Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 01:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe
-
Size
454KB
-
MD5
125acbacb76419294695bae8cde746de
-
SHA1
240885bf685089b56d5bf32581a3781a2aea2730
-
SHA256
9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc
-
SHA512
a8bfeb3b6acdcf111a097320afdbf6f7c49a19e83014703fe749c5882cb275d382b0835f701b64b5aae0a10b45fcf89f33e2cb7aa235e6bdace79e36513d42c9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2248-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2568-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/112-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-516-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1440-667-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2440-705-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2180-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-783-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2932-884-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2532-897-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/3060-1034-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2700 jdvdj.exe 2956 6424668.exe 2768 w24646.exe 2900 vvpdd.exe 2724 60442.exe 2568 m4280.exe 3032 hbtbnn.exe 3056 ddvpp.exe 2888 u682440.exe 3020 6040626.exe 2356 u862402.exe 1728 2022646.exe 1616 9bnnbh.exe 684 22628.exe 1680 jdjjv.exe 1732 860682.exe 372 rrrxflr.exe 2976 ddpvd.exe 1600 jjvdj.exe 2036 djdjv.exe 1792 lrfllrr.exe 2944 8264628.exe 1288 2620088.exe 1364 jvjjv.exe 1120 6044802.exe 1692 208804.exe 2080 04880.exe 2028 s4202.exe 2332 3hbhnn.exe 1856 a8802.exe 904 608406.exe 2144 0460224.exe 1584 g8228.exe 2700 9jddj.exe 2820 m0822.exe 2848 lflrlrx.exe 2584 nnbttb.exe 2724 ddpdj.exe 2588 e82840.exe 2568 60840.exe 3032 9bnhth.exe 3052 tttbhh.exe 2556 nhttbb.exe 3048 5pdpp.exe 708 w08062.exe 2928 2224224.exe 1196 0424068.exe 1636 tbtbhn.exe 1764 rrrlrrl.exe 2396 jjvdp.exe 1732 m6002.exe 316 fxrlxxr.exe 2540 fxflllx.exe 2288 xrxlllr.exe 2188 lfrrffr.exe 1772 046840.exe 1004 u426662.exe 2944 422806.exe 1860 1jvvd.exe 960 482028.exe 3004 lfxfllr.exe 1056 2024402.exe 3016 8684226.exe 376 llllxlx.exe -
resource yara_rule behavioral1/memory/2248-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2588-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-779-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2124-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-1020-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-1077-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-1112-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer the geographical location of that host; this is commonly used as a region check before the payload proceeds.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2602402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c682822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6080884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e66026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2248 wrote to memory of 2700 2248 9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe 64 PID 2248 wrote to memory of 2700 2248 9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe 64 PID 2248 wrote to memory of 2700 2248 9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe 64 PID 2248 wrote to memory of 2700 2248 9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe 64 PID 2700 wrote to memory of 2956 2700 