Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 01:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe
-
Size
453KB
-
MD5
6f15a998b54aa1da248ae4e9f5881417
-
SHA1
fa2fdacc0902d688f6f7ec88d7d42ab38cde75e6
-
SHA256
a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9
-
SHA512
d9ae53aeffb4e018661274b9b7757e6d03782902cebe00bf6dcd2d489fa7b0ed3b6af9210eb6f1aba9c31e660f8ab9af7b09bad1c9f4d78bafc5562c1ff9e62e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2412-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-35-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1660-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-108-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2904-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2444-299-0x0000000076E10000-0x0000000076F2F000-memory.dmp family_blackmoon behavioral1/memory/1712-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/576-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-599-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1156-630-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2804-643-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2884-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-697-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2572-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/692-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-392-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1632-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-241-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2564-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1192-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1540-717-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/316-732-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1536-787-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1480-800-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-816-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/892-835-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2392-865-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1376-980-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1540-991-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1500-1127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2664-1141-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1544-1154-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1264-1158-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2844-1168-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1240 08086.exe 1908 9bhhnn.exe 1660 i842266.exe 780 4682824.exe 2832 pdjjp.exe 2960 tnbhbn.exe 2700 080622.exe 2980 dvjjp.exe 2856 264428.exe 2704 0806280.exe 1280 20880.exe 2904 864460.exe 2908 208288.exe 840 9lflrlx.exe 3060 u460666.exe 1552 0844440.exe 2560 604066.exe 2152 thtbnt.exe 2376 64262.exe 1192 k42804.exe 1256 fffrllr.exe 2172 7xffrxl.exe 960 6466888.exe 2564 424400.exe 2200 i684062.exe 896 bnbntn.exe 1572 3jvvd.exe 1632 pjvvv.exe 2640 82008.exe 2488 468284.exe 2056 2462884.exe 2444 k02888.exe 1028 9ppjp.exe 1712 q42248.exe 1984 20602.exe 2612 i644028.exe 2496 k44806.exe 2928 xrffllx.exe 2940 hbhnnn.exe 576 0862406.exe 2816 pdvvd.exe 2840 68000.exe 2452 s4668.exe 1948 dvjdv.exe 2864 o806606.exe 3056 42624.exe 844 i240084.exe 2900 9fxrxxf.exe 692 q46688.exe 1820 xrflrxf.exe 768 646660.exe 316 5fffrlr.exe 1540 68062.exe 2524 pdvvd.exe 2572 80824.exe 1060 frflrrx.exe 2492 jvdpp.exe 2996 s6844.exe 1792 xlxrxrr.exe 2168 thtbnt.exe 2280 5rxxrrr.exe 956 i040662.exe 848 ffxxllr.exe 2008 fxffllx.exe -
resource yara_rule behavioral1/memory/2412-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-35-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1660-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-299-0x0000000076E10000-0x0000000076F2F000-memory.dmp upx 
