Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 07:38
Static task
static1
Behavioral task
behavioral1
Sample
cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe
Resource
win7-20240708-en
General
-
Target
cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe
-
Size
337KB
-
MD5
04ba193d6fd0f8ffd778b9bacb7cd8f6
-
SHA1
90e9d9540e6f8296404142a2a5698e373920d3da
-
SHA256
cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894
-
SHA512
89c8c5f0a36087ce87975f7333e137a0277c02073e4237f651c03e1c4dfa0a3e137c27a09637f32eb1b5ed69cef4aa43cd5b489a47fac73530edda41d7461bbb
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhd:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/1380-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-14-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2692-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-106-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1092-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-224-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/708-223-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/872-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-254-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/964-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-301-0x0000000077640000-0x000000007775F000-memory.dmp family_blackmoon behavioral1/memory/2412-316-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1960-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-460-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/780-523-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2036-537-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2456-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-635-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2772-674-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-712-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2196-746-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2196-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-754-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1844-824-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1780-841-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2300-859-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2812-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-1008-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-1117-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2844-1256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2100 a4406.exe 3020 ppjpd.exe 2452 0484206.exe 2692 g2028.exe 2704 fxlfrfr.exe 2752 9nthbb.exe 2900 pddpp.exe 2832 84868.exe 2772 406008.exe 2500 24864.exe 1732 1ntttt.exe 1092 hbttbn.exe 1808 pvpjv.exe 2856 04688.exe 2160 426244.exe 1048 0004482.exe 1536 rrfrrff.exe 1760 hbthnn.exe 2956 vvppv.exe 2164 60424.exe 2328 fflxffx.exe 1676 a0082.exe 2584 844888.exe 708 68602.exe 1812 a8246.exe 872 24028.exe 916 tnnhnt.exe 964 5nhhnn.exe 1780 dppdv.exe 1396 frrxxrl.exe 1492 pdjdj.exe 900 jdpdp.exe 896 08280.exe 1324 0042084.exe 2412 xxrxlxr.exe 1960 08842.exe 3016 c220842.exe 2684 ppjjd.exe 380 882468.exe 2124 bbnbtb.exe 2796 lffrfff.exe 2824 644026.exe 2792 420060.exe 2636 64228.exe 2768 26462.exe 1668 88084.exe 2220 e26802.exe 1136 pvpvj.exe 1732 o824064.exe 2948 2082426.exe 2588 608022.exe 2844 k42282.exe 2136 m2864.exe 2424 4200240.exe 2024 fxrrffr.exe 1208 dvvdp.exe 1892 4484242.exe 1760 ddpvj.exe 2988 60200.exe 2148 jjjdv.exe 2364 82842.exe 2336 o606280.exe 876 02440.exe 1224 9jpdp.exe -