jdvdj.exe 32 PID 2700 wrote to memory of 2956 2700 jdvdj.exe 32 PID 2700 wrote to memory of 2956 2700 jdvdj.exe 32 PID 2700 wrote to memory of 2956 2700 jdvdj.exe 32 PID 2956 wrote to memory of 2768 2956 6424668.exe 33 PID 2956 wrote to memory of 2768 2956 6424668.exe 33 PID 2956 wrote to memory of 2768 2956 6424668.exe 33 PID 2956 wrote to memory of 2768 2956 6424668.exe 33 PID 2768 wrote to memory of 2900 2768 w24646.exe 34 PID 2768 wrote to memory of 2900 2768 w24646.exe 34 PID 2768 wrote to memory of 2900 2768 w24646.exe 34 PID 2768 wrote to memory of 2900 2768 w24646.exe 34 PID 2900 wrote to memory of 2724 2900 vvpdd.exe 35 PID 2900 wrote to memory of 2724 2900 vvpdd.exe 35 PID 2900 wrote to memory of 2724 2900 vvpdd.exe 35 PID 2900 wrote to memory of 2724 2900 vvpdd.exe 35 PID 2724 wrote to memory of 2568 2724 60442.exe 36 PID 2724 wrote to memory of 2568 2724 60442.exe 36 PID 2724 wrote to memory of 2568 2724 60442.exe 36 PID 2724 wrote to memory of 2568 2724 60442.exe 36 PID 2568 wrote to memory of 3032 2568 m4280.exe 37 PID 2568 wrote to memory of 3032 2568 m4280.exe 37 PID 2568 wrote to memory of 3032 2568 m4280.exe 37 PID 2568 wrote to memory of 3032 2568 m4280.exe 37 PID 3032 wrote to memory of 3056 3032 hbtbnn.exe 38 PID 3032 wrote to memory of 3056 3032 hbtbnn.exe 38 PID 3032 wrote to memory of 3056 3032 hbtbnn.exe 38 PID 3032 wrote to memory of 3056 3032 hbtbnn.exe 38 PID 3056 wrote to memory of 2888 3056 ddvpp.exe 39 PID 3056 wrote to memory 
of 2888 3056 ddvpp.exe 39 PID 3056 wrote to memory of 2888 3056 ddvpp.exe 39 PID 3056 wrote to memory of 2888 3056 ddvpp.exe 39 PID 2888 wrote to memory of 3020 2888 u682440.exe 40 PID 2888 wrote to memory of 3020 2888 u682440.exe 40 PID 2888 wrote to memory of 3020 2888 u682440.exe 40 PID 2888 wrote to memory of 3020 2888 u682440.exe 40 PID 3020 wrote to memory of 2356 3020 6040626.exe 41 PID 3020 wrote to memory of 2356 3020 6040626.exe 41 PID 3020 wrote to memory of 2356 3020 6040626.exe 41 PID 3020 wrote to memory of 2356 3020 6040626.exe 41 PID 2356 wrote to memory of 1728 2356 u862402.exe 42 PID 2356 wrote to memory of 1728 2356 u862402.exe 42 PID 2356 wrote to memory of 1728 2356 u862402.exe 42 PID 2356 wrote to memory of 1728 2356 u862402.exe 42 PID 1728 wrote to memory of 1616 1728 2022646.exe 43 PID 1728 wrote to memory of 1616 1728 2022646.exe 43 PID 1728 wrote to memory of 1616 1728 2022646.exe 43 PID 1728 wrote to memory of 1616 1728 2022646.exe 43 PID 1616 wrote to memory of 684 1616 9bnnbh.exe 44 PID 1616 wrote to memory of 684 1616 9bnnbh.exe 44 PID 1616 wrote to memory of 684 1616 9bnnbh.exe 44 PID 1616 wrote to memory of 684 1616 9bnnbh.exe 44 PID 684 wrote to memory of 1680 684 22628.exe 45 PID 684 wrote to memory of 1680 684 22628.exe 45 PID 684 wrote to memory of 1680 684 22628.exe 45 PID 684 wrote to memory of 1680 684 22628.exe 45 PID 1680 wrote to memory of 1732 1680 jdjjv.exe 46 PID 1680 wrote to memory of 1732 1680 jdjjv.exe 46 PID 1680 wrote to memory of 1732 1680 jdjjv.exe 46 PID 1680 wrote to memory of 1732 1680 jdjjv.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe"C:\Users\Admin\AppData\Local\Temp\9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\jdvdj.exec:\jdvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\6424668.exec:\6424668.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\w24646.exec:\w24646.