Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 19:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
08135e419a9611033b74b4cee56d374da783ae605dead077269a4e9465abbe67.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
08135e419a9611033b74b4cee56d374da783ae605dead077269a4e9465abbe67.exe
-
Size
455KB
-
MD5
c7f1f4b8ae83f4a1949435c9192845a0
-
SHA1
7fc551e6b21a57f222aa3f10d744ea20b0b9ebbf
-
SHA256
08135e419a9611033b74b4cee56d374da783ae605dead077269a4e9465abbe67
-
SHA512
0c22de0dac2048c13cd8f44f1c46f009a981b85c1ea34a55708be5e857a24679e8c1141c94c9cf5ae2d9142eea5e231d1c96dc83ddf5b5e2d164dd219799ca34
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR4:q7Tc2NYHUrAwfMp3CDR4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2136-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1968-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1376-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-482-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2168-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/752-540-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1692-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-667-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2032-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-898-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-905-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2996-940-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2620-961-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2744 1xrrxxf.exe 2920 q02282.exe 2932 hbbbhn.exe 2344 c422822.exe 2352 m4622.exe 2636 i866884.exe 2756 fxxxxfr.exe 2532 hnbnhn.exe 2044 8088066.exe 2444 lxxfllr.exe 1476 vpddv.exe 3016 nhbbbb.exe 2908 64600.exe 1248 jvjpv.exe 1900 6028628.exe 1272 o800040.exe 1052 lxxxfxf.exe 2576 4848406.exe 2140 64620.exe 2512 4206664.exe 2320 rfxrffl.exe 1680 lfllxxl.exe 2588 424862.exe 696 tnbnbb.exe 776 pjvvj.exe 664 w86060.exe 1940 2422884.exe 1256 vpdjv.exe 2052 868282.exe 1968 vjppp.exe 1568 rfllxxf.exe 2092 hhbnbn.exe 2136 9lffrrx.exe 1564 9jjjp.exe 2916 hthnbh.exe 2852 nhtntt.exe 3068 htbbth.exe 2660 jjvvj.exe 2688 nbhhhh.exe 2644 pjvjv.exe 2628 5dvvd.exe 2464 7nhbbt.exe 2068 9xrxlrf.exe 2532 3jjdj.exe 2460 nbnttt.exe 2448 3hhhnt.exe 2176 6040224.exe 3008 86446.exe 3016 5fxlxfl.exe 2032 jvjpv.exe 2472 dpdjp.exe 1044 4240224.exe 900 jdvjv.exe 2020 480600.exe 1924 82024.exe 1776 3hbbbh.exe 2212 rlffxfx.exe 316 3jjjv.exe 2088 482826.exe 2340 nbnntt.exe 1376 8262804.exe 2172 2084000.exe 1148 8022006.exe 2588 dpvvv.exe -
