Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 21:47
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe
-
Size
453KB
-
MD5
69d35afa0f8e66aef8d7de5d121e1f01
-
SHA1
95e2f0d62cf580a004e4458935e3469c434804ca
-
SHA256
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f
-
SHA512
bd7861a3164dd892c9fd23457e68ef7418582f6965587998e32019b3f315cc070b2a82def4d75fa2d69cdce119263089e368198de920f08e957d6d2894eeca2b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetn:q7Tc2NYHUrAwfMp3CDtn
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload (48 IoCs). Every hit below is on a process's in-memory image, almost all at the same 0x00400000–0x0042A000 range; the remainder are equally sized mappings at other bases. The identical range and size across dozens of PIDs is consistent with each stage re-executing the same (UPX-packed, see the upx rule matches below) payload rather than with distinct components, but this report alone does not confirm that.
resource yara_rule behavioral1/memory/2612-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-74-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1900-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-137-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1208-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-158-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1980-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1232-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-307-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2924-328-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2840-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-392-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/864-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-444-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2268-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-535-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/624-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-664-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2528-727-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2412-848-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/2436-855-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2904-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-875-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2916-882-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-925-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2220-1081-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs; the listing is capped at 64 entries). The process tree below shows the drop-and-execute chain continuing past stage 65 to at least stage 122, so the 64 processes named here are only the first part of the chain.
pid Process 2856 64628.exe 2788 68624.exe 2696 hbthnn.exe 1752 o446486.exe 2660 7pddp.exe 2828 xlrfxlf.exe 1588 xxrxffx.exe 2484 7vvdd.exe 1900 5rllxfl.exe 1332 ppdpv.exe 1296 fxflxrr.exe 2884 hbnnht.exe 2748 08628.exe 536 jdddp.exe 1208 s6006.exe 2268 btntbn.exe 1980 226220.exe 1696 m8086.exe 2248 082866.exe 2212 a2424.exe 1676 04624.exe 1832 vjppp.exe 1104 4002266.exe 900 6400006.exe 1280 208866.exe 1660 5pjdj.exe 1984 88822.exe 624 tnhhnn.exe 1232 0208040.exe 1020 7vjjd.exe 1596 420022.exe 2804 g6402.exe 2916 a2400.exe 2316 ffrxllx.exe 2932 nhntnn.exe 2924 866204.exe 2684 bbnbhh.exe 2840 jdpvd.exe 2096 lfrlrrx.exe 2660 3xxfflr.exe 1548 g2464.exe 2988 260688.exe 1612 dddpd.exe 2756 q00484.exe 2272 ntnhnt.exe 3032 rxrlxxf.exe 864 bththh.exe 3020 60422.exe 3048 9jvvd.exe 2748 dvvpd.exe 604 08062.exe 2492 g4002.exe 2292 9ppvd.exe 2268 g8680.exe 1224 vvpdv.exe 1728 8206284.exe 1940 5llxxfl.exe 2248 w64422.exe 2440 m6628.exe 1572 20884.exe 2052 xrfrxrx.exe 1860 hhntnb.exe 2560 9fxxrxf.exe 1488 42824.exe -
resource yara_rule behavioral1/memory/2612-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2660-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-535-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/624-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-640-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1952-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-727-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/688-764-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/1096-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-834-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2436-855-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2904-862-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-977-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-1118-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer its geographical location. Many entries are attributed to "Process not Found", meaning the sandbox could not map the event to a named process at reporting time — presumably because the short-lived dropped executable had already exited; the events are still recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0862842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u824620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory (64 IoCs; the listing is capped at 64 entries). Each entry shows a parent writing into the memory of the child it has just spawned, four times per child, from the original sample (PID 2612) onward; this matches the linear parent-to-child chain in the process tree below, which continues well beyond the stages recorded here.