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\vvpdd.exec:\vvpdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\60442.exec:\60442.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\m4280.exec:\m4280.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\hbtbnn.exec:\hbtbnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\ddvpp.exec:\ddvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\u682440.exec:\u682440.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\6040626.exec:\6040626.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\u862402.exec:\u862402.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\2022646.exec:\2022646.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\9bnnbh.exec:\9bnnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\22628.exec:\22628.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\jdjjv.exec:\jdjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\860682.exec:\860682.exe17⤵
- Executes dropped EXE
PID:1732 -
\??\c:\rrrxflr.exec:\rrrxflr.exe18⤵
- Executes dropped EXE
PID:372 -
\??\c:\ddpvd.exec:\ddpvd.exe19⤵
- Executes dropped EXE
PID:2976 -
\??\c:\jjvdj.exec:\jjvdj.exe20⤵
- Executes dropped EXE
PID:1600 -
\??\c:\djdjv.exec:\djdjv.exe21⤵
- Executes dropped EXE
PID:2036 -
\??\c:\lrfllrr.exec:\lrfllrr.exe22⤵
- Executes dropped EXE
PID:1792 -
\??\c:\8264628.exec:\8264628.exe23⤵
- Executes dropped EXE
PID:2944 -
\??\c:\2620088.exec:\2620088.exe24⤵
- Executes dropped EXE
PID:1288 -
\??\c:\jvjjv.exec:\jvjjv.exe25⤵
- Executes dropped EXE
PID:1364 -
\??\c:\6044802.exec:\6044802.exe26⤵
- Executes dropped EXE
PID:1120 -
\??\c:\208804.exec:\208804.exe27⤵
- Executes dropped EXE
PID:1692 -
\??\c:\04880.exec:\04880.exe28⤵
- Executes dropped EXE
PID:2080 -
\??\c:\s4202.exec:\s4202.exe29⤵
- Executes dropped EXE
PID:2028 -
\??\c:\3hbhnn.exec:\3hbhnn.exe30⤵
- Executes dropped EXE
PID:2332 -
\??\c:\a8802.exec:\a8802.exe31⤵
- Executes dropped EXE
PID:1856 -
\??\c:\608406.exec:\608406.exe32⤵
- Executes dropped EXE
PID:904 -
\??\c:\0460224.exec:\0460224.exe33⤵
- Executes dropped EXE
PID:2144 -
\??\c:\g8228.exec:\g8228.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\9jddj.exec:\9jddj.exe35⤵
- Executes dropped EXE
PID:2700 -
\??\c:\m0822.exec:\m0822.exe36⤵
- Executes dropped EXE
PID:2820 -
\??\c:\lflrlrx.exec:\lflrlrx.exe37⤵
- Executes dropped EXE
PID:2848 -
\??\c:\nnbttb.exec:\nnbttb.exe38⤵
- Executes dropped EXE
PID:2584 -
\??\c:\ddpdj.exec:\ddpdj.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\e82840.exec:\e82840.exe40⤵
- Executes dropped EXE
PID:2588 -
\??\c:\60840.exec:\60840.exe41⤵
- Executes dropped EXE
PID:2568 -
\??\c:\9bnhth.exec:\9bnhth.exe42⤵
- Executes dropped EXE
PID:3032 -
\??\c:\tttbhh.exec:\tttbhh.exe43⤵
- Executes dropped EXE
PID:3052 -
\??\c:\nhttbb.exec:\nhttbb.exe44⤵
- Executes dropped EXE
PID:2556 -
\??\c:\5pdpp.exec:\5pdpp.exe45⤵
- Executes dropped EXE
PID:3048 -
\??\c:\w08062.exec:\w08062.exe46⤵
- Executes dropped EXE
PID:708 -
\??\c:\2224224.exec:\2224224.exe47⤵
- Executes dropped EXE
PID:2928 -
\??\c:\0424068.exec:\0424068.exe48⤵
- Executes dropped EXE
PID:1196 -
\??\c:\tbtbhn.exec:\tbtbhn.exe49⤵
- Executes dropped EXE
PID:1636 -
\??\c:\rrrlrrl.exec:\rrrlrrl.exe50⤵
- Executes dropped EXE
PID:1764 -
\??\c:\jjvdp.exec:\jjvdp.exe51⤵
- Executes dropped EXE
PID:2396 -
\??\c:\m6002.exec:\m6002.exe52⤵
- Executes dropped EXE
PID:1732 -
\??\c:\fxrlxxr.exec:\fxrlxxr.exe53⤵
- Executes dropped EXE
PID:316 -
\??\c:\fxflllx.exec:\fxflllx.exe54⤵