resource yara_rule behavioral1/memory/2136-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-273-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1568-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-987-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-1012-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/908-1063-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-1070-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-1138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-1236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-1286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-1299-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0080222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o046404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2640626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8866886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0846000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2744 2136 08135e419a9611033b74b4cee56d374da783ae605dead077269a4e9465abbe67.exe 31 PID 2136 wrote to memory of 2744 2136 08135e419a9611033b74b4cee56d374da783ae605dead077269a4e9465abbe67.exe 31 PID 2136 wrote to memory of 2744 2136 08135e419a9611033b74b4cee56d374da783ae605dead077269a4e9465abbe67.exe 31 PID 2136 wrote to memory of 2744 2136 08135e419a9611033b74b4cee56d374da783ae605dead077269a4e9465abbe67.exe 31 PID 2744 wrote to memory of 2920 2744 1xrrxxf.exe 32 PID 2744 wrote to memory of 2920 2744 1xrrxxf.exe 32 PID 2744 wrote to memory of 2920 2744 1xrrxxf.exe 32 PID 2744 wrote to memory of 2920 2744 1xrrxxf.exe 32 PID 2920 wrote to memory of 2932 2920 q02282.exe 33 PID 2920 wrote to memory of 2932 2920 q02282.exe 33 PID 2920 wrote to memory of 2932 2920 q02282.exe 33 PID 2920 wrote to memory of 2932 2920 q02282.exe 33 PID 2932 wrote to memory of 2344 2932 hbbbhn.exe 34 PID 2932 wrote to memory of 2344 2932 hbbbhn.exe 34 PID 2932 wrote to memory of 2344 2932 hbbbhn.exe 34 PID 2932 wrote to memory of 2344 2932 hbbbhn.exe 34 PID 2344 wrote to memory of 2352 2344 c422822.exe 35 PID 2344 wrote to memory of 2352 2344 c422822.exe 35 PID 2344 wrote to memory of 2352 2344 c422822.exe 35 PID 2344 wrote to memory of 2352 2344 c422822.exe 35 PID 2352 wrote to memory of 2636 2352 m4622.exe 36 PID 2352 wrote to memory of 2636 2352 m4622.exe 36 PID 2352 wrote to memory of 2636 2352 m4622.exe 36 PID 2352 wrote to memory of 2636 2352 m4622.exe 36 PID 2636 wrote to memory of 2756 2636 i866884.exe 37 PID 2636 wrote to memory of 2756 2636 i866884.exe 37 PID 2636 wrote to memory of 2756 2636 i866884.exe 37 PID 2636 wrote to memory of 2756 2636 i866884.exe 37 PID 2756 wrote to memory of 2532 2756 fxxxxfr.exe 38 PID 2756 wrote to memory of 2532 2756 fxxxxfr.exe 38 PID 2756 wrote to memory of 2532 2756 fxxxxfr.exe 38 PID 2756 wrote to memory of 2532 2756 fxxxxfr.exe 38 PID 2532 wrote to memory of 2044 2532 hnbnhn.exe 39 
