Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 09:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe
-
Size
454KB
-
MD5
5bdb15a4f914b7ce8d6859308024c80f
-
SHA1
34dffca373535f5cb4c97a085eb0feadfe343e64
-
SHA256
fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9
-
SHA512
67f76913a83e0b45d397acd3adaa23950236cb9e8aee178cb794e996f75861f0e47199788805dfcfd09821ed60b2f2db4a48f809f855a65e22df74b9b7c458d3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2212-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/564-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1060-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1608-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-440-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1820-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/700-494-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3008-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/992-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-951-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/916-958-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1424-1058-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1960-1097-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2080 c828480.exe 2852 m6068.exe 2968 3pddj.exe 2580 884666.exe 2060 rlrxffr.exe 2848 6088068.exe 2612 86002.exe 3052 420088.exe 564 64446.exe 2528 ffxfrrf.exe 916 4802402.exe 2040 w86800.exe 584 xrlrxfr.exe 2864 3vpvd.exe 1060 60806.exe 404 86402.exe 560 3httbh.exe 532 5vpdj.exe 2140 1vdjp.exe 2152 48040.exe 2240 0828620.exe 2024 8266068.exe 372 rlffllf.exe 1992 llrfffl.exe 1140 nhhhtb.exe 1552 pppdv.exe 2280 jvpdj.exe 2468 208848.exe 1752 bbthnn.exe 3024 q82288.exe 3032 9flxxll.exe 2508 e02284.exe 908 i466228.exe 2380 4688888.exe 2656 q04088.exe 1608 e46660.exe 2700 82064.exe 2552 7rflffx.exe 2808 7lfxllf.exe 2684 2646280.exe 2796 8668224.exe 2848 pjddj.exe 2716 nnttbh.exe 2188 jjdjp.exe 1584 vvpvv.exe 2992 0800044.exe 780 482844.exe 1860 4244828.exe 2936 08628.exe 2816 6040680.exe 2768 804244.exe 2864 864066.exe 1164 xxrxrxx.exe 2036 rffrlrf.exe 264 hbtthn.exe 604 9vpvd.exe 1820 3xxxlll.exe 2108 xflxxrx.exe 2156 bbtbbt.exe 1052 0484620.exe 2224 c060006.exe 1980 82402.exe 1040 7bhtbb.exe 700 hbhnnn.exe -
resource yara_rule behavioral1/memory/2080-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-239-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2656-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-494-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3008-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-911-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/268-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-991-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-1037-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/372-1059-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-1110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-1159-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frlrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4048264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4268440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0866824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2080 2212 fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe 30 PID 2212 wrote to memory of 2080 2212 fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe 30 PID 2212 wrote to memory of 2080 2212 fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe 30 PID 2212 wrote to memory of 2080 2212 fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe 30 PID 2080 wrote to memory of 2852 2080 c828480.exe 31 PID 2080 wrote to memory of 2852 2080 c828480.exe 31 PID 2080 wrote to memory of 2852 2080 c828480.exe 31 PID 2080 wrote to memory of 2852 2080 c828480.exe 31 PID 2852 wrote to memory of 2968 2852 m6068.exe 32 PID 2852 wrote to memory of 2968 2852 m6068.exe 32 PID 2852 wrote to memory of 2968 2852 m6068.exe 32 PID 2852 wrote to memory of 2968 2852 m6068.exe 32 PID 2968 wrote to memory of 2580 2968 3pddj.exe 33 PID 2968 wrote to memory of 2580 2968 3pddj.exe 33 PID 2968 wrote to memory of 2580 2968 3pddj.exe 33 PID 2968 wrote to memory of 2580 2968 3pddj.exe 33 PID 2580 wrote to memory of 2060 2580 884666.exe 34 PID 2580 wrote to memory of 2060 2580 884666.exe 34 PID 2580 wrote to memory of 2060 2580 884666.exe 34 PID 2580 wrote to memory of 2060 2580 884666.exe 34 PID 2060 wrote to memory of 2848 2060 rlrxffr.exe 35 PID 2060 wrote to memory of 2848 2060 rlrxffr.exe 35 PID 2060 wrote to memory of 2848 2060 rlrxffr.exe 35 PID 2060 wrote to memory of 2848 2060 rlrxffr.exe 35 PID 2848 wrote to memory of 2612 2848 6088068.exe 36 PID 2848 wrote to memory of 2612 2848 6088068.exe 36 PID 2848 wrote to memory of 2612 2848 6088068.exe 36 PID 2848 wrote to memory of 2612 2848 6088068.exe 36 PID 2612 wrote to memory of 3052 2612 86002.exe 37 PID 2612 wrote to memory of 3052 2612 86002.exe 37 PID 2612 wrote to memory of 3052 2612 86002.exe 37 PID 2612 wrote to memory of 3052 2612 86002.exe 37 PID 3052 wrote to memory of 564 3052 420088.exe 38 PID 3052 wrote 
to memory of 564 3052 420088.exe 38 PID 3052 wrote to memory of 564 3052 420088.exe 38 PID 3052 wrote to memory of 564 3052 420088.exe 38 PID 564 wrote to memory of 2528 564 64446.exe 39 PID 564 wrote to memory of 2528 564 64446.exe 39 PID 564 wrote to memory of 2528 564 64446.exe 39 PID 564 wrote to memory of 2528 564 64446.exe 39 PID 2528 wrote to memory of 916 2528 ffxfrrf.exe 40 PID 2528 wrote to memory of 916 2528 ffxfrrf.exe 40 PID 2528 wrote to memory of 916 2528 ffxfrrf.exe 40 PID 2528 wrote to memory of 916 2528 ffxfrrf.exe 40 PID 916 wrote to memory of 2040 916 4802402.exe 41 PID 916 wrote to memory of 2040 916 4802402.exe 41 PID 916 wrote to memory of 2040 916 4802402.exe 41 PID 916 wrote to memory of 2040 916 4802402.exe 41 PID 2040 wrote to memory of 584 2040 w86800.exe 42 PID 2040 wrote to memory of 584 2040 w86800.exe 42 PID 2040 wrote to memory of 584 2040 w86800.exe 42 PID 2040 wrote to memory of 584 2040 w86800.exe 42 PID 584 wrote to memory of 2864 584 xrlrxfr.exe 43 PID 584 wrote to memory of 2864 584 xrlrxfr.exe 43 PID 584 wrote to memory of 2864 584 xrlrxfr.exe 43 PID 584 wrote to memory of 2864 584 xrlrxfr.exe 43 PID 2864 wrote to memory of 1060 2864 3vpvd.exe 44 PID 2864 wrote to memory of 1060 2864 3vpvd.exe 44 PID 2864 wrote to memory of 1060 2864 3vpvd.exe 44 PID 2864 wrote to memory of 1060 2864 3vpvd.exe 44 PID 1060 wrote to memory of 404 1060 60806.exe 45 PID 1060 wrote to memory of 404 1060 60806.exe 45 PID 1060 wrote to memory of 404 1060 60806.exe 45 PID 1060 wrote to memory of 404 1060 60806.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe"C:\Users\Admin\AppData\Local\Temp\fb2266f7496cc1b937711f335176cc97709b3de82913c4edf9831641922afde9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\c828480.exec:\c828480.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\m6068.exec:\m6068.