- Executes dropped EXE
PID:2540 -
\??\c:\xrxlllr.exec:\xrxlllr.exe55⤵
- Executes dropped EXE
PID:2288 -
\??\c:\lfrrffr.exec:\lfrrffr.exe56⤵
- Executes dropped EXE
PID:2188 -
\??\c:\046840.exec:\046840.exe57⤵
- Executes dropped EXE
PID:1772 -
\??\c:\u426662.exec:\u426662.exe58⤵
- Executes dropped EXE
PID:1004 -
\??\c:\422806.exec:\422806.exe59⤵
- Executes dropped EXE
PID:2944 -
\??\c:\1jvvd.exec:\1jvvd.exe60⤵
- Executes dropped EXE
PID:1860 -
\??\c:\482028.exec:\482028.exe61⤵
- Executes dropped EXE
PID:960 -
\??\c:\lfxfllr.exec:\lfxfllr.exe62⤵
- Executes dropped EXE
PID:3004 -
\??\c:\2024402.exec:\2024402.exe63⤵
- Executes dropped EXE
PID:1056 -
\??\c:\8684226.exec:\8684226.exe64⤵
- Executes dropped EXE
PID:3016 -
\??\c:\llllxlx.exec:\llllxlx.exe65⤵
- Executes dropped EXE
PID:376 -
\??\c:\48840.exec:\48840.exe66⤵PID:112
-
\??\c:\s8040.exec:\s8040.exe67⤵PID:2028
-
\??\c:\g4806.exec:\g4806.exe68⤵PID:2328
-
\??\c:\m6284.exec:\m6284.exe69⤵PID:1880
-
\??\c:\a8284.exec:\a8284.exe70⤵PID:892
-
\??\c:\486884.exec:\486884.exe71⤵PID:2688
-
\??\c:\26880.exec:\26880.exe72⤵PID:1584
-
\??\c:\vvpvj.exec:\vvpvj.exe73⤵PID:2684
-
\??\c:\dvppv.exec:\dvppv.exe74⤵PID:2992
-
\??\c:\20226.exec:\20226.exe75⤵PID:2956
-
\??\c:\frrlxxl.exec:\frrlxxl.exe76⤵PID:1432
-
\??\c:\7xrllxl.exec:\7xrllxl.exe77⤵PID:2760
-
\??\c:\0402024.exec:\0402024.exe78⤵PID:2692
-
\??\c:\pjvdp.exec:\pjvdp.exe79⤵PID:2828
-
\??\c:\4268406.exec:\4268406.exe80⤵PID:2572
-
\??\c:\08628.exec:\08628.exe81⤵PID:1884
-
\??\c:\42004.exec:\42004.exe82⤵PID:3036
-
\??\c:\04844.exec:\04844.exe83⤵
- System Location Discovery: System Language Discovery
PID:2880 -
\??\c:\frflffr.exec:\frflffr.exe84⤵PID:1668
-
\??\c:\08668.exec:\08668.exe85⤵PID:2596
-
\??\c:\q60066.exec:\q60066.exe86⤵PID:1724
-
\??\c:\vpjjd.exec:\vpjjd.exe87⤵PID:1440
-
\??\c:\2622002.exec:\2622002.exe88⤵PID:1616
-
\??\c:\086888.exec:\086888.exe89⤵PID:1196
-
\??\c:\xrffrrl.exec:\xrffrrl.exe90⤵PID:2620
-
\??\c:\s0840.exec:\s0840.exe91⤵PID:1764
-
\??\c:\w04028.exec:\w04028.exe92⤵PID:1316
-
\??\c:\i824846.exec:\i824846.exe93⤵PID:1296
-
\??\c:\5lxfffl.exec:\5lxfffl.exe94⤵PID:1472
-
\??\c:\fxxxxrx.exec:\fxxxxrx.exe95⤵PID:2540
-
\??\c:\8622266.exec:\8622266.exe96⤵PID:2440
-
\??\c:\9rxrrlr.exec:\9rxrrlr.exe97⤵PID:1896
-
\??\c:\xlrrlff.exec:\xlrrlff.exe98⤵PID:1908
-
\??\c:\dpddd.exec:\dpddd.exe99⤵PID:1972
-
\??\c:\bnhntb.exec:\bnhntb.exe100⤵PID:2180
-
\??\c:\08662.exec:\08662.exe101⤵PID:1744
-
\??\c:\htbbhh.exec:\htbbhh.exe102⤵
- System Location Discovery: System Language Discovery
PID:1892 -
\??\c:\ntnhht.exec:\ntnhht.exe103⤵PID:912
-
\??\c:\s8208.exec:\s8208.exe104⤵PID:1992
-
\??\c:\lxxfllr.exec:\lxxfllr.exe105⤵PID:1988
-
\??\c:\080460.exec:\080460.exe106⤵PID:1632
-
\??\c:\9pppp.exec:\9pppp.exe107⤵PID:2516
-
\??\c:\thtnnn.exec:\thtnnn.exe108⤵PID:2016
-
\??\c:\m6000.exec:\m6000.exe109⤵PID:2076
-
\??\c:\xrxxfxf.exec:\xrxxfxf.exe110⤵PID:3012
-
\??\c:\lrrllrr.exec:\lrrllrr.exe111⤵PID:2344
-
\??\c:\424404.exec:\424404.exe112⤵PID:1564
-
\??\c:\e42462.exec:\e42462.exe113⤵PID:2704
-
\??\c:\lffxfxf.exec:\lffxfxf.exe114⤵PID:2952
-
\??\c:\9ppvd.exec:\9ppvd.exe115⤵PID:2744
-
\??\c:\nhhnbb.exec:\nhhnbb.exe116⤵PID:2792
-
\??\c:\rlflxfr.exec:\rlflxfr.exe117⤵PID:2768
-
\??\c:\k46666.exec:\k46666.exe118⤵PID:2696
-
\??\c:\82062.exec:\82062.exe119⤵PID:2584
-
\??\c:\800408.exec:\800408.exe120⤵PID:2148
-
\??\c:\042200.exec:\042200.exe121⤵PID:2124
-
\??\c:\hbntth.exec:\hbntth.exe122⤵PID:636