Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 20:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe
-
Size
455KB
-
MD5
b993acf5ccc1da6c3745f4c467a82a25
-
SHA1
ab8d1302822117db6868e5ea336a1a8f11252cfc
-
SHA256
23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5
-
SHA512
de34da31c4d447e0530356a30239309de61348bdcc282adf7b5f7aaa24cc19653253c7b74753e81862a11ee0e70442b3d65ef0fee27a4a1fdac2aa65a43adbb9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRQ:q7Tc2NYHUrAwfMp3CDRQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2156-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/744-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/444-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2880-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1128-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1128-394-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1128-392-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1384-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-469-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1756-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-1231-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1904-1278-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon behavioral1/memory/444-1285-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/1616-1357-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2132 jddjp.exe 2392 hbnbtt.exe 1620 nbntnb.exe 2232 04244.exe 2880 vpddd.exe 2844 642200.exe 584 824402.exe 3004 xrrxxfl.exe 2980 k24400.exe 2688 o088000.exe 2812 4868842.exe 2176 rllxrxl.exe 844 08002.exe 2680 ddvdv.exe 1956 dpjpd.exe 744 jdddj.exe 1960 2262840.exe 2916 e46402.exe 1240 2646846.exe 2780 48620.exe 2200 nhhhtt.exe 1740 44240.exe 1832 nhbtnt.exe 444 rllrxxl.exe 1800 xfxfxfr.exe 1732 202244.exe 1560 3tbnnt.exe 2356 9xxfrfr.exe 2224 8262846.exe 600 822240.exe 2204 202228.exe 1672 dvjjd.exe 2620 60886.exe 2432 260248.exe 1604 3nhnbb.exe 1656 9jjvd.exe 2508 q42248.exe 2316 k22466.exe 2232 82008.exe 2892 c224620.exe 2184 m4880.exe 2264 488406.exe 2716 48624.exe 2312 c862064.exe 2980 64000.exe 2744 7dvdv.exe 868 pjvdp.exe 1100 00406.exe 1128 486800.exe 2988 pjjvp.exe 3008 dpjjd.exe 2216 266628.exe 1148 604022.exe 1808 4828846.exe 1384 4886262.exe 2920 5pjvj.exe 1788 bhbnbt.exe 2120 dvpvj.exe 1836 648800.exe 3064 bbntbb.exe 1904 o022446.exe 1280 204066.exe 1544 xrrlxfx.exe 1772 thtthn.exe -
resource yara_rule behavioral1/memory/2156-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/744-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-67-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2880-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1128-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-402-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2216-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1128-933-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-1052-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-1065-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2156-1088-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2892-1113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-1157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-1232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-1251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-1324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-1364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-1371-0x00000000003A0000-0x00000000003CA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u428668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2006484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2132 