resource yara_rule behavioral1/memory/1380-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-73-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2500-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/964-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-284-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/896-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-301-0x0000000077640000-0x000000007775F000-memory.dmp upx behavioral1/memory/2412-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-771-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-824-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2812-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-974-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-981-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2992-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-1008-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-1256-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8868468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e26802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fflxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxlr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 220822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8026042.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1380 wrote to memory of 2100 1380 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 30 PID 1380 wrote to memory of 2100 1380 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 30 PID 1380 wrote to memory of 2100 1380 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 30 PID 1380 wrote to memory of 2100 1380 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 30 PID 2100 wrote to memory of 3020 2100 a4406.exe 31 PID 2100 wrote to memory of 3020 2100 a4406.exe 31 PID 2100 wrote to memory of 3020 2100 a4406.exe 31 PID 2100 wrote to memory of 3020 2100 a4406.exe 31 PID 3020 wrote to memory of 2452 3020 ppjpd.exe 32 PID 3020 wrote to memory of 2452 3020 ppjpd.exe 32 PID 3020 wrote to memory of 2452 3020 ppjpd.exe 32 PID 3020 wrote to memory of 2452 3020 ppjpd.exe 32 PID 2452 wrote to memory of 2692 2452 0484206.exe 33 PID 2452 wrote to memory of 2692 2452 0484206.exe 33 PID 2452 wrote to memory of 2692 2452 0484206.exe 33 PID 2452 wrote to memory of 2692 2452 0484206.exe 33 PID 2692 wrote to memory of 2704 2692 g2028.exe 34 PID 2692 wrote to memory of 2704 2692 g2028.exe 34 PID 2692 wrote to memory of 2704 2692 g2028.exe 34 PID 2692 wrote to memory of 2704 2692 g2028.exe 34 PID 2704 wrote to memory of 2752 2704 fxlfrfr.exe 35 PID 2704 wrote to memory of 2752 2704 fxlfrfr.exe 35 PID 2704 wrote to memory of 2752 2704 fxlfrfr.exe 35 PID 2704 wrote to memory of 2752 2704 fxlfrfr.exe 35 PID 2752 wrote to memory of 2900 2752 9nthbb.exe 36 PID 2752 wrote to memory of 2900 2752 9nthbb.exe 36 PID 2752 wrote to memory of 2900 2752 9nthbb.exe 36 PID 2752 wrote to memory of 2900 2752 9nthbb.exe 36 PID 2900 wrote to memory of 2832 2900 pddpp.exe 37 PID 2900 wrote to memory of 2832 2900 pddpp.exe 37 PID 2900 wrote to memory of 2832 2900 pddpp.exe 37 PID 2900 wrote to memory of 2832 2900 pddpp.exe 37 PID 2832 wrote to memory of 2772 2832 84868.exe 38 PID 2832 wrote to 
memory of 2772 2832 84868.exe 38 PID 2832 wrote to memory of 2772 2832 84868.exe 38 PID 2832 wrote to memory of 2772 2832 84868.exe 38 PID 2772 wrote to memory of 2500 2772 406008.exe 39 PID 2772 wrote to memory of 2500 2772 406008.exe 39 PID 2772 wrote to memory of 2500 2772 406008.exe 39 PID 2772 wrote to memory of 2500 2772 406008.exe 39 PID 2500 wrote to memory of 1732 2500 24864.exe 40 PID 2500 wrote to memory of 1732 2500 24864.exe 40 PID 2500 wrote to memory of 1732 2500 24864.exe 40 PID 2500 wrote to memory of 1732 2500 24864.exe 40 PID 1732 wrote to memory of 1092 1732 1ntttt.exe 41 PID 1732 wrote to memory of 1092 1732 1ntttt.exe 41 PID 1732 wrote to memory of 1092 1732 1ntttt.exe 41 PID 1732 wrote to memory of 1092 1732 1ntttt.exe 41 PID 1092 wrote to memory of 1808 1092 hbttbn.exe 42 PID 1092 wrote to memory of 1808 1092 hbttbn.exe 42 PID 1092 wrote to memory of 1808 1092 hbttbn.exe 42 PID 1092 wrote to memory of 1808 1092 hbttbn.exe 42 PID 1808 wrote to memory of 2856 1808 pvpjv.exe 43 PID 1808 wrote to memory of 2856 1808 pvpjv.exe 43 PID 1808 wrote to memory of 2856 1808 pvpjv.exe 43 PID 1808 wrote to memory of 2856 1808 pvpjv.exe 43 PID 2856 wrote to memory of 2160 2856 04688.exe 44 PID 2856 wrote to memory of 2160 2856 04688.exe 44 PID 2856 wrote to memory of 2160 2856 04688.exe 44 PID 2856 wrote to memory of 2160 2856 04688.exe 44 PID 2160 wrote to memory of 1048 2160 426244.exe 45 PID 2160 wrote to memory of 1048 2160 426244.exe 45 PID 2160 wrote to memory of 1048 2160 426244.exe 45 PID 2160 wrote to memory of 1048 2160 426244.