behavioral1/memory/1712-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-868-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2856-917-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-973-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-981-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-991-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1964-1129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-1154-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2844-1168-0x00000000001B0000-0x00000000001DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8880846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4688440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u262446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k60066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2084006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 1240 2412 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 30 PID 2412 wrote to memory of 1240 2412 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 30 PID 2412 wrote to memory of 1240 2412 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 30 PID 2412 wrote to memory of 1240 2412 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 30 PID 1240 wrote to memory of 1908 1240 08086.exe 31 PID 1240 wrote to memory of 1908 1240 08086.exe 31 PID 1240 wrote to memory of 1908 1240 08086.exe 31 PID 1240 wrote to memory of 1908 1240 08086.exe 31 PID 1908 wrote to memory of 1660 1908 9bhhnn.exe 32 PID 1908 wrote to memory of 1660 1908 9bhhnn.exe 32 PID 1908 wrote to memory of 1660 1908 9bhhnn.exe 32 PID 1908 wrote to memory of 1660 1908 9bhhnn.exe 32 PID 1660 wrote to memory of 780 1660 i842266.exe 33 PID 1660 wrote to memory of 780 1660 i842266.exe 33 PID 1660 wrote to memory of 780 1660 i842266.exe 33 PID 1660 wrote to memory of 780 1660 i842266.exe 33 PID 780 wrote to memory of 2832 780 4682824.exe 34 PID 780 wrote to memory of 2832 780 4682824.exe 34 PID 780 wrote to memory of 2832 780 4682824.exe 34 PID 780 wrote to memory of 2832 780 4682824.exe 34 PID 2832 wrote to memory of 2960 2832 pdjjp.exe 35 PID 2832 wrote to memory of 2960 2832 pdjjp.exe 35 PID 2832 wrote to memory of 2960 2832 pdjjp.exe 35 PID 2832 wrote to memory of 2960 2832 pdjjp.exe 35 PID 2960 wrote to memory of 2700 2960 tnbhbn.exe 114 PID 2960 wrote to memory of 2700 2960 tnbhbn.exe 114 PID 2960 wrote to memory of 2700 2960 tnbhbn.exe 114 PID 2960 wrote to memory of 2700 2960 tnbhbn.exe 114 PID 2700 wrote to memory of 2980 2700 080622.exe 37 PID 2700 wrote to memory of 2980 2700 080622.exe 37 PID 2700 wrote to memory of 2980 2700 080622.exe 37 PID 2700 wrote to memory of 2980 2700 080622.exe 37 PID 2980 wrote to memory of 2856 2980 dvjjp.exe 38 PID 2980 wrote to 
memory of 2856 2980 dvjjp.exe 38 PID 2980 wrote to memory of 2856 2980 dvjjp.exe 38 PID 2980 wrote to memory of 2856 2980 dvjjp.exe 38 PID 2856 wrote to memory of 2704 2856 264428.exe 39 PID 2856 wrote to memory of 2704 2856 264428.exe 39 PID 2856 wrote to memory of 2704 2856 264428.exe 39 PID 2856 wrote to memory of 2704 2856 264428.exe 39 PID 2704 wrote to memory of 1280 2704 0806280.exe 40 PID 2704 wrote to memory of 1280 2704 0806280.exe 40 PID 2704 wrote to memory of 1280 2704 0806280.exe 40 PID 2704 wrote to memory of 1280 2704 0806280.exe 40 PID 1280 wrote to memory of 2904 1280 20880.exe 41 PID 1280 wrote to memory of 2904 1280 20880.exe 41 PID 1280 wrote to memory of 2904 1280 20880.exe 41 PID 1280 wrote to memory of 2904 1280 20880.exe 41 PID 2904 wrote to memory of 2908 2904 864460.exe 42 PID 2904 wrote to memory of 2908 2904 864460.exe 42 PID 2904 wrote to memory of 2908 2904 864460.exe 42 PID 2904 wrote to memory of 2908 2904 864460.exe 42 PID 2908 wrote to memory of 840 2908 208288.exe 43 PID 2908 wrote to memory of 840 2908 208288.exe 43 PID 2908 wrote to memory of 840 2908 208288.exe 43 PID 2908 wrote to memory of 840 2908 208288.exe 43 PID 840 wrote to memory of 3060 840 9lflrlx.exe 44 PID 840 wrote to memory of 3060 840 9lflrlx.exe 44 PID 840 wrote to memory of 3060 840 9lflrlx.exe 44 PID 840 wrote to memory of 3060 840 9lflrlx.exe 44 PID 3060 wrote to memory of 1552 3060 u460666.exe 45 PID 3060 wrote to memory of 1552 3060 u460666.exe 45 PID 3060 wrote to memory of 1552 3060 u460666.exe 45 PID 3060 wrote to memory of 1552 3060 u460666.