exec:\ttnnnt.exe87⤵PID:2816
-
\??\c:\266864.exec:\266864.exe88⤵PID:2828
-
\??\c:\hnnhbh.exec:\hnnhbh.exe89⤵PID:332
-
\??\c:\jjvdp.exec:\jjvdp.exe90⤵PID:2896
-
\??\c:\080200.exec:\080200.exe91⤵PID:2984
-
\??\c:\2268062.exec:\2268062.exe92⤵PID:2688
-
\??\c:\pppjj.exec:\pppjj.exe93⤵PID:2752
-
\??\c:\dppvd.exec:\dppvd.exe94⤵PID:2720
-
\??\c:\48620.exec:\48620.exe95⤵PID:2764
-
\??\c:\flxffll.exec:\flxffll.exe96⤵PID:864
-
\??\c:\m4286.exec:\m4286.exe97⤵PID:2920
-
\??\c:\608262.exec:\608262.exe98⤵PID:3044
-
\??\c:\bbnthb.exec:\bbnthb.exe99⤵PID:3068
-
\??\c:\4224684.exec:\4224684.exe100⤵PID:1020
-
\??\c:\rrxrfrl.exec:\rrxrfrl.exe101⤵PID:2296
-
\??\c:\006428.exec:\006428.exe102⤵PID:1752
-
\??\c:\fxxlxlf.exec:\fxxlxlf.exe103⤵PID:2196
-
\??\c:\ttntbh.exec:\ttntbh.exe104⤵PID:1720
-
\??\c:\2466220.exec:\2466220.exe105⤵PID:2332
-
\??\c:\lfrrxfr.exec:\lfrrxfr.exe106⤵PID:2088
-
\??\c:\hhbtnb.exec:\hhbtnb.exe107⤵PID:2172
-
\??\c:\88882.exec:\88882.exe108⤵PID:1072
-
\??\c:\6046848.exec:\6046848.exe109⤵PID:1792
-
\??\c:\0446686.exec:\0446686.exe110⤵PID:956
-
\??\c:\g2602.exec:\g2602.exe111⤵PID:832
-
\??\c:\vvdvd.exec:\vvdvd.exe112⤵PID:1520
-
\??\c:\88280.exec:\88280.exe113⤵PID:796
-
\??\c:\pjvvj.exec:\pjvvj.exe114⤵PID:1668
-
\??\c:\220626.exec:\220626.exe115⤵PID:1504
-
\??\c:\7ttbbh.exec:\7ttbbh.exe116⤵PID:744
-
\??\c:\tnnhtb.exec:\tnnhtb.exe117⤵PID:2412
-
\??\c:\000822.exec:\000822.exe118⤵PID:2620
-
\??\c:\ttnhbh.exec:\ttnhbh.exe119⤵PID:2640
-
\??\c:\2280046.exec:\2280046.exe120⤵PID:328
-
\??\c:\fxrfrxl.exec:\fxrfrxl.exe121⤵PID:1740
-
\??\c:\482240.exec:\482240.exe122⤵PID:2528