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe"C:\Users\Admin\AppData\Local\Temp\cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\a4406.exec:\a4406.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\ppjpd.exec:\ppjpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\0484206.exec:\0484206.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\g2028.exec:\g2028.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\fxlfrfr.exec:\fxlfrfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\9nthbb.exec:\9nthbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\pddpp.exec:\pddpp.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\84868.exec:\84868.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\406008.exec:\406008.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\24864.exec:\24864.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\1ntttt.exec:\1ntttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\hbttbn.exec:\hbttbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\pvpjv.exec:\pvpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\04688.exec:\04688.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\426244.exec:\426244.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\0004482.exec:\0004482.exe17⤵
- Executes dropped EXE
PID:1048 -
\??\c:\rrfrrff.exec:\rrfrrff.exe18⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hbthnn.exec:\hbthnn.exe19⤵
- Executes dropped EXE
PID:1760 -
\??\c:\vvppv.exec:\vvppv.exe20⤵
- Executes dropped EXE
PID:2956 -
\??\c:\60424.exec:\60424.exe21⤵
- Executes dropped EXE
PID:2164 -
\??\c:\fflxffx.exec:\fflxffx.exe22⤵
- Executes dropped EXE
PID:2328 -
\??\c:\a0082.exec:\a0082.exe23⤵
- Executes dropped EXE
PID:1676 -
\??\c:\844888.exec:\844888.exe24⤵
- Executes dropped EXE
PID:2584 -
\??\c:\68602.exec:\68602.exe25⤵
- Executes dropped EXE
PID:708 -
\??\c:\a8246.exec:\a8246.exe26⤵
- Executes dropped EXE
PID:1812 -
\??\c:\24028.exec:\24028.exe27⤵
- Executes dropped EXE
PID:872 -
\??\c:\tnnhnt.exec:\tnnhnt.exe28⤵
- Executes dropped EXE
PID:916 -
\??\c:\5nhhnn.exec:\5nhhnn.exe29⤵
- Executes dropped EXE
PID:964 -
\??\c:\dppdv.exec:\dppdv.exe30⤵
- Executes dropped EXE
PID:1780 -
\??\c:\frrxxrl.exec:\frrxxrl.exe31⤵
- Executes dropped EXE
PID:1396 -
\??\c:\pdjdj.exec:\pdjdj.exe32⤵
- Executes dropped EXE
PID:1492 -
\??\c:\jdpdp.exec:\jdpdp.exe33⤵
- Executes dropped EXE
PID:900 -
\??\c:\08280.exec:\08280.exe34⤵
- Executes dropped EXE
PID:896 -
\??\c:\0042084.exec:\0042084.exe35⤵
- Executes dropped EXE
PID:1324 -
\??\c:\lfrrxlr.exec:\lfrrxlr.exe36⤵
- System Location Discovery: System Language Discovery
PID:1564 -
\??\c:\xxrxlxr.exec:\xxrxlxr.exe37⤵
- Executes dropped EXE
PID:2412 -
\??\c:\08842.exec:\08842.exe38⤵
- Executes dropped EXE
PID:1960 -
\??\c:\c220842.exec:\c220842.exe39⤵
- Executes dropped EXE
PID:3016 -
\??\c:\ppjjd.exec:\ppjjd.exe40⤵
- Executes dropped EXE
PID:2684 -
\??\c:\882468.exec:\882468.exe41⤵
- Executes dropped EXE
PID:380 -
\??\c:\bbnbtb.exec:\bbnbtb.exe42⤵
- Executes dropped EXE
PID:2124 -
\??\c:\lffrfff.exec:\lffrfff.exe43⤵
- Executes dropped EXE
PID:2796 -
\??\c:\644026.exec:\644026.exe44⤵
- Executes dropped EXE
PID:2824 -
\??\c:\420060.exec:\420060.exe45⤵
- Executes dropped EXE
PID:2792 -
\??\c:\64228.exec:\64228.exe46⤵
- Executes dropped EXE
PID:2636 -
\??\c:\26462.exec:\26462.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768 -