2156 23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe 30 PID 2156 wrote to memory of 2132 2156 23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe 30 PID 2156 wrote to memory of 2132 2156 23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe 30 PID 2156 wrote to memory of 2132 2156 23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe 30 PID 2132 wrote to memory of 2392 2132 jddjp.exe 31 PID 2132 wrote to memory of 2392 2132 jddjp.exe 31 PID 2132 wrote to memory of 2392 2132 jddjp.exe 31 PID 2132 wrote to memory of 2392 2132 jddjp.exe 31 PID 2392 wrote to memory of 1620 2392 hbnbtt.exe 32 PID 2392 wrote to memory of 1620 2392 hbnbtt.exe 32 PID 2392 wrote to memory of 1620 2392 hbnbtt.exe 32 PID 2392 wrote to memory of 1620 2392 hbnbtt.exe 32 PID 1620 wrote to memory of 2232 1620 nbntnb.exe 33 PID 1620 wrote to memory of 2232 1620 nbntnb.exe 33 PID 1620 wrote to memory of 2232 1620 nbntnb.exe 33 PID 1620 wrote to memory of 2232 1620 nbntnb.exe 33 PID 2232 wrote to memory of 2880 2232 04244.exe 34 PID 2232 wrote to memory of 2880 2232 04244.exe 34 PID 2232 wrote to memory of 2880 2232 04244.exe 34 PID 2232 wrote to memory of 2880 2232 04244.exe 34 PID 2880 wrote to memory of 2844 2880 vpddd.exe 35 PID 2880 wrote to memory of 2844 2880 vpddd.exe 35 PID 2880 wrote to memory of 2844 2880 vpddd.exe 35 PID 2880 wrote to memory of 2844 2880 vpddd.exe 35 PID 2844 wrote to memory of 584 2844 642200.exe 36 PID 2844 wrote to memory of 584 2844 642200.exe 36 PID 2844 wrote to memory of 584 2844 642200.exe 36 PID 2844 wrote to memory of 584 2844 642200.exe 36 PID 584 wrote to memory of 3004 584 824402.exe 37 PID 584 wrote to memory of 3004 584 824402.exe 37 PID 584 wrote to memory of 3004 584 824402.exe 37 PID 584 wrote to memory of 3004 584 824402.exe 37 PID 3004 wrote to memory of 2980 3004 xrrxxfl.exe 38 PID 3004 wrote to memory of 2980 
3004 xrrxxfl.exe 38 PID 3004 wrote to memory of 2980 3004 xrrxxfl.exe 38 PID 3004 wrote to memory of 2980 3004 xrrxxfl.exe 38 PID 2980 wrote to memory of 2688 2980 k24400.exe 39 PID 2980 wrote to memory of 2688 2980 k24400.exe 39 PID 2980 wrote to memory of 2688 2980 k24400.exe 39 PID 2980 wrote to memory of 2688 2980 k24400.exe 39 PID 2688 wrote to memory of 2812 2688 o088000.exe 40 PID 2688 wrote to memory of 2812 2688 o088000.exe 40 PID 2688 wrote to memory of 2812 2688 o088000.exe 40 PID 2688 wrote to memory of 2812 2688 o088000.exe 40 PID 2812 wrote to memory of 2176 2812 4868842.exe 41 PID 2812 wrote to memory of 2176 2812 4868842.exe 41 PID 2812 wrote to memory of 2176 2812 4868842.exe 41 PID 2812 wrote to memory of 2176 2812 4868842.exe 41 PID 2176 wrote to memory of 844 2176 rllxrxl.exe 42 PID 2176 wrote to memory of 844 2176 rllxrxl.exe 42 PID 2176 wrote to memory of 844 2176 rllxrxl.exe 42 PID 2176 wrote to memory of 844 2176 rllxrxl.exe 42 PID 844 wrote to memory of 2680 844 08002.exe 43 PID 844 wrote to memory of 2680 844 08002.exe 43 PID 844 wrote to memory of 2680 844 08002.exe 43 PID 844 wrote to memory of 2680 844 08002.exe 43 PID 2680 wrote to memory of 1956 2680 ddvdv.exe 44 PID 2680 wrote to memory of 1956 2680 ddvdv.exe 44 PID 2680 wrote to memory of 1956 2680 ddvdv.exe 44 PID 2680 wrote to memory of 1956 2680 ddvdv.exe 44 PID 1956 wrote to memory of 744 1956 dpjpd.exe 45 PID 1956 wrote to memory of 744 1956 dpjpd.exe 45 PID 1956 wrote to memory of 744 1956 dpjpd.exe 45 PID 1956 wrote to memory of 744 1956 dpjpd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe"C:\Users\Admin\AppData\Local\Temp\23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\jddjp.exec:\jddjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\hbnbtt.exec:\hbnbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\nbntnb.exec:\nbntnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\04244.exec:\04244.