PID 2532 wrote to memory of 2044 2532 hnbnhn.exe 39 PID 2532 wrote to memory of 2044 2532 hnbnhn.exe 39 PID 2532 wrote to memory of 2044 2532 hnbnhn.exe 39 PID 2044 wrote to memory of 2444 2044 8088066.exe 40 PID 2044 wrote to memory of 2444 2044 8088066.exe 40 PID 2044 wrote to memory of 2444 2044 8088066.exe 40 PID 2044 wrote to memory of 2444 2044 8088066.exe 40 PID 2444 wrote to memory of 1476 2444 lxxfllr.exe 41 PID 2444 wrote to memory of 1476 2444 lxxfllr.exe 41 PID 2444 wrote to memory of 1476 2444 lxxfllr.exe 41 PID 2444 wrote to memory of 1476 2444 lxxfllr.exe 41 PID 1476 wrote to memory of 3016 1476 vpddv.exe 42 PID 1476 wrote to memory of 3016 1476 vpddv.exe 42 PID 1476 wrote to memory of 3016 1476 vpddv.exe 42 PID 1476 wrote to memory of 3016 1476 vpddv.exe 42 PID 3016 wrote to memory of 2908 3016 nhbbbb.exe 43 PID 3016 wrote to memory of 2908 3016 nhbbbb.exe 43 PID 3016 wrote to memory of 2908 3016 nhbbbb.exe 43 PID 3016 wrote to memory of 2908 3016 nhbbbb.exe 43 PID 2908 wrote to memory of 1248 2908 64600.exe 44 PID 2908 wrote to memory of 1248 2908 64600.exe 44 PID 2908 wrote to memory of 1248 2908 64600.exe 44 PID 2908 wrote to memory of 1248 2908 64600.exe 44 PID 1248 wrote to memory of 1900 1248 jvjpv.exe 45 PID 1248 wrote to memory of 1900 1248 jvjpv.exe 45 PID 1248 wrote to memory of 1900 1248 jvjpv.exe 45 PID 1248 wrote to memory of 1900 1248 jvjpv.exe 45 PID 1900 wrote to memory of 1272 1900 6028628.exe 46 PID 1900 wrote to memory of 1272 1900 6028628.exe 46 PID 1900 wrote to memory of 1272 1900 6028628.exe 46 PID 1900 wrote to memory of 1272 1900 6028628.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\08135e419a9611033b74b4cee56d374da783ae605dead077269a4e9465abbe67.exe"C:\Users\Admin\AppData\Local\Temp\08135e419a9611033b74b4cee56d374da783ae605dead077269a4e9465abbe67.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\1xrrxxf.exec:\1xrrxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\q02282.exec:\q02282.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\hbbbhn.exec:\hbbbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\c422822.exec:\c422822.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\m4622.exec:\m4622.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\i866884.exec:\i866884.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\fxxxxfr.exec:\fxxxxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\hnbnhn.exec:\hnbnhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\8088066.exec:\8088066.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\lxxfllr.exec:\lxxfllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\vpddv.exec:\vpddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\nhbbbb.exec:\nhbbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\64600.exec:\64600.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\jvjpv.exec:\jvjpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\6028628.exec:\6028628.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\o800040.exec:\o800040.exe17⤵
- Executes dropped EXE
PID:1272 -
\??\c:\lxxxfxf.exec:\lxxxfxf.exe18⤵
- Executes dropped EXE
PID:1052 -