\??\c:\88084.exec:\88084.exe48⤵
- Executes dropped EXE
PID:1668 -
\??\c:\e26802.exec:\e26802.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2220 -
\??\c:\pvpvj.exec:\pvpvj.exe50⤵
- Executes dropped EXE
PID:1136 -
\??\c:\o824064.exec:\o824064.exe51⤵
- Executes dropped EXE
PID:1732 -
\??\c:\2082426.exec:\2082426.exe52⤵
- Executes dropped EXE
PID:2948 -
\??\c:\608022.exec:\608022.exe53⤵
- Executes dropped EXE
PID:2588 -
\??\c:\k42282.exec:\k42282.exe54⤵
- Executes dropped EXE
PID:2844 -
\??\c:\m2864.exec:\m2864.exe55⤵
- Executes dropped EXE
PID:2136 -
\??\c:\4200240.exec:\4200240.exe56⤵
- Executes dropped EXE
PID:2424 -
\??\c:\fxrrffr.exec:\fxrrffr.exe57⤵
- Executes dropped EXE
PID:2024 -
\??\c:\dvvdp.exec:\dvvdp.exe58⤵
- Executes dropped EXE
PID:1208 -
\??\c:\4484242.exec:\4484242.exe59⤵
- Executes dropped EXE
PID:1892 -
\??\c:\ddpvj.exec:\ddpvj.exe60⤵
- Executes dropped EXE
PID:1760 -
\??\c:\60200.exec:\60200.exe61⤵
- Executes dropped EXE
PID:2988 -
\??\c:\jjjdv.exec:\jjjdv.exe62⤵
- Executes dropped EXE
PID:2148 -
\??\c:\82842.exec:\82842.exe63⤵
- Executes dropped EXE
PID:2364 -
\??\c:\o606280.exec:\o606280.exe64⤵
- Executes dropped EXE
PID:2336 -
\??\c:\02440.exec:\02440.exe65⤵
- Executes dropped EXE
PID:876 -
\??\c:\9jpdp.exec:\9jpdp.exe66⤵
- Executes dropped EXE
PID:1224 -
\??\c:\20820.exec:\20820.exe67⤵PID:1604
-
\??\c:\ffflrfr.exec:\ffflrfr.exe68⤵PID:1792
-
\??\c:\frfxxlf.exec:\frfxxlf.exe69⤵PID:780
-
\??\c:\nhhbbb.exec:\nhhbbb.exe70⤵PID:1316
-
\??\c:\046808.exec:\046808.exe71⤵PID:2036
-
\??\c:\9nbnnn.exec:\9nbnnn.exe72⤵PID:1008
-
\??\c:\48024.exec:\48024.exe73⤵PID:1364
-
\??\c:\9vvpv.exec:\9vvpv.exe74⤵PID:2388
-
\??\c:\204404.exec:\204404.exe75⤵PID:1728
-
\??\c:\vvjdd.exec:\vvjdd.exe76⤵PID:1360
-
\??\c:\44266.exec:\44266.exe77⤵PID:632
-
\??\c:\jjjdp.exec:\jjjdp.exe78⤵PID:2288
-
\??\c:\62062.exec:\62062.exe79⤵PID:2544
-
\??\c:\86406.exec:\86406.exe80⤵PID:1324
-
\??\c:\hbnnth.exec:\hbnnth.exe81⤵PID:1716
-
\??\c:\608806.exec:\608806.exe82⤵PID:2100
-
\??\c:\tnnbnt.exec:\tnnbnt.exe83⤵PID:2680
-
\??\c:\2624204.exec:\2624204.exe84⤵PID:2576
-
\??\c:\622808.exec:\622808.exe85⤵PID:2456
-
\??\c:\62286.exec:\62286.exe86⤵PID:2684
-
\??\c:\4428446.exec:\4428446.exe87⤵PID:2920
-
\??\c:\0024624.exec:\0024624.exe88⤵PID:2608
-
\??\c:\ppjdp.exec:\ppjdp.exe89⤵PID:2888
-
\??\c:\262024.exec:\262024.exe90⤵PID:2896
-
\??\c:\jvpjd.exec:\jvpjd.exe91⤵PID:2628
-
\??\c:\9nthth.exec:\9nthth.exe92⤵PID:2712
-
\??\c:\608846.exec:\608846.exe93⤵PID:2772
-
\??\c:\rfxrrff.exec:\rfxrrff.exe94⤵PID:2720
-
\??\c:\44646.exec:\44646.exe95⤵PID:688
-
\??\c:\486862.exec:\486862.exe96⤵PID:928
-
\??\c:\lxrffrf.exec:\lxrffrf.exe97⤵
- System Location Discovery: System Language Discovery
PID:1576 -
\??\c:\w48424.exec:\w48424.exe98⤵PID:1520
-
\??\c:\8662828.exec:\8662828.exe99⤵PID:2784
-
\??\c:\0428804.exec:\0428804.exe100⤵PID:340
-
\??\c:\0860224.exec:\0860224.exe101⤵PID:2868
-
\??\c:\26028.exec:\26028.exe102⤵PID:2028
-
\??\c:\g8080.exec:\g8080.exe103⤵
- System Location Discovery: System Language Discovery
PID:1868 -
\??\c:\pjvvd.exec:\pjvvd.exe104⤵PID:1208
-
\??\c:\202468.exec:\202468.exe105⤵PID:2196
-
\??\c:\226664.exec:\226664.exe106⤵PID:1760
-
\??\c:\2202402.exec:\2202402.exe107⤵PID:1168
-
\??\c:\864602.exec:\864602.exe108⤵PID:2080
-
\??\c:\rrxrflx.exec:\rrxrflx.exe109⤵PID:448
-
\??\c:\jjvvj.exec:\jjvvj.exe110⤵PID:1904
-
\??\c:\m8820.exec:\m8820.exe111⤵PID:2572
-
\??\c:\226028.exec:\226028.exe112⤵PID:708
-
\??\c:\0480620.exec:\0480620.exe113⤵PID:672
-
\??\c:\3lflflx.exec:\3lflflx.exe114⤵PID:3068
-
\??\c:\djdvd.exec:\djdvd.exe115⤵PID:1416
-
\??\c:\1xrflrf.exec:\1xrflrf.exe116⤵PID:1984
-
\??\c:\7bhhnt.exec:\7bhhnt.exe117⤵PID:1844
-
\??\c:\482462.exec:\482462.exe118⤵PID:2516
-
\??\c:\tbbnnn.exec:\tbbnnn.exe119⤵PID:1780
-
\??\c:\tnbbht.exec:\tnbbht.exe120⤵PID:1000
-
\??\c:\666868.exec:\666868.exe121⤵PID:1500
-
\??\c:\tttnnh.exec:\tttnnh.exe122⤵PID:2300