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\3pddj.exec:\3pddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\884666.exec:\884666.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\rlrxffr.exec:\rlrxffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\6088068.exec:\6088068.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\86002.exec:\86002.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\420088.exec:\420088.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\64446.exec:\64446.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564 -
\??\c:\ffxfrrf.exec:\ffxfrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\4802402.exec:\4802402.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\w86800.exec:\w86800.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\xrlrxfr.exec:\xrlrxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\3vpvd.exec:\3vpvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\60806.exec:\60806.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\86402.exec:\86402.exe17⤵
- Executes dropped EXE
PID:404 -
\??\c:\3httbh.exec:\3httbh.exe18⤵
- Executes dropped EXE
PID:560 -
\??\c:\5vpdj.exec:\5vpdj.exe19⤵
- Executes dropped EXE
PID:532 -
\??\c:\1vdjp.exec:\1vdjp.exe20⤵
- Executes dropped EXE
PID:2140 -
\??\c:\48040.exec:\48040.exe21⤵
- Executes dropped EXE
PID:2152 -
\??\c:\0828620.exec:\0828620.exe22⤵
- Executes dropped EXE
PID:2240 -
\??\c:\8266068.exec:\8266068.exe23⤵
- Executes dropped EXE
PID:2024 -
\??\c:\rlffllf.exec:\rlffllf.exe24⤵
- Executes dropped EXE
PID:372 -
\??\c:\llrfffl.exec:\llrfffl.exe25⤵
- Executes dropped EXE
PID:1992 -
\??\c:\nhhhtb.exec:\nhhhtb.exe26⤵
- Executes dropped EXE
PID:1140 -
\??\c:\pppdv.exec:\pppdv.exe27⤵
- Executes dropped EXE
PID:1552 -
\??\c:\jvpdj.exec:\jvpdj.exe28⤵
- Executes dropped EXE
PID:2280 -
\??\c:\208848.exec:\208848.exe29⤵
- Executes dropped EXE
PID:2468 -
\??\c:\bbthnn.exec:\bbthnn.exe30⤵
- Executes dropped EXE
PID:1752 -
\??\c:\q82288.exec:\q82288.exe31⤵
- Executes dropped EXE
PID:3024 -
\??\c:\9flxxll.exec:\9flxxll.exe32⤵
- Executes dropped EXE
PID:3032 -
\??\c:\e02284.exec:\e02284.exe33⤵
- Executes dropped EXE
PID:2508 -
\??\c:\i466228.exec:\i466228.exe34⤵
- Executes dropped EXE
PID:908 -
\??\c:\4688888.exec:\4688888.exe35⤵
- Executes dropped EXE
PID:2380 -
\??\c:\q04088.exec:\q04088.exe36⤵
- Executes dropped EXE
PID:2656 -
\??\c:\e46660.exec:\e46660.exe37⤵
- Executes dropped EXE
PID:1608 -
\??\c:\82064.exec:\82064.exe38⤵
- Executes dropped EXE
PID:2700 -
\??\c:\7rflffx.exec:\7rflffx.exe39⤵
- Executes dropped EXE
PID:2552 -
\??\c:\7lfxllf.exec:\7lfxllf.exe40⤵
- Executes dropped EXE
PID:2808 -
\??\c:\2646280.exec:\2646280.exe41⤵
- Executes dropped EXE
PID:2684 -
\??\c:\8668224.exec:\8668224.exe42⤵
- Executes dropped EXE
PID:2796 -
\??\c:\pjddj.exec:\pjddj.exe43⤵
- Executes dropped EXE
PID:2848 -
\??\c:\nnttbh.exec:\nnttbh.exe44⤵
- Executes dropped EXE
PID:2716 -
\??\c:\jjdjp.exec:\jjdjp.exe45⤵
- Executes dropped EXE
PID:2188 -
\??\c:\vvpvv.exec:\vvpvv.exe46⤵
- Executes dropped EXE
PID:1584 -
\??\c:\0800044.exec:\0800044.exe47⤵
- Executes dropped EXE
PID:2992 -
\??\c:\482844.exec:\482844.exe48⤵
- Executes dropped EXE
PID:780 -
\??\c:\4244828.exec:\4244828.exe49⤵
- Executes dropped EXE
PID:1860 -
\??\c:\08628.exec:\08628.exe50⤵
- Executes dropped EXE
PID:2936 -
\??\c:\6040680.exec:\6040680.exe51⤵
- Executes dropped EXE
PID:2816 -
\??\c:\804244.exec:\804244.exe52⤵
- Executes dropped EXE
PID:2768 -
