Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
24/12/2024, 00:23
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe
-
Size
456KB
-
MD5
96b5302905713cbc556dba40b2724fd6
-
SHA1
059cb0172902c0c0aa6bd56642b8d1003d36ec46
-
SHA256
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8
-
SHA512
d6130a9c5496181423b107f6177695ee1fbc0e7625d2c811de46da75f094bec476e14962137240e1e12b4dd010f37f4d8b9bbe1c987b05db2ae6dc3bf89a5403
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRg:q7Tc2NYHUrAwfMp3CDRg
Malware Config (empty: the sandbox extracted no configuration block or C2 details from this sample in this run; treat the file hashes above and the dropped-file names below as the usable indicators)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 44 IoCs (YARA rule `family_blackmoon` matched on in-memory dumps of the running processes; the same 0x2A000-byte region at 0x00400000–0x0042A000 recurs across nearly every PID, consistent with each stage being a copy of the same packed image, so the family verdict rests on unpacked memory rather than on the on-disk file)
resource yara_rule behavioral1/memory/2712-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/624-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-195-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2032-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/756-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1720-249-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1680-277-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2492-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-417-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2616-427-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1660-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1860-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-611-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2344-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-637-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2852-652-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2792-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-725-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2504-1108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2504-1115-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3008-1208-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list below is capped at 64 entries; the process tree further down shows the chain continuing well past that, with each stage writing the next executable to the root of c:\ under a short pseudo-random name and launching it)
pid Process 1948 ttbhth.exe 1480 5ddjp.exe 2352 66068.exe 2320 o422886.exe 2916 42068.exe 2736 tnbbbh.exe 2852 s0284.exe 2636 jjvvj.exe 2200 thnnht.exe 624 9dpvp.exe 2624 486240.exe 1972 rxrrflf.exe 2296 64280.exe 2728 3dvdv.exe 1664 hbbhbb.exe 2532 m6402.exe 1312 82006.exe 1560 482846.exe 2944 hthnnh.exe 2276 o862880.exe 2032 9tntht.exe 1728 pvvdd.exe 1028 9frrfff.exe 1084 04842.exe 1596 fxrfrrf.exe 756 8262406.exe 1720 vvppd.exe 2612 e82800.exe 2180 c268024.exe 1680 482288.exe 1036 5jvvv.exe 888 220644.exe 1960 8640684.exe 1572 048624.exe 1948 4868008.exe 2492 802402.exe 2364 dvvdj.exe 1672 82024.exe 1128 86286.exe 2816 4246442.exe 2172 lllxrfr.exe 2836 hnhtbh.exe 2868 k48062.exe 2908 xrxlxlf.exe 2880 4206420.exe 2972 hbntbb.exe 2824 04222.exe 624 888226.exe 1976 482462.exe 1684 nbntbh.exe 1796 a6680.exe 2616 602222.exe 2728 jppdp.exe 1660 w20080.exe 1616 ffxfrfl.exe 632 nhhtbh.exe 1964 4868402.exe 1808 s8628.exe 2992 rrxxllr.exe 2144 bbbhbn.exe 2072 7ttntb.exe 1860 u666446.exe 448 5bhnth.exe 2564 i206888.exe -
resource yara_rule behavioral1/memory/2712-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/756-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2972-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-417-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2616-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-622-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2112-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-838-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2340-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-936-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-961-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-1095-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-1178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-1189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-1233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-1258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-1313-0x0000000000320000-0x000000000034A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Each hit is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; entries attributed to "Process not Found" are hits whose process had already exited before the sandbox could resolve its image name. Note that this key is also read by ordinary runtime and locale code, so on its own it is a weak signal — it is the combination with the Blackmoon memory hits and the long drop-and-execute chain that makes it relevant here.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2624668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q20244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u884402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4240662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 226066.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (capped list). Every write recorded below is from a parent to the child it has just spawned (compare the PIDs with the "Executes dropped EXE" list and the process tree), with four identical entries per parent/child pair; this pattern is consistent with the parent initialising its own child during process creation rather than with injection into an unrelated foreign process, so it should be read as part of the drop-and-execute chain, not as a separate injection technique — confirm against a full API trace before reporting it as injection.
description pid Process procid_target PID 2712 wrote to memory of 1948 2712 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 30 PID 2712 wrote to memory of 1948 2712 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 30 PID 2712 wrote to memory of 1948 2712 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 30 PID 2712 wrote to memory of 1948 2712 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 30 PID 1948 wrote to memory of 1480 1948 ttbhth.exe 31 PID 1948 wrote to memory of 1480 1948 ttbhth.exe 31 PID 1948 wrote to memory of 1480 1948 ttbhth.exe 31 PID 1948 wrote to memory of 1480 1948 ttbhth.exe 31 PID 1480 wrote to memory of 2352 1480 5ddjp.exe 32 PID 1480 wrote to memory of 2352 1480 5ddjp.exe 32 PID 1480 wrote to memory of 2352 1480 5ddjp.exe 32 PID 1480 wrote to memory of 2352 1480 5ddjp.exe 32 PID 2352 wrote to memory of 2320 2352 66068.exe 33 PID 2352 wrote to memory of 2320 2352 66068.exe 33 PID 2352 wrote to memory of 2320 2352 66068.exe 33 PID 2352 wrote to memory of 2320 2352 66068.exe 33 PID 2320 wrote to memory of 2916 2320 o422886.exe 34 PID 2320 wrote to memory of 2916 2320 o422886.exe 34 PID 2320 wrote to memory of 2916 2320 o422886.exe 34 PID 2320 wrote to memory of 2916 2320 o422886.exe 34 PID 2916 wrote to memory of 2736 2916 42068.exe 35 PID 2916 wrote to memory of 2736 2916 42068.exe 35 PID 2916 wrote to memory of 2736 2916 42068.exe 35 PID 2916 wrote to memory of 2736 2916 42068.exe 35 PID 2736 wrote to memory of 2852 2736 tnbbbh.exe 36 PID 2736 wrote to memory of 2852 2736 tnbbbh.exe 36 PID 2736 wrote to memory of 2852 2736 tnbbbh.exe 36 PID 2736 wrote to memory of 2852 2736 tnbbbh.exe 36 PID 2852 wrote to memory of 2636 2852 s0284.exe 37 PID 2852 wrote to memory of 2636 2852 s0284.exe 37 PID 2852 wrote to memory of 2636 2852 s0284.exe 37 PID 2852 wrote to memory of 2636 2852 s0284.exe 37 PID 2636 wrote to memory of 2200 2636 jjvvj.exe 38 PID 2636 wrote to memory 
of 2200 2636 jjvvj.exe 38 PID 2636 wrote to memory of 2200 2636 jjvvj.exe 38 PID 2636 wrote to memory of 2200 2636 jjvvj.exe 38 PID 2200 wrote to memory of 624 2200 thnnht.exe 39 PID 2200 wrote to memory of 624 2200 thnnht.exe 39 PID 2200 wrote to memory of 624 2200 thnnht.exe 39 PID 2200 wrote to memory of 624 2200 thnnht.exe 39 PID 624 wrote to memory of 2624 624 9dpvp.exe 40 PID 624 wrote to memory of 2624 624 9dpvp.exe 40 PID 624 wrote to memory of 2624 624 9dpvp.exe 40 PID 624 wrote to memory of 2624 624 9dpvp.exe 40 PID 2624 wrote to memory of 1972 2624 486240.exe 41 PID 2624 wrote to memory of 1972 2624 486240.exe 41 PID 2624 wrote to memory of 1972 2624 486240.exe 41 PID 2624 wrote to memory of 1972 2624 486240.exe 41 PID 1972 wrote to memory of 2296 1972 rxrrflf.exe 42 PID 1972 wrote to memory of 2296 1972 rxrrflf.exe 42 PID 1972 wrote to memory of 2296 1972 rxrrflf.exe 42 PID 1972 wrote to memory of 2296 1972 rxrrflf.exe 42 PID 2296 wrote to memory of 2728 2296 64280.exe 43 PID 2296 wrote to memory of 2728 2296 64280.exe 43 PID 2296 wrote to memory of 2728 2296 64280.exe 43 PID 2296 wrote to memory of 2728 2296 64280.exe 43 PID 2728 wrote to memory of 1664 2728 3dvdv.exe 44 PID 2728 wrote to memory of 1664 2728 3dvdv.exe 44 PID 2728 wrote to memory of 1664 2728 3dvdv.exe 44 PID 2728 wrote to memory of 1664 2728 3dvdv.exe 44 PID 1664 wrote to memory of 2532 1664 hbbhbb.exe 45 PID 1664 wrote to memory of 2532 1664 hbbhbb.exe 45 PID 1664 wrote to memory of 2532 1664 hbbhbb.exe 45 PID 1664 wrote to memory of 2532 1664 hbbhbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe"C:\Users\Admin\AppData\Local\Temp\ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\ttbhth.exec:\ttbhth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\5ddjp.exec:\5ddjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\66068.exec:\66068.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\o422886.exec:\o422886.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\42068.exec:\42068.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\tnbbbh.exec:\tnbbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\s0284.exec:\s0284.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\jjvvj.exec:\jjvvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\thnnht.exec:\thnnht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\9dpvp.exec:\9dpvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\486240.exec:\486240.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\rxrrflf.exec:\rxrrflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\64280.exec:\64280.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\3dvdv.exec:\3dvdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\hbbhbb.exec:\hbbhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\m6402.exec:\m6402.exe17⤵
- Executes dropped EXE
PID:2532 -
\??\c:\82006.exec:\82006.exe18⤵
- Executes dropped EXE
PID:1312 -
\??\c:\482846.exec:\482846.exe19⤵
- Executes dropped EXE
PID:1560 -
\??\c:\hthnnh.exec:\hthnnh.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944 -
\??\c:\o862880.exec:\o862880.exe21⤵
- Executes dropped EXE
PID:2276 -
\??\c:\9tntht.exec:\9tntht.exe22⤵
- Executes dropped EXE
PID:2032 -
\??\c:\pvvdd.exec:\pvvdd.exe23⤵
- Executes dropped EXE
PID:1