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\vpddd.exec:\vpddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\642200.exec:\642200.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\824402.exec:\824402.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\xrrxxfl.exec:\xrrxxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\k24400.exec:\k24400.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\o088000.exec:\o088000.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\4868842.exec:\4868842.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\rllxrxl.exec:\rllxrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\08002.exec:\08002.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\ddvdv.exec:\ddvdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\dpjpd.exec:\dpjpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\jdddj.exec:\jdddj.exe17⤵
- Executes dropped EXE
PID:744 -
\??\c:\2262840.exec:\2262840.exe18⤵
- Executes dropped EXE
PID:1960 -
\??\c:\e46402.exec:\e46402.exe19⤵
- Executes dropped EXE
PID:2916 -
\??\c:\2646846.exec:\2646846.exe20⤵
- Executes dropped EXE
PID:1240 -
\??\c:\48620.exec:\48620.exe21⤵
- Executes dropped EXE
PID:2780 -
\??\c:\nhhhtt.exec:\nhhhtt.exe22⤵
- Executes dropped EXE
PID:2200 -
\??\c:\44240.exec:\44240.exe23⤵
- Executes dropped EXE
PID:1740 -
\??\c:\nhbtnt.exec:\nhbtnt.exe24⤵
- Executes dropped EXE
PID:1832 -
\??\c:\rllrxxl.exec:\rllrxxl.exe25⤵
- Executes dropped EXE
PID:444 -
\??\c:\xfxfxfr.exec:\xfxfxfr.exe26⤵
- Executes dropped EXE
PID:1800 -
\??\c:\202244.exec:\202244.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1732 -
\??\c:\3tbnnt.exec:\3tbnnt.exe28⤵
- Executes dropped EXE
PID:1560 -
\??\c:\9xxfrfr.exec:\9xxfrfr.exe29⤵
- Executes dropped EXE
PID:2356 -
\??\c:\8262846.exec:\8262846.exe30⤵
- Executes dropped EXE
PID:2224 -
\??\c:\822240.exec:\822240.exe31⤵
- Executes dropped EXE
PID:600 -
\??\c:\202228.exec:\202228.exe32⤵
- Executes dropped EXE
PID:2204 -
\??\c:\dvjjd.exec:\dvjjd.exe33⤵
- Executes dropped EXE
PID:1672 -
\??\c:\60886.exec:\60886.exe34⤵
- Executes dropped EXE
PID:2620 -
\??\c:\260248.exec:\260248.exe35⤵
- Executes dropped EXE
PID:2432 -
\??\c:\3nhnbb.exec:\3nhnbb.exe36⤵
- Executes dropped EXE
PID:1604 -
\??\c:\9jjvd.exec:\9jjvd.exe37⤵
- Executes dropped EXE
PID:1656 -
\??\c:\q42248.exec:\q42248.exe38⤵
- Executes dropped EXE
PID:2508 -
\??\c:\k22466.exec:\k22466.exe39⤵
- Executes dropped EXE
PID:2316 -
\??\c:\82008.exec:\82008.exe40⤵
- Executes dropped EXE
PID:2232 -
\??\c:\c224620.exec:\c224620.exe41⤵
- Executes dropped EXE
PID:2892 -
\??\c:\m4880.exec:\m4880.exe42⤵
- Executes dropped EXE
PID:2184 -
\??\c:\488406.exec:\488406.exe43⤵
- Executes dropped EXE
PID:2264 -
\??\c:\48624.exec:\48624.exe44⤵
- Executes dropped EXE
PID:2716 -
\??\c:\c862064.exec:\c862064.exe45⤵
- Executes dropped EXE
PID:2312 -
\??\c:\64000.exec:\64000.exe46⤵
- Executes dropped EXE
PID:2980 -
\??\c:\7dvdv.exec:\7dvdv.exe47⤵
- Executes dropped EXE
PID:2744 -
\??\c:\pjvdp.exec:\pjvdp.exe48⤵
- Executes dropped EXE
PID:868 -
\??\c:\00406.exec:\00406.exe49⤵
- Executes dropped EXE
PID:1100 -
\??\c:\486800.exec:\486800.exe50⤵
- Executes dropped EXE
PID:1128 -
\??\c:\pjjvp.exec:\pjjvp.exe51⤵