description pid Process procid_target PID 2612 wrote to memory of 2856 2612 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 30 PID 2612 wrote to memory of 2856 2612 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 30 PID 2612 wrote to memory of 2856 2612 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 30 PID 2612 wrote to memory of 2856 2612 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 30 PID 2856 wrote to memory of 2788 2856 64628.exe 31 PID 2856 wrote to memory of 2788 2856 64628.exe 31 PID 2856 wrote to memory of 2788 2856 64628.exe 31 PID 2856 wrote to memory of 2788 2856 64628.exe 31 PID 2788 wrote to memory of 2696 2788 68624.exe 32 PID 2788 wrote to memory of 2696 2788 68624.exe 32 PID 2788 wrote to memory of 2696 2788 68624.exe 32 PID 2788 wrote to memory of 2696 2788 68624.exe 32 PID 2696 wrote to memory of 1752 2696 hbthnn.exe 33 PID 2696 wrote to memory of 1752 2696 hbthnn.exe 33 PID 2696 wrote to memory of 1752 2696 hbthnn.exe 33 PID 2696 wrote to memory of 1752 2696 hbthnn.exe 33 PID 1752 wrote to memory of 2660 1752 o446486.exe 34 PID 1752 wrote to memory of 2660 1752 o446486.exe 34 PID 1752 wrote to memory of 2660 1752 o446486.exe 34 PID 1752 wrote to memory of 2660 1752 o446486.exe 34 PID 2660 wrote to memory of 2828 2660 7pddp.exe 35 PID 2660 wrote to memory of 2828 2660 7pddp.exe 35 PID 2660 wrote to memory of 2828 2660 7pddp.exe 35 PID 2660 wrote to memory of 2828 2660 7pddp.exe 35 PID 2828 wrote to memory of 1588 2828 xlrfxlf.exe 36 PID 2828 wrote to memory of 1588 2828 xlrfxlf.exe 36 PID 2828 wrote to memory of 1588 2828 xlrfxlf.exe 36 PID 2828 wrote to memory of 1588 2828 xlrfxlf.exe 36 PID 1588 wrote to memory of 2484 1588 xxrxffx.exe 37 PID 1588 wrote to memory of 2484 1588 xxrxffx.exe 37 PID 1588 wrote to memory of 2484 1588 xxrxffx.exe 37 PID 1588 wrote to memory of 2484 1588 xxrxffx.exe 37 PID 2484 wrote to memory of 1900 2484 7vvdd.exe 38 PID 2484 wrote 
to memory of 1900 2484 7vvdd.exe 38 PID 2484 wrote to memory of 1900 2484 7vvdd.exe 38 PID 2484 wrote to memory of 1900 2484 7vvdd.exe 38 PID 1900 wrote to memory of 1332 1900 5rllxfl.exe 39 PID 1900 wrote to memory of 1332 1900 5rllxfl.exe 39 PID 1900 wrote to memory of 1332 1900 5rllxfl.exe 39 PID 1900 wrote to memory of 1332 1900 5rllxfl.exe 39 PID 1332 wrote to memory of 1296 1332 ppdpv.exe 40 PID 1332 wrote to memory of 1296 1332 ppdpv.exe 40 PID 1332 wrote to memory of 1296 1332 ppdpv.exe 40 PID 1332 wrote to memory of 1296 1332 ppdpv.exe 40 PID 1296 wrote to memory of 2884 1296 fxflxrr.exe 41 PID 1296 wrote to memory of 2884 1296 fxflxrr.exe 41 PID 1296 wrote to memory of 2884 1296 