\??\c:\4848406.exec:\4848406.exe19⤵
- Executes dropped EXE
PID:2576 -
\??\c:\64620.exec:\64620.exe20⤵
- Executes dropped EXE
PID:2140 -
\??\c:\4206664.exec:\4206664.exe21⤵
- Executes dropped EXE
PID:2512 -
\??\c:\rfxrffl.exec:\rfxrffl.exe22⤵
- Executes dropped EXE
PID:2320 -
\??\c:\lfllxxl.exec:\lfllxxl.exe23⤵
- Executes dropped EXE
PID:1680 -
\??\c:\424862.exec:\424862.exe24⤵
- Executes dropped EXE
PID:2588 -
\??\c:\tnbnbb.exec:\tnbnbb.exe25⤵
- Executes dropped EXE
PID:696 -
\??\c:\pjvvj.exec:\pjvvj.exe26⤵
- Executes dropped EXE
PID:776 -
\??\c:\w86060.exec:\w86060.exe27⤵
- Executes dropped EXE
PID:664 -
\??\c:\2422884.exec:\2422884.exe28⤵
- Executes dropped EXE
PID:1940 -
\??\c:\vpdjv.exec:\vpdjv.exe29⤵
- Executes dropped EXE
PID:1256 -
\??\c:\868282.exec:\868282.exe30⤵
- Executes dropped EXE
PID:2052 -
\??\c:\vjppp.exec:\vjppp.exe31⤵
- Executes dropped EXE
PID:1968 -
\??\c:\rfllxxf.exec:\rfllxxf.exe32⤵
- Executes dropped EXE
PID:1568 -
\??\c:\hhbnbn.exec:\hhbnbn.exe33⤵
- Executes dropped EXE
PID:2092 -
\??\c:\9lffrrx.exec:\9lffrrx.exe34⤵
- Executes dropped EXE
PID:2136 -
\??\c:\9jjjp.exec:\9jjjp.exe35⤵
- Executes dropped EXE
PID:1564 -
\??\c:\hthnbh.exec:\hthnbh.exe36⤵
- Executes dropped EXE
PID:2916 -
\??\c:\nhtntt.exec:\nhtntt.exe37⤵
- Executes dropped EXE
PID:2852 -
\??\c:\htbbth.exec:\htbbth.exe38⤵
- Executes dropped EXE
PID:3068 -
\??\c:\jjvvj.exec:\jjvvj.exe39⤵
- Executes dropped EXE
PID:2660 -
\??\c:\nbhhhh.exec:\nbhhhh.exe40⤵
- Executes dropped EXE
PID:2688 -
\??\c:\pjvjv.exec:\pjvjv.exe41⤵
- Executes dropped EXE
PID:2644 -
\??\c:\5dvvd.exec:\5dvvd.exe42⤵
- Executes dropped EXE
PID:2628 -
\??\c:\7nhbbt.exec:\7nhbbt.exe43⤵
- Executes dropped EXE
PID:2464 -
\??\c:\9xrxlrf.exec:\9xrxlrf.exe44⤵
- Executes dropped EXE
PID:2068 -
\??\c:\3jjdj.exec:\3jjdj.exe45⤵
- Executes dropped EXE
PID:2532 -
\??\c:\nbnttt.exec:\nbnttt.exe46⤵
- Executes dropped EXE
PID:2460 -
\??\c:\3hhhnt.exec:\3hhhnt.exe47⤵
- Executes dropped EXE
PID:2448 -
\??\c:\6040224.exec:\6040224.exe48⤵
- Executes dropped EXE
PID:2176 -
\??\c:\86446.exec:\86446.exe49⤵
- Executes dropped EXE
PID:3008 -
\??\c:\5fxlxfl.exec:\5fxlxfl.exe50⤵
- Executes dropped EXE
PID:3016 -
\??\c:\jvjpv.exec:\jvjpv.exe51⤵
- Executes dropped EXE
PID:2032 -
\??\c:\dpdjp.exec:\dpdjp.exe52⤵
- Executes dropped EXE
PID:2472 -
\??\c:\4240224.exec:\4240224.exe53⤵
- Executes dropped EXE
PID:1044 -
\??\c:\jdvjv.exec:\jdvjv.exe54⤵
- Executes dropped EXE
PID:900 -
\??\c:\480600.exec:\480600.exe55⤵
- Executes dropped EXE
PID:2020 -
\??\c:\82024.exec:\82024.exe56⤵
- Executes dropped EXE
PID:1924 -
\??\c:\3hbbbh.exec:\3hbbbh.exe57⤵
- Executes dropped EXE
PID:1776 -
\??\c:\rlffxfx.exec:\rlffxfx.exe58⤵
- Executes dropped EXE
PID:2212 -
\??\c:\3jjjv.exec:\3jjjv.exe59⤵
- Executes dropped EXE
PID:316 -
\??\c:\482826.exec:\482826.exe60⤵
- Executes dropped EXE
PID:2088 -