- Executes dropped EXE
PID:2988 -
\??\c:\dpjjd.exec:\dpjjd.exe52⤵
- Executes dropped EXE
PID:3008 -
\??\c:\266628.exec:\266628.exe53⤵
- Executes dropped EXE
PID:2216 -
\??\c:\604022.exec:\604022.exe54⤵
- Executes dropped EXE
PID:1148 -
\??\c:\4828846.exec:\4828846.exe55⤵
- Executes dropped EXE
PID:1808 -
\??\c:\4886262.exec:\4886262.exe56⤵
- Executes dropped EXE
PID:1384 -
\??\c:\5pjvj.exec:\5pjvj.exe57⤵
- Executes dropped EXE
PID:2920 -
\??\c:\bhbnbt.exec:\bhbnbt.exe58⤵
- Executes dropped EXE
PID:1788 -
\??\c:\dvpvj.exec:\dvpvj.exe59⤵
- Executes dropped EXE
PID:2120 -
\??\c:\648800.exec:\648800.exe60⤵
- Executes dropped EXE
PID:1836 -
\??\c:\bbntbb.exec:\bbntbb.exe61⤵
- Executes dropped EXE
PID:3064 -
\??\c:\o022446.exec:\o022446.exe62⤵
- Executes dropped EXE
PID:1904 -
\??\c:\204066.exec:\204066.exe63⤵
- Executes dropped EXE
PID:1280 -
\??\c:\xrrlxfx.exec:\xrrlxfx.exe64⤵
- Executes dropped EXE
PID:1544 -
\??\c:\thtthn.exec:\thtthn.exe65⤵
- Executes dropped EXE
PID:1772 -
\??\c:\602808.exec:\602808.exe66⤵PID:1756
-
\??\c:\bbttnn.exec:\bbttnn.exe67⤵PID:2196
-
\??\c:\m2620.exec:\m2620.exe68⤵PID:2060
-
\??\c:\4802006.exec:\4802006.exe69⤵PID:764
-
\??\c:\fxrxlxl.exec:\fxrxlxl.exe70⤵PID:2424
-
\??\c:\48686.exec:\48686.exe71⤵PID:1396
-
\??\c:\lflrxxx.exec:\lflrxxx.exe72⤵PID:2656
-
\??\c:\486684.exec:\486684.exe73⤵PID:2644
-
\??\c:\3dddd.exec:\3dddd.exe74⤵PID:2116
-
\??\c:\86022.exec:\86022.exe75⤵PID:2052
-
\??\c:\48808.exec:\48808.exe76⤵PID:2248
-
\??\c:\046806.exec:\046806.exe77⤵PID:2772
-
\??\c:\1jdpv.exec:\1jdpv.exe78⤵PID:2476
-
\??\c:\486688.exec:\486688.exe79⤵PID:2556
-
\??\c:\602884.exec:\602884.exe80⤵PID:2848
-
\??\c:\lrrxlfx.exec:\lrrxlfx.exe81⤵PID:2880
-
\??\c:\pvppp.exec:\pvppp.exe82⤵PID:2716
-
\??\c:\3rfrxlx.exec:\3rfrxlx.exe83⤵PID:3028
-
\??\c:\268446.exec:\268446.exe84⤵PID:2832
-
\??\c:\bthbhb.exec:\bthbhb.exe85⤵PID:2560
-
\??\c:\04246.exec:\04246.exe86⤵PID:2704
-
\??\c:\xfllrxr.exec:\xfllrxr.exe87⤵PID:1936
-
\??\c:\e28602.exec:\e28602.exe88⤵PID:2724
-
\??\c:\420024.exec:\420024.exe89⤵PID:2308
-
\??\c:\080462.exec:\080462.exe90⤵PID:1720
-
\??\c:\dvdjv.exec:\dvdjv.exe91⤵PID:2484
-
\??\c:\bnbbnn.exec:\bnbbnn.exe92⤵PID:2680
-
\??\c:\btnbtn.exec:\btnbtn.exe93⤵PID:1840
-
\??\c:\ddjjv.exec:\ddjjv.exe94⤵PID:784
-
\??\c:\ppvdd.exec:\ppvdd.exe95⤵PID:2792
-
\??\c:\8880240.exec:\8880240.exe96⤵PID:852
-
\??\c:\u428444.exec:\u428444.exe97⤵PID:1928
-
\??\c:\btnthn.exec:\btnthn.exe98⤵PID:1808
-
\??\c:\5vjpd.exec:\5vjpd.exe99⤵PID:1240
-
\??\c:\1nbbtt.exec:\1nbbtt.exe100⤵PID:1760
-
\??\c:\tnbhnb.exec:\tnbhnb.exe101⤵PID:2276
-
\??\c:\pjppj.exec:\pjppj.exe102⤵PID:2324
-
\??\c:\hbnthb.exec:\hbnthb.exe103⤵PID:320
-
\??\c:\204628.exec:\204628.exe104⤵PID:1248
-
\??\c:\420066.exec:\420066.exe105⤵PID:444
-
\??\c:\280288.exec:\280288.exe106⤵PID:1800
-
\??\c:\pvjpj.exec:\pvjpj.exe107⤵PID:1352
-
\??\c:\hhbntn.exec:\hhbntn.exe108⤵PID:1544
-
\??\c:\tnhthn.exec:\tnhthn.exe109⤵PID:1772
-
\??\c:\7ddpd.exec:\7ddpd.exe110⤵PID:1756
-
\??\c:\1rrrlxr.exec:\1rrrlxr.exe111⤵PID:972
-
\??\c:\s4468.exec:\s4468.exe112⤵PID:756
-
\??\c:\g2086.exec:\g2086.exe113⤵PID:764
-
\??\c:\042800.exec:\042800.exe114⤵PID:772
-
\??\c:\c040624.exec:\c040624.exe115⤵PID:2100
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe116⤵PID:1580
-
\??\c:\vpjpd.exec:\vpjpd.exe117⤵
- System Location Discovery: System Language Discovery
PID:2156 -
\??\c:\044248.exec:\044248.exe118⤵PID:2116
-
\??\c:\ppvdp.exec:\ppvdp.exe119⤵PID:2056
-
\??\c:\o866846.exec:\o866846.exe120⤵PID:2248
-
\??\c:\2084662.exec:\2084662.exe121⤵PID:2068
-
\??\c:\s4224.exec:\s4224.exe122⤵PID:2476