fxflxrr.exe 41 PID 1296 wrote to memory of 2884 1296 fxflxrr.exe 41 PID 2884 wrote to memory of 2748 2884 hbnnht.exe 42 PID 2884 wrote to memory of 2748 2884 hbnnht.exe 42 PID 2884 wrote to memory of 2748 2884 hbnnht.exe 42 PID 2884 wrote to memory of 2748 2884 hbnnht.exe 42 PID 2748 wrote to memory of 536 2748 08628.exe 43 PID 2748 wrote to memory of 536 2748 08628.exe 43 PID 2748 wrote to memory of 536 2748 08628.exe 43 PID 2748 wrote to memory of 536 2748 08628.exe 43 PID 536 wrote to memory of 1208 536 jdddp.exe 44 PID 536 wrote to memory of 1208 536 jdddp.exe 44 PID 536 wrote to memory of 1208 536 jdddp.exe 44 PID 536 wrote to memory of 1208 536 jdddp.exe 44 PID 1208 wrote to memory of 2268 1208 s6006.exe 45 PID 1208 wrote to memory of 2268 1208 s6006.exe 45 PID 1208 wrote to memory of 2268 1208 s6006.exe 45 PID 1208 wrote to memory of 2268 1208 s6006.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe"C:\Users\Admin\AppData\Local\Temp\40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\64628.exec:\64628.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\68624.exec:\68624.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\hbthnn.exec:\hbthnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\o446486.exec:\o446486.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\7pddp.exec:\7pddp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\xlrfxlf.exec:\xlrfxlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\xxrxffx.exec:\xxrxffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\7vvdd.exec:\7vvdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\5rllxfl.exec:\5rllxfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\ppdpv.exec:\ppdpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\fxflxrr.exec:\fxflxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\hbnnht.exec:\hbnnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\08628.exec:\08628.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\jdddp.exec:\jdddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\s6006.exec:\s6006.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\btntbn.exec:\btntbn.exe17⤵
- Executes dropped EXE
PID:2268 -
\??\c:\226220.exec:\226220.exe18⤵
- Executes dropped EXE
PID:1980 -
\??\c:\m8086.exec:\m8086.exe19⤵
- Executes dropped EXE
PID:1696 -
\??\c:\082866.exec:\082866.exe20⤵
- Executes dropped EXE
PID:2248 -
\??\c:\a2424.exec:\a2424.exe21⤵
- Executes dropped EXE
PID:2212 -
\??\c:\04624.exec:\04624.exe22⤵
- Executes dropped EXE
PID:1676 -
\??\c:\vjppp.exec:\vjppp.exe23⤵
- Executes dropped EXE
PID:1832 -
\??\c:\4002266.exec:\4002266.exe24⤵
- Executes dropped EXE
PID:1104 -