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe"C:\Users\Admin\AppData\Local\Temp\a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\08086.exec:\08086.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\9bhhnn.exec:\9bhhnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\i842266.exec:\i842266.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\4682824.exec:\4682824.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\pdjjp.exec:\pdjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\tnbhbn.exec:\tnbhbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\080622.exec:\080622.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\dvjjp.exec:\dvjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\264428.exec:\264428.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\0806280.exec:\0806280.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\20880.exec:\20880.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\864460.exec:\864460.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\208288.exec:\208288.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\9lflrlx.exec:\9lflrlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\u460666.exec:\u460666.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\0844440.exec:\0844440.exe17⤵
- Executes dropped EXE
PID:1552 -
\??\c:\604066.exec:\604066.exe18⤵
- Executes dropped EXE
PID:2560 -
\??\c:\thtbnt.exec:\thtbnt.exe19⤵
- Executes dropped EXE
PID:2152 -
\??\c:\64262.exec:\64262.exe20⤵
- Executes dropped EXE
PID:2376 -
\??\c:\k42804.exec:\k42804.exe21⤵
- Executes dropped EXE
PID:1192 -
\??\c:\fffrllr.exec:\fffrllr.exe22⤵
- Executes dropped EXE
PID:1256 -
\??\c:\7xffrxl.exec:\7xffrxl.exe23⤵
- Executes dropped EXE
PID:2172 -
\??\c:\6466888.exec:\6466888.exe24⤵
- Executes dropped EXE
PID:960 -
\??\c:\424400.exec:\424400.exe25⤵
- Executes dropped EXE
PID:2564 -
\??\c:\i684062.exec:\i684062.exe26⤵
- Executes dropped EXE
PID:2200 -
\??\c:\bnbntn.exec:\bnbntn.exe27⤵
- Executes dropped EXE
PID:896 -
\??\c:\3jvvd.exec:\3jvvd.exe28⤵
- Executes dropped EXE
PID:1572 -
\??\c:\pjvvv.exec:\pjvvv.exe29⤵
- Executes dropped EXE
PID:1632 -
\??\c:\82008.exec:\82008.exe30⤵
- Executes dropped EXE
PID:2640 -
\??\c:\468284.exec:\468284.exe31⤵
- Executes dropped EXE
PID:2488 -
\??\c:\2462884.exec:\2462884.exe32⤵
- Executes dropped EXE
PID:2056 -
\??\c:\k02888.exec:\k02888.exe33⤵
- Executes dropped EXE
PID:2444 -
\??\c:\nbtnhh.exec:\nbtnhh.exe34⤵PID:1600
-
\??\c:\9ppjp.exec:\9ppjp.exe35⤵
- Executes dropped EXE
PID:1028 -
\??\c:\q42248.exec:\q42248.exe36⤵
- Executes dropped EXE
PID:1712 -
\??\c:\20602.exec:\20602.exe37⤵
- Executes dropped EXE
PID:1984 -
\??\c:\i644028.exec:\i644028.exe38⤵
- Executes dropped EXE
PID:2612 -
\??\c:\k44806.exec:\k44806.exe39⤵
- Executes dropped EXE
PID:2496 -
\??\c:\xrffllx.exec:\xrffllx.exe40⤵
- Executes dropped EXE
PID:2928 -
\??\c:\hbhnnn.exec:\hbhnnn.exe41⤵
- Executes dropped EXE
PID:2940 -
\??\c:\0862406.exec:\0862406.exe42⤵
- Executes dropped EXE
PID:576 -
\??\c:\pdvvd.exec:\pdvvd.exe43⤵
- Executes dropped EXE
PID:2816 -
\??\c:\68000.exec:\68000.exe44⤵
- Executes dropped EXE
PID:2840 -
\??\c:\s4668.exec:\s4668.exe45⤵
- Executes dropped EXE
PID:2452 -
\??\c:\dvjdv.exec:\dvjdv.exe46⤵
- Executes dropped EXE
PID:1948 -
\??\c:\o806606.exec:\o806606.exe47⤵
- Executes dropped EXE
PID:2864 -
\??\c:\42624.exec:\42624.exe48⤵