\??\c:\864066.exec:\864066.exe53⤵
- Executes dropped EXE
PID:2864 -
\??\c:\xxrxrxx.exec:\xxrxrxx.exe54⤵
- Executes dropped EXE
PID:1164 -
\??\c:\rffrlrf.exec:\rffrlrf.exe55⤵
- Executes dropped EXE
PID:2036 -
\??\c:\hbtthn.exec:\hbtthn.exe56⤵
- Executes dropped EXE
PID:264 -
\??\c:\9vpvd.exec:\9vpvd.exe57⤵
- Executes dropped EXE
PID:604 -
\??\c:\3xxxlll.exec:\3xxxlll.exe58⤵
- Executes dropped EXE
PID:1820 -
\??\c:\xflxxrx.exec:\xflxxrx.exe59⤵
- Executes dropped EXE
PID:2108 -
\??\c:\bbtbbt.exec:\bbtbbt.exe60⤵
- Executes dropped EXE
PID:2156 -
\??\c:\0484620.exec:\0484620.exe61⤵
- Executes dropped EXE
PID:1052 -
\??\c:\c060006.exec:\c060006.exe62⤵
- Executes dropped EXE
PID:2224 -
\??\c:\82402.exec:\82402.exe63⤵
- Executes dropped EXE
PID:1980 -
\??\c:\7bhtbb.exec:\7bhtbb.exe64⤵
- Executes dropped EXE
PID:1040 -
\??\c:\hbhnnn.exec:\hbhnnn.exe65⤵
- Executes dropped EXE
PID:700 -
\??\c:\u884226.exec:\u884226.exe66⤵PID:2208
-
\??\c:\3rflrxf.exec:\3rflrxf.exe67⤵PID:328
-
\??\c:\606688.exec:\606688.exe68⤵PID:2252
-
\??\c:\nhbttn.exec:\nhbttn.exe69⤵PID:888
-
\??\c:\864640.exec:\864640.exe70⤵PID:1728
-
\??\c:\nhthtb.exec:\nhthtb.exe71⤵PID:1812
-
\??\c:\ffrrlfl.exec:\ffrrlfl.exe72⤵PID:2216
-
\??\c:\g8842.exec:\g8842.exe73⤵PID:464
-
\??\c:\bhbhtt.exec:\bhbhtt.exe74⤵PID:3008
-
\??\c:\frflrrf.exec:\frflrrf.exe75⤵PID:992
-
\??\c:\7bttbb.exec:\7bttbb.exe76⤵
- System Location Discovery: System Language Discovery
PID:1776 -
\??\c:\vpdjp.exec:\vpdjp.exe77⤵PID:1496
-
\??\c:\tnbttt.exec:\tnbttt.exe78⤵PID:2000
-
\??\c:\m6400.exec:\m6400.exe79⤵PID:2180
-
\??\c:\jdvpv.exec:\jdvpv.exe80⤵PID:1868
-
\??\c:\c082480.exec:\c082480.exe81⤵PID:1608
-
\??\c:\pjvvv.exec:\pjvvv.exe82⤵PID:2696
-
\??\c:\rlxlxfl.exec:\rlxlxfl.exe83⤵PID:2968
-
\??\c:\602660.exec:\602660.exe84⤵PID:2676
-
\??\c:\80066.exec:\80066.exe85⤵PID:2724
-
\??\c:\3xllflx.exec:\3xllflx.exe86⤵PID:1760
-
\??\c:\lllxflx.exec:\lllxflx.exe87⤵PID:2624
-
\??\c:\046284.exec:\046284.exe88⤵PID:2564
-
\??\c:\pjvpv.exec:\pjvpv.exe89⤵PID:1260
-
\??\c:\lllrflf.exec:\lllrflf.exe90⤵PID:2200
-
\??\c:\26624.exec:\26624.exe91⤵PID:2980
-
\??\c:\vppdj.exec:\vppdj.exe92⤵PID:916
-
\??\c:\pdppp.exec:\pdppp.exe93⤵PID:2888
-
\??\c:\0284006.exec:\0284006.exe94⤵PID:1304
-
\??\c:\s0802.exec:\s0802.exe95⤵PID:2800
-
\??\c:\flrrlxx.exec:\flrrlxx.exe96⤵PID:2920
-
\??\c:\o262880.exec:\o262880.exe97⤵PID:2028
-
\??\c:\4468628.exec:\4468628.exe98⤵PID:2780
-
\??\c:\482866.exec:\482866.exe99⤵PID:1164
-
\??\c:\btntnn.exec:\btntnn.exe100⤵PID:2772
-
\??\c:\rrrfrrl.exec:\rrrfrrl.exe101⤵PID:2348
-
\??\c:\2688848.exec:\2688848.exe102⤵PID:1996
-
\??\c:\hhtbht.exec:\hhtbht.exe103⤵PID:2448
-
\??\c:\4862862.exec:\4862862.exe104⤵PID:1792
-
\??\c:\dpdpv.exec:\dpdpv.exe105⤵PID:2324
-
\??\c:\w66460.exec:\w66460.exe106⤵PID:2152
-
\??\c:\4840268.exec:\4840268.exe107⤵PID:1720
-
\??\c:\7tnbnh.exec:\7tnbnh.exe108⤵PID:2504
-
\??\c:\26400.exec:\26400.exe109⤵PID:2024
-
\??\c:\7tthht.exec:\7tthht.exe110⤵PID:2440
-
\??\c:\7btttb.exec:\7btttb.exe111⤵PID:2268
-
\??\c:\4422402.exec:\4422402.exe112⤵PID:1992
-
\??\c:\5tntht.exec:\5tntht.exe113⤵PID:1804
-
\??\c:\648866.exec:\648866.exe114⤵PID:1944
-
\??\c:\0080880.exec:\0080880.exe115⤵PID:2604
-
\??\c:\08240.exec:\08240.exe116⤵PID:1636
-
\??\c:\60802.exec:\60802.exe117⤵PID:2216
-
\??\c:\2040628.exec:\2040628.exe118⤵PID:464
-
\??\c:\6404026.exec:\6404026.exe119⤵PID:2444
-
\??\c:\820624.exec:\820624.exe120⤵PID:1048
-
\??\c:\hhnttb.exec:\hhnttb.exe121⤵PID:1776
-
\??\c:\rxrlrfl.exec:\rxrlrfl.exe122⤵PID:2976