\??\c:\nbnntt.exec:\nbnntt.exe61⤵
- Executes dropped EXE
PID:2340 -
\??\c:\8262804.exec:\8262804.exe62⤵
- Executes dropped EXE
PID:1376 -
\??\c:\2084000.exec:\2084000.exe63⤵
- Executes dropped EXE
PID:2172 -
\??\c:\8022006.exec:\8022006.exe64⤵
- Executes dropped EXE
PID:1148 -
\??\c:\dpvvv.exec:\dpvvv.exe65⤵
- Executes dropped EXE
PID:2588 -
\??\c:\nnnbnt.exec:\nnnbnt.exe66⤵PID:952
-
\??\c:\djdvd.exec:\djdvd.exe67⤵PID:2204
-
\??\c:\nhbbnn.exec:\nhbbnn.exe68⤵PID:1760
-
\??\c:\60242.exec:\60242.exe69⤵PID:2196
-
\??\c:\6644662.exec:\6644662.exe70⤵PID:1756
-
\??\c:\g4048.exec:\g4048.exe71⤵PID:2168
-
\??\c:\s2020.exec:\s2020.exe72⤵PID:752
-
\??\c:\646200.exec:\646200.exe73⤵PID:1804
-
\??\c:\4686268.exec:\4686268.exe74⤵PID:1672
-
\??\c:\6868468.exec:\6868468.exe75⤵PID:1692
-
\??\c:\c640220.exec:\c640220.exe76⤵PID:324
-
\??\c:\46888.exec:\46888.exe77⤵PID:2836
-
\??\c:\7hnhnn.exec:\7hnhnn.exe78⤵PID:1588
-
\??\c:\vdjjj.exec:\vdjjj.exe79⤵PID:2828
-
\??\c:\7rxxlfl.exec:\7rxxlfl.exe80⤵PID:2844
-
\??\c:\ddvvd.exec:\ddvvd.exe81⤵PID:2932
-
\??\c:\o640622.exec:\o640622.exe82⤵PID:3068
-
\??\c:\s4844.exec:\s4844.exe83⤵PID:3032
-
\??\c:\868444.exec:\868444.exe84⤵PID:2940
-
\??\c:\pjvjp.exec:\pjvjp.exe85⤵PID:2648
-
\??\c:\nhnhnn.exec:\nhnhnn.exe86⤵PID:1300
-
\??\c:\fxlrlrx.exec:\fxlrlrx.exe87⤵PID:2296
-
\??\c:\nnhtbb.exec:\nnhtbb.exe88⤵PID:2256
-
\??\c:\7dpvv.exec:\7dpvv.exe89⤵PID:2452
-
\??\c:\k04622.exec:\k04622.exe90⤵PID:2928
-
\??\c:\6406266.exec:\6406266.exe91⤵PID:2444
-
\??\c:\ffrflxf.exec:\ffrflxf.exe92⤵PID:2896
-
\??\c:\jpjpd.exec:\jpjpd.exe93⤵PID:2876
-
\??\c:\vdpdp.exec:\vdpdp.exe94⤵PID:3016
-
\??\c:\86880.exec:\86880.exe95⤵PID:2032
-
\??\c:\rffxflf.exec:\rffxflf.exe96⤵PID:2276
-
\??\c:\dvjpv.exec:\dvjpv.exe97⤵PID:1984
-
\??\c:\pddvj.exec:\pddvj.exe98⤵PID:3004
-
\??\c:\hnhhnn.exec:\hnhhnn.exe99⤵PID:2388
-
\??\c:\208640.exec:\208640.exe100⤵PID:2376
-
\??\c:\1dppp.exec:\1dppp.exe101⤵PID:840
-
\??\c:\1fllllx.exec:\1fllllx.exe102⤵PID:1132
-
\??\c:\vpvvd.exec:\vpvvd.exe103⤵PID:2332
-
\??\c:\nbbthb.exec:\nbbthb.exe104⤵PID:2288
-
\??\c:\88280.exec:\88280.exe105⤵PID:2520
-
\??\c:\jdddd.exec:\jdddd.exe106⤵PID:1096
-
\??\c:\1bbtnn.exec:\1bbtnn.exe107⤵PID:1500
-
\??\c:\64660.exec:\64660.exe108⤵PID:2412
-
\??\c:\a8224.exec:\a8224.exe109⤵PID:1772
-
\??\c:\tthnbb.exec:\tthnbb.exe110⤵PID:1532
-
\??\c:\q08468.exec:\q08468.exe111⤵PID:2324
-
\??\c:\42624.exec:\42624.exe112⤵PID:2516
-
\??\c:\4862442.exec:\4862442.exe113⤵PID:2552
-
\??\c:\tbbnnn.exec:\tbbnnn.exe114⤵PID:2240
-
\??\c:\64224.exec:\64224.exe115⤵PID:2052
-
\??\c:\2002406.exec:\2002406.exe116⤵PID:3064
-
\??\c:\fxrxlrx.exec:\fxrxlrx.exe117⤵PID:3060
-
\??\c:\4806002.exec:\4806002.exe118⤵PID:1676
-
\??\c:\6066606.exec:\6066606.exe119⤵PID:2776
-
\??\c:\ddjvp.exec:\ddjvp.exe120⤵PID:2136
-
\??\c:\60846.exec:\60846.exe121⤵PID:1564
-
\??\c:\lfxfflr.exec:\lfxfflr.exe122⤵PID:2792