Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
20-12-2024 06:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3f029c07d21d7eb4e551e2c42a2545fc6e6a4b341e7c6067e814b194d23ce004N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3f029c07d21d7eb4e551e2c42a2545fc6e6a4b341e7c6067e814b194d23ce004N.exe
-
Size
454KB
-
MD5
f99ddaccbeea903561f5be26c455bc00
-
SHA1
a2d901b16451e88047fb03f3093ded60cb77628e
-
SHA256
3f029c07d21d7eb4e551e2c42a2545fc6e6a4b341e7c6067e814b194d23ce004
-
SHA512
1eec37a400eb3ef38fe62540afdba967c2c132ea811c7c30e72c43f9ddbbd3f4dbac2bd6dcec5d1fef319296fe240feeef09df666f7275fffe7b5a7a9f1b3549
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral1/memory/2440-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-85-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2868-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-68-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2720-89-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2452-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-125-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1296-152-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1296-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-170-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1516-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2684-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-226-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1516-225-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2396-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-249-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2304-262-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2184-280-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2184-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-303-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2440-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-367-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/572-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-419-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2932-437-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1232-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1780-447-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2932-458-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2104-464-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2100-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-480-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/332-545-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-597-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2116-628-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/3052-639-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2720-648-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2452-657-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/580-707-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/720-785-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2456-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/788-828-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1908-865-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-933-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3012-966-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2592 