\??\c:\6400006.exec:\6400006.exe25⤵
- Executes dropped EXE
PID:900 -
\??\c:\208866.exec:\208866.exe26⤵
- Executes dropped EXE
PID:1280 -
\??\c:\5pjdj.exec:\5pjdj.exe27⤵
- Executes dropped EXE
PID:1660 -
\??\c:\88822.exec:\88822.exe28⤵
- Executes dropped EXE
PID:1984 -
\??\c:\tnhhnn.exec:\tnhhnn.exe29⤵
- Executes dropped EXE
PID:624 -
\??\c:\0208040.exec:\0208040.exe30⤵
- Executes dropped EXE
PID:1232 -
\??\c:\7vjjd.exec:\7vjjd.exe31⤵
- Executes dropped EXE
PID:1020 -
\??\c:\420022.exec:\420022.exe32⤵
- Executes dropped EXE
PID:1596 -
\??\c:\g6402.exec:\g6402.exe33⤵
- Executes dropped EXE
PID:2804 -
\??\c:\a2400.exec:\a2400.exe34⤵
- Executes dropped EXE
PID:2916 -
\??\c:\ffrxllx.exec:\ffrxllx.exe35⤵
- Executes dropped EXE
PID:2316 -
\??\c:\nhntnn.exec:\nhntnn.exe36⤵
- Executes dropped EXE
PID:2932 -
\??\c:\866204.exec:\866204.exe37⤵
- Executes dropped EXE
PID:2924 -
\??\c:\bbnbhh.exec:\bbnbhh.exe38⤵
- Executes dropped EXE
PID:2684 -
\??\c:\jdpvd.exec:\jdpvd.exe39⤵
- Executes dropped EXE
PID:2840 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe40⤵
- Executes dropped EXE
PID:2096 -
\??\c:\3xxfflr.exec:\3xxfflr.exe41⤵
- Executes dropped EXE
PID:2660 -
\??\c:\g2464.exec:\g2464.exe42⤵
- Executes dropped EXE
PID:1548 -
\??\c:\260688.exec:\260688.exe43⤵
- Executes dropped EXE
PID:2988 -
\??\c:\dddpd.exec:\dddpd.exe44⤵
- Executes dropped EXE
PID:1612 -
\??\c:\q00484.exec:\q00484.exe45⤵
- Executes dropped EXE
PID:2756 -
\??\c:\ntnhnt.exec:\ntnhnt.exe46⤵
- Executes dropped EXE
PID:2272 -
\??\c:\rxrlxxf.exec:\rxrlxxf.exe47⤵
- Executes dropped EXE
PID:3032 -
\??\c:\bththh.exec:\bththh.exe48⤵
- Executes dropped EXE
PID:864 -
\??\c:\60422.exec:\60422.exe49⤵
- Executes dropped EXE
PID:3020 -
\??\c:\9jvvd.exec:\9jvvd.exe50⤵
- Executes dropped EXE
PID:3048 -
\??\c:\dvvpd.exec:\dvvpd.exe51⤵
- Executes dropped EXE
PID:2748 -
\??\c:\08062.exec:\08062.exe52⤵
- Executes dropped EXE
PID:604 -
\??\c:\g4002.exec:\g4002.exe53⤵
- Executes dropped EXE
PID:2492 -
\??\c:\9ppvd.exec:\9ppvd.exe54⤵
- Executes dropped EXE
PID:2292 -
\??\c:\g8680.exec:\g8680.exe55⤵
- Executes dropped EXE
PID:2268 -
\??\c:\vvpdv.exec:\vvpdv.exe56⤵
- Executes dropped EXE
PID:1224 -
\??\c:\8206284.exec:\8206284.exe57⤵
- Executes dropped EXE
PID:1728 -
\??\c:\5llxxfl.exec:\5llxxfl.exe58⤵
- Executes dropped EXE
PID:1940 -
\??\c:\w64422.exec:\w64422.exe59⤵
- Executes dropped EXE
PID:2248 -
\??\c:\m6628.exec:\m6628.exe60⤵
- Executes dropped EXE
PID:2440 -
\??\c:\20884.exec:\20884.exe61⤵
- Executes dropped EXE
PID:1572 -
\??\c:\xrfrxrx.exec:\xrfrxrx.exe62⤵
- Executes dropped EXE
PID:2052 -
\??\c:\hhntnb.exec:\hhntnb.exe63⤵
- Executes dropped EXE
PID:1860 -