- Executes dropped EXE
PID:3056 -
\??\c:\i240084.exec:\i240084.exe49⤵
- Executes dropped EXE
PID:844 -
\??\c:\9fxrxxf.exec:\9fxrxxf.exe50⤵
- Executes dropped EXE
PID:2900 -
\??\c:\q46688.exec:\q46688.exe51⤵
- Executes dropped EXE
PID:692 -
\??\c:\xrflrxf.exec:\xrflrxf.exe52⤵
- Executes dropped EXE
PID:1820 -
\??\c:\646660.exec:\646660.exe53⤵
- Executes dropped EXE
PID:768 -
\??\c:\5fffrlr.exec:\5fffrlr.exe54⤵
- Executes dropped EXE
PID:316 -
\??\c:\68062.exec:\68062.exe55⤵
- Executes dropped EXE
PID:1540 -
\??\c:\pdvvd.exec:\pdvvd.exe56⤵
- Executes dropped EXE
PID:2524 -
\??\c:\80824.exec:\80824.exe57⤵
- Executes dropped EXE
PID:2572 -
\??\c:\frflrrx.exec:\frflrrx.exe58⤵
- Executes dropped EXE
PID:1060 -
\??\c:\jvdpp.exec:\jvdpp.exe59⤵
- Executes dropped EXE
PID:2492 -
\??\c:\s6844.exec:\s6844.exe60⤵
- Executes dropped EXE
PID:2996 -
\??\c:\xlxrxrr.exec:\xlxrxrr.exe61⤵
- Executes dropped EXE
PID:1792 -
\??\c:\thtbnt.exec:\thtbnt.exe62⤵
- Executes dropped EXE
PID:2168 -
\??\c:\5rxxrrr.exec:\5rxxrrr.exe63⤵
- Executes dropped EXE
PID:2280 -
\??\c:\i040662.exec:\i040662.exe64⤵
- Executes dropped EXE
PID:956 -
\??\c:\ffxxllr.exec:\ffxxllr.exe65⤵
- Executes dropped EXE
PID:848 -
\??\c:\fxffllx.exec:\fxffllx.exe66⤵
- Executes dropped EXE
PID:2008 -
\??\c:\680006.exec:\680006.exe67⤵PID:1140
-
\??\c:\o482284.exec:\o482284.exe68⤵PID:1764
-
\??\c:\vjppv.exec:\vjppv.exe69⤵PID:700
-
\??\c:\tnhhnn.exec:\tnhhnn.exe70⤵PID:1688
-
\??\c:\s8606.exec:\s8606.exe71⤵PID:1716
-
\??\c:\686000.exec:\686000.exe72⤵PID:2232
-
\??\c:\jvvjp.exec:\jvvjp.exe73⤵PID:1748
-
\??\c:\fxxlfrr.exec:\fxxlfrr.exe74⤵PID:2488
-
\??\c:\9ttttn.exec:\9ttttn.exe75⤵PID:1588
-
\??\c:\vjdvj.exec:\vjdvj.exe76⤵PID:772
-
\??\c:\1vdjp.exec:\1vdjp.exe77⤵PID:1420
-
\??\c:\pdjjj.exec:\pdjjj.exe78⤵PID:2388
-
\??\c:\5rllrlr.exec:\5rllrlr.exe79⤵PID:1712
-
\??\c:\60280.exec:\60280.exe80⤵PID:2000
-
\??\c:\208286.exec:\208286.exe81⤵PID:1476
-
\??\c:\rfrxlll.exec:\rfrxlll.exe82⤵PID:2944
-
\??\c:\04628.exec:\04628.exe83⤵PID:2020
-
\??\c:\82606.exec:\82606.exe84⤵PID:2824
-
\??\c:\bnbbbb.exec:\bnbbbb.exe85⤵PID:1156
-
\??\c:\6428044.exec:\6428044.exe86⤵PID:2700
-
\??\c:\m4062.exec:\m4062.exe87⤵PID:2804
-
\??\c:\04062.exec:\04062.exe88⤵
- System Location Discovery: System Language Discovery
PID:2884 -
\??\c:\64602.exec:\64602.exe89⤵PID:2744
-
\??\c:\820688.exec:\820688.exe90⤵PID:1372
-
\??\c:\i644002.exec:\i644002.exe91⤵PID:2864
-
\??\c:\m4466.exec:\m4466.exe92⤵PID:2948
-
\??\c:\rflflll.exec:\rflflll.exe93⤵PID:2896
-
\??\c:\k84446.exec:\k84446.exe94⤵PID:2760
-
\??\c:\a8668.exec:\a8668.exe95⤵PID:1820
-
\??\c:\s4668.exec:\s4668.exe96⤵PID:840
-
\??\c:\6428042.exec:\6428042.exe97⤵PID:316
-
\??\c:\24288.exec:\24288.exe98⤵PID:1540
-
\??\c:\28824.exec:\28824.exe99⤵PID:324
-
\??\c:\hbhhnh.exec:\hbhhnh.exe100⤵PID:3040
-
\??\c:\s6484.exec:\s6484.exe101⤵PID:1804
-
\??\c:\pvjjv.exec:\pvjjv.exe102⤵PID:2492
-
\??\c:\60880.exec:\60880.exe103⤵PID:2996
-
\??\c:\frfflfl.exec:\frfflfl.exe104⤵PID:1192
-
\??\c:\dpvpp.exec:\dpvpp.exe105⤵PID:2168
-
\??\c:\hbhnnn.exec:\hbhnnn.exe106⤵PID:1516
-
\??\c:\lxlllrr.exec:\lxlllrr.exe107⤵PID:1788
-
\??\c:\rlxflrx.exec:\rlxflrx.exe108⤵PID:1652
-
\??\c:\g6846.exec:\g6846.exe109⤵PID:1536
-
\??\c:\hbthtt.exec:\hbthtt.exe110⤵PID:912
-
\??\c:\g6806.exec:\g6806.exe111⤵PID:1480
-
\??\c:\s4268.exec:\s4268.exe112⤵PID:700
-
\??\c:\02244.exec:\02244.exe113⤵PID:2504
-
\??\c:\5httbb.exec:\5httbb.exe114⤵PID:2640
-
\??\c:\1frxffl.exec:\1frxffl.exe115⤵PID:2776
-
\??\c:\7vjjp.exec:\7vjjp.exe116⤵PID:892
-
\??\c:\6462046.exec:\6462046.exe117⤵PID:2600
-
\??\c:\8600624.exec:\8600624.exe118⤵PID:1616
-
\??\c:\1hbhnn.exec:\1hbhnn.exe119⤵
- System Location Discovery: System Language Discovery
PID:2108 -
\??\c:\o006846.exec:\o006846.exe120⤵PID:1908
-
\??\c:\60284.exec:\60284.exe121⤵PID:2392
-
\??\c:\lfxrffl.exec:\lfxrffl.exe122⤵PID:580