208000.exe 2472 5hnntt.exe 2140 868244.exe 2808 642844.exe 2980 5ntthb.exe 1916 602888.exe 2116 08406.exe 2868 vpdpv.exe 2720 6084040.exe 2452 5jvdp.exe 2916 c080668.exe 884 i806884.exe 2996 htbbbb.exe 2936 fxlffxf.exe 2884 42000.exe 1296 2088888.exe 1276 u824008.exe 1032 86888.exe 2596 rlxlrlr.exe 1516 260688.exe 2620 nhbntn.exe 2684 ddpdd.exe 2224 0064422.exe 2396 6860460.exe 1968 042244.exe 1716 82028.exe 1468 4488846.exe 2304 1dppj.exe 1652 hhhnbh.exe 2184 602806.exe 2440 9xfxflx.exe 2496 xxxrllx.exe 2516 nnhnbh.exe 2312 jdpvd.exe 2956 6044286.exe 2952 lrxfflx.exe 1932 1xffllf.exe 2564 8806840.exe 1916 i660442.exe 2732 20802.exe 380 tbtbnn.exe 2780 8644662.exe 608 u062442.exe 2412 tthnbh.exe 3004 bbbhtt.exe 912 ffrflxf.exe 572 u824802.exe 2792 lllrflx.exe 2904 20246.exe 2328 7flrrxf.exe 2260 pppvd.exe 2932 lxrrlrf.exe 1232 e60802.exe 1780 xrlxlxf.exe 1028 ppjjd.exe 2104 rxllxxl.exe 2644 1frxflx.exe 2100 jjdvd.exe 1512 g8280.exe 1524 ddvdp.exe 2004 ddpvd.exe 1412 6646868.exe 2232 jjdjv.exe 2284 4260242.exe -
resource yara_rule behavioral1/memory/2440-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-142-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1296-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-240-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2184-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-388-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/572-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-865-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2760-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-897-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u804446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86462.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c446808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhnbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e08024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbtb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2440 wrote to memory of 2592 2440 3f029c07d21d7eb4e551e2c42a2545fc6e6a4b341e7c6067e814b194d23ce004N.exe 30 PID 2440 wrote to memory of 2592 2440 3f029c07d21d7eb4e551e2c42a2545fc6e6a4b341e7c6067e814b194d23ce004N.exe 30 PID 2440 wrote to memory of 2592 2440 3f029c07d21d7eb4e551e2c42a2545fc6e6a4b341e7c6067e814b194d23ce004N.exe 30 PID 2440 wrote to memory of 2592 2440 3f029c07d21d7eb4e551e2c42a2545fc6e6a4b341e7c6067e814b194d23ce004N.exe 30 PID 2592 wrote to memory of 2472 2592 208000.exe 31 PID 2592 wrote to memory of 2472 2592 208000.exe 31 PID 2592 wrote to memory of 2472 2592 208000.exe 31 PID 2592 wrote to memory of 2472 2592 208000.exe 31 PID 2472 wrote to memory of 2140 2472 5hnntt.exe 32 PID 2472 wrote to memory of 2140 2472 5hnntt.exe 32 PID 2472 wrote to memory of 2140 2472 5hnntt.exe 32 PID 2472 wrote to memory of 2140 2472 5hnntt.exe 32 PID 2140 wrote to memory of 2808 2140 868244.exe 33 PID 2140 wrote to memory of 2808 2140 868244.exe 33 PID 2140 wrote to memory of 2808 2140 868244.exe 33 PID 2140 wrote to memory of 2808 2140 868244.exe 33 PID 2808 wrote to memory of 2980 2808 642844.exe 34 PID 2808 wrote to memory of 2980 2808 642844.exe 34 PID 2808 wrote to memory of 2980 2808 642844.exe 34 PID 2808 wrote to memory of 2980 2808 642844.exe 34 PID 2980 wrote to memory of 1916 2980 5ntthb.exe 35 PID 2980 wrote to memory of 1916 2980 5ntthb.exe 35 PID 2980 wrote to memory of 1916 2980 5ntthb.exe 35 PID 2980 wrote to memory of 1916 2980 5ntthb.exe 35 PID 1916 wrote to memory of 2116 1916 602888.exe 36 PID 1916 wrote to memory of 2116 1916 602888.exe 36 PID 1916 wrote to memory of 2116 1916 602888.exe 36 PID 1916 wrote to memory of 2116 1916 602888.exe 36 PID 2116 wrote to memory of 2868 2116 08406.exe 37 PID 2116 wrote to memory of 2868 2116 08406.exe 37 PID 2116 wrote to memory of 2868 2116 08406.exe 37 PID 2116 wrote to memory of 2868 2116 08406.exe 37 PID 2868 wrote to memory of 2720 2868 vpdpv.exe 38 PID 2868 wrote 
to memory of 2720 2868 vpdpv.exe 38 PID 2868 wrote to memory of 2720 2868 vpdpv.exe 38 PID 2868 wrote to memory of 2720 2868 vpdpv.exe 38 PID 2720 wrote to memory of 2452 2720 6084040.exe 39 PID 2720 wrote to memory of 2452 2720 6084040.exe 39 PID 2720 wrote to memory of 2452 2720 6084040.exe 39 PID 2720 wrote to memory of 2452 2720 6084040.exe 39 PID 2452 wrote to memory of 2916 2452 5jvdp.exe 40 PID 2452 wrote to memory of 2916 2452 5jvdp.exe 40 PID 2452 wrote to memory of 2916 2452 5jvdp.exe 40 PID 2452 wrote to memory of 2916 2452 5jvdp.exe 40 PID 2916 wrote to memory of 884 2916 c080668.exe 41 PID 2916 wrote to memory of 884 2916 c080668.exe 41 PID 2916 wrote to memory of 884 2916 c080668.exe 41 PID 2916 wrote to memory of 884 2916 c080668.exe 41 PID 884 wrote to memory of 2996 884 i806884.exe 42 PID 884 wrote to memory of 2996 884 i806884.exe 42 PID 884 wrote to memory of 2996 884 i806884.exe 42 PID 884 wrote to memory of 2996 884 i806884.exe 42 PID 2996 wrote to memory of 2936 2996 htbbbb.exe 43 PID 2996 wrote to memory of 2936 2996 htbbbb.exe 43 PID 2996 wrote to memory of 2936 2996 htbbbb.exe 43 PID 2996 wrote to memory of 2936 2996 htbbbb.exe 43 PID 2936 wrote to memory of 2884 2936 fxlffxf.exe 44 PID 2936 wrote to memory of 2884 2936 fxlffxf.exe 44 PID 2936 wrote to memory of 2884 2936 fxlffxf.exe 44 PID 2936 wrote to memory of 2884 2936 fxlffxf.exe 44 PID 2884 wrote to memory of 1296 2884 42000.exe 45 PID 2884 wrote to memory of 1296 2884 42000.exe 45 PID 2884 wrote to memory of 1296 2884 42000.exe 45 PID 2884 wrote to memory of 1296 2884 42000.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f029c07d21d7eb4e551e2c42a2545fc6e6a4b341e7c6067e814b194d23ce004N.exe"C:\Users\Admin\AppData\Local\Temp\3f029c07d21d7eb4e551e2c42a2545fc6e6a4b341e7c6067e814b194d23ce004N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\208000.exec:\208000.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\5hnntt.exec:\5hnntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\868244.exec:\868244.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\642844.exec:\642844.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\5ntthb.exec:\5ntthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\602888.exec:\602888.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\08406.exec:\08406.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\vpdpv.exec:\vpdpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\6084040.exec:\6084040.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\5jvdp.exec:\5jvdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\c080668.exec:\c080668.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\i806884.exec:\i806884.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\htbbbb.exec:\htbbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\fxlffxf.exec:\fxlffxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\42000.exec:\42000.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\2088888.exec:\2088888.exe17⤵
- Executes dropped EXE
PID:1296 -
\??\c:\u824008.exec:\u824008.exe18⤵
- Executes dropped EXE
PID:1276 -
\??\c:\86888.exec:\86888.exe19⤵
- Executes dropped EXE
PID:1032 -
\??\c:\rlxlrlr.exec:\rlxlrlr.exe20⤵
- Executes dropped EXE
PID:2596 -
\??\c:\260688.exec:\260688.exe21⤵
- Executes dropped EXE
PID:1516 -
\??\c:\nhbntn.exec:\nhbntn.exe22⤵
- Executes dropped EXE
PID:2620 -
\??\c:\ddpdd.exec:\ddpdd.exe23⤵
- Executes dropped EXE
PID:2684 -
\??\c:\0064422.exec:\0064422.exe24⤵
- Executes dropped EXE
PID:2224 -
\??\c:\6860460.exec:\6860460.exe25⤵
- Executes dropped EXE
PID:2396 -
\??\c:\042244.exec:\042244.exe26⤵
- Executes dropped EXE
PID:1968 -
\??\c:\82028.exec:\82028.exe27⤵
- Executes dropped EXE
PID:1716 -
\??\c:\4488846.exec:\4488846.exe28⤵
- Executes dropped EXE
PID:1468 -
\??\c:\1dppj.exec:\1dppj.exe29⤵
- Executes dropped EXE
PID:2304 -
\??\c:\hhhnbh.exec:\hhhnbh.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
\??\c:\602806.exec:\602806.exe31⤵
- Executes dropped EXE
PID:2184 -
\??\c:\9xfxflx.exec:\9xfxflx.exe32⤵
- Executes dropped EXE
PID:2440 -
\??\c:\xxxrllx.exec:\xxxrllx.exe33⤵
- Executes dropped EXE
PID:2496 -
\??\c:\nnhnbh.exec:\nnhnbh.exe34⤵
- Executes dropped EXE
PID:2516 -
\??\c:\jdpvd.exec:\jdpvd.exe35⤵
- Executes dropped EXE
PID:2312 -
\??\c:\6044286.exec:\6044286.exe36⤵
- Executes dropped EXE
PID:2956 -
\??\c:\lrxfflx.exec:\lrxfflx.exe37⤵
- Executes dropped EXE
PID:2952 -
\??\c:\1xffllf.exec:\1xffllf.exe38⤵
- Executes dropped EXE
PID:1932 -
\??\c:\8806840.exec:\8806840.exe39⤵
- Executes dropped EXE
PID:2564 -
\??\c:\i660442.exec:\i660442.exe40⤵
- Executes dropped EXE
PID:1916 -
\??\c:\20802.exec:\20802.exe41⤵
- Executes dropped EXE
PID:2732 -
\??\c:\tbtbnn.exec:\tbtbnn.exe42⤵
- Executes dropped EXE
PID:380 -
\??\c:\8644662.exec:\8644662.exe43⤵
- Executes dropped EXE
PID:2780 -
\??\c:\u062442.exec:\u062442.exe44⤵
- Executes dropped EXE
PID:608 -
\??\c:\tthnbh.exec:\tthnbh.exe45⤵
- Executes dropped EXE
PID:2412 -
\??\c:\bbbhtt.exec:\bbbhtt.exe46⤵
- Executes dropped EXE
PID:3004 -
\??\c:\ffrflxf.exec:\ffrflxf.exe47⤵
- Executes dropped EXE
PID:912 -
\??\c:\u824802.exec:\u824802.exe48⤵
- Executes dropped EXE
PID:572 -
\??\c:\lllrflx.exec:\lllrflx.exe49⤵
- Executes dropped EXE
PID:2792 -
\??\c:\20246.exec:\20246.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2904 -
\??\c:\7flrrxf.exec:\7flrrxf.exe51⤵
- Executes dropped EXE
PID:2328 -
\??\c:\pppvd.exec:\pppvd.exe52⤵
- Executes dropped EXE
PID:2260 -
\??\c:\lxrrlrf.exec:\lxrrlrf.exe53⤵
- Executes dropped EXE
PID:2932 -
\??\c:\e60802.exec:\e60802.exe54⤵
- Executes dropped EXE
PID:1232 -
\??\c:\xrlxlxf.exec:\xrlxlxf.exe55⤵
- Executes dropped EXE
PID:1780 -
\??\c:\ppjjd.exec:\ppjjd.exe56⤵
- Executes dropped EXE
PID:1028 -
\??\c:\rxllxxl.exec:\rxllxxl.exe57⤵
- Executes dropped EXE
PID:2104 -
\??\c:\1frxflx.exec:\1frxflx.exe58⤵
- Executes dropped EXE
PID:2644 -
\??\c:\jjdvd.exec:\jjdvd.exe59⤵
- Executes dropped EXE
PID:2100 -
\??\c:\g8280.exec:\g8280.exe60⤵
- Executes dropped EXE
PID:1512 -
\??\c:\ddvdp.exec:\ddvdp.exe61⤵
- Executes dropped EXE
PID:1524 -
\??\c:\ddpvd.exec:\ddpvd.exe62⤵
- Executes dropped EXE
PID:2004 -
\??\c:\6646868.exec:\6646868.exe63⤵
- Executes dropped EXE
PID:1412 -
\??\c:\jjdjv.exec:\jjdjv.exe64⤵
- Executes dropped EXE
PID:2232 -
\??\c:\4260242.exec:\4260242.exe65⤵
- Executes dropped EXE
PID:2284 -
\??\c:\s4880.exec:\s4880.exe66⤵PID:2292
-
\??\c:\042244.exec:\042244.exe67⤵PID:2092
-
\??\c:\08620.exec:\08620.exe68⤵PID:1904
-
\??\c:\264246.exec:\264246.exe69⤵PID:332
-
\??\c:\lfrxrrr.exec:\lfrxrrr.exe70⤵PID:1756
-
\??\c:\644608.exec:\644608.exe71⤵PID:2052
-
\??\c:\c640886.exec:\c640886.exe72⤵PID:1980
-
\??\c:\nhttbh.exec:\nhttbh.exe73⤵PID:2496
-
\??\c:\008022.exec:\008022.exe74⤵PID:1708
-
\??\c:\5ntttb.exec:\5ntttb.exe75⤵PID:2248
-
\??\c:\1xlxllf.exec:\1xlxllf.exe76⤵PID:2180
-
\??\c:\04808.exec:\04808.exe77⤵PID:3044
-
\??\c:\ddjvj.exec:\ddjvj.exe78⤵PID:2536
-
\??\c:\dvjpd.exec:\dvjpd.exe79⤵PID:2712
-
\??\c:\xrxlrrf.exec:\xrxlrrf.exe80⤵PID:2980
-
\??\c:\82002.exec:\82002.exe81⤵PID:2752
-
\??\c:\ttbhbh.exec:\ttbhbh.exe82⤵PID:2116
-
\??\c:\2040284.exec:\2040284.exe83⤵PID:2740
-
\??\c:\bbttbn.exec:\bbttbn.exe84⤵PID:3052
-
\??\c:\xfxfxrf.exec:\xfxfxrf.exe85⤵PID:2720
-
\??\c:\1fllrxl.exec:\1fllrxl.exe86⤵PID:2136
-
\??\c:\7nnthn.exec:\7nnthn.exe87⤵PID:2452
-
\??\c:\6422400.exec:\6422400.exe88⤵PID:1492
-
\??\c:\642200.exec:\642200.exe89⤵PID:2928
-
\??\c:\0446880.exec:\0446880.exe90⤵PID:2908
-
\??\c:\rlxflrf.exec:\rlxflrf.exe91⤵PID:580
-
\??\c:\88008.exec:\88008.exe92⤵PID:3024
-
\??\c:\flfxlrr.exec:\flfxlrr.exe93⤵PID:2336
-
\??\c:\880622.exec:\880622.exe94⤵PID:2260
-
\??\c:\824400.exec:\824400.exe95⤵PID:1544
-
\??\c:\9pvpv.exec:\9pvpv.exe96⤵PID:2744
-
\??\c:\82066.exec:\82066.exe97⤵PID:2216
-
\??\c:\1hbbhh.exec:\1hbbhh.exe98⤵PID:2596
-
\??\c:\42684.exec:\42684.exe99⤵PID:1516
-
\??\c:\dpddp.exec:\dpddp.exe100⤵PID:2644
-
\??\c:\04662.exec:\04662.exe101⤵PID:2100
-
\??\c:\4206628.exec:\4206628.exe102⤵PID:2576
-
\??\c:\5httbb.exec:\5httbb.exe103⤵PID:292
-
\??\c:\42660.exec:\42660.exe104⤵PID:1212
-
\??\c:\02002.exec:\02002.exe105⤵PID:960
-
\??\c:\48028.exec:\48028.exe106⤵PID:720
-
\??\c:\q42806.exec:\q42806.exe107⤵PID:2476
-
\??\c:\7jdjv.exec:\7jdjv.exe108⤵PID:308
-
\??\c:\e04464.exec:\e04464.exe109⤵PID:1692
-
\??\c:\rfxrxrf.exec:\rfxrxrf.exe110⤵PID:552
-
\??\c:\vpvdj.exec:\vpvdj.exe111⤵PID:1348
-
\??\c:\lxxlllr.exec:\lxxlllr.exe112⤵PID:2456
-
\??\c:\fxlllrf.exec:\fxlllrf.exe113⤵PID:788
-
\??\c:\88040.exec:\88040.exe114⤵PID:2440
-
\??\c:\2662068.exec:\2662068.exe115⤵PID:2472
-
\??\c:\8640264.exec:\8640264.exe116⤵PID:1964
-
\??\c:\82400.exec:\82400.exe117⤵PID:2888
-
\??\c:\3xlxlxf.exec:\3xlxlxf.exe118⤵PID:2808
-
\??\c:\hhhntb.exec:\hhhntb.exe119⤵PID:1908
-
\??\c:\26406.exec:\26406.exe120⤵PID:3040
-
\??\c:\9ppdp.exec:\9ppdp.exe121⤵PID:2820
-
\??\c:\lfxxflf.exec:\lfxxflf.exe122⤵PID:2728