\??\c:\9fxxrxf.exec:\9fxxrxf.exe64⤵
- Executes dropped EXE
PID:2560 -
\??\c:\42824.exec:\42824.exe65⤵
- Executes dropped EXE
PID:1488 -
\??\c:\82840.exec:\82840.exe66⤵PID:836
-
\??\c:\dpdpv.exec:\dpdpv.exe67⤵PID:1280
-
\??\c:\64666.exec:\64666.exe68⤵PID:1664
-
\??\c:\c200228.exec:\c200228.exe69⤵PID:568
-
\??\c:\u862402.exec:\u862402.exe70⤵PID:2396
-
\??\c:\rrfxlll.exec:\rrfxlll.exe71⤵PID:624
-
\??\c:\vpjjj.exec:\vpjjj.exe72⤵PID:1232
-
\??\c:\046688.exec:\046688.exe73⤵PID:2028
-
\??\c:\666026.exec:\666026.exe74⤵PID:1884
-
\??\c:\5xrlfxf.exec:\5xrlfxf.exe75⤵PID:2800
-
\??\c:\046622.exec:\046622.exe76⤵PID:1536
-
\??\c:\nbnntb.exec:\nbnntb.exe77⤵PID:1512
-
\??\c:\c028664.exec:\c028664.exe78⤵PID:2792
-
\??\c:\6426442.exec:\6426442.exe79⤵PID:2860
-
\??\c:\1vppj.exec:\1vppj.exe80⤵PID:2696
-
\??\c:\42662.exec:\42662.exe81⤵PID:2716
-
\??\c:\08064.exec:\08064.exe82⤵PID:1752
-
\??\c:\862600.exec:\862600.exe83⤵PID:2908
-
\??\c:\424848.exec:\424848.exe84⤵PID:2444
-
\??\c:\pvdvv.exec:\pvdvv.exe85⤵PID:2240
-
\??\c:\20268.exec:\20268.exe86⤵PID:2508
-
\??\c:\dpdvv.exec:\dpdvv.exe87⤵PID:2108
-
\??\c:\dvjjp.exec:\dvjjp.exe88⤵PID:2404
-
\??\c:\xlxfllx.exec:\xlxfllx.exe89⤵PID:2080
-
\??\c:\3hbbhh.exec:\3hbbhh.exe90⤵PID:1952
-
\??\c:\rxlrllf.exec:\rxlrllf.exe91⤵PID:2868
-
\??\c:\3xlfllr.exec:\3xlfllr.exe92⤵PID:3052
-
\??\c:\o466262.exec:\o466262.exe93⤵PID:2984
-
\??\c:\jjpvj.exec:\jjpvj.exe94⤵PID:484
-
\??\c:\64846.exec:\64846.exe95⤵PID:888
-
\??\c:\jvppj.exec:\jvppj.exe96⤵PID:1092
-
\??\c:\046666.exec:\046666.exe97⤵PID:2480
-
\??\c:\208882.exec:\208882.exe98⤵PID:2528
-
\??\c:\4862408.exec:\4862408.exe99⤵PID:1892
-
\??\c:\a2024.exec:\a2024.exe100⤵PID:2172
-
\??\c:\jjvvv.exec:\jjvvv.exe101⤵PID:716
-
\??\c:\vjvdp.exec:\vjvdp.exe102⤵PID:560
-
\??\c:\1nhnnn.exec:\1nhnnn.exe103⤵PID:2896
-
\??\c:\hbhhtn.exec:\hbhhtn.exe104⤵PID:688
-
\??\c:\2682066.exec:\2682066.exe105⤵PID:1416
-
\??\c:\1rrfrrr.exec:\1rrfrrr.exe106⤵PID:1096
-
\??\c:\3lfflrf.exec:\3lfflrf.exe107⤵PID:1168
-
\??\c:\llxffxl.exec:\llxffxl.exe108⤵PID:2100
-
\??\c:\bnhbbb.exec:\bnhbbb.exe109⤵PID:1276
-
\??\c:\nhtthh.exec:\nhtthh.exe110⤵PID:900
-
\??\c:\pjddp.exec:\pjddp.exe111⤵PID:1644
-
\??\c:\lfxfrfx.exec:\lfxfrfx.exe112⤵PID:2132
-
\??\c:\7fxxflx.exec:\7fxxflx.exe113⤵PID:2020
-
\??\c:\nhnntn.exec:\nhnntn.exe114⤵PID:2412
-
\??\c:\4606268.exec:\4606268.exe115⤵PID:1872
-
\??\c:\ddvjv.exec:\ddvjv.exe116⤵PID:1216
-
\??\c:\82406.exec:\82406.exe117⤵PID:1448
-
\??\c:\i246668.exec:\i246668.exe118⤵PID:2436
-
\??\c:\a8008.exec:\a8008.exe119⤵PID:2904
-
\??\c:\xxxflrf.exec:\xxxflrf.exe120⤵PID:2668
-
\??\c:\3htntb.exec:\3htntb.exe121⤵PID:2448
-
\??\c:\m4044.exec:\m4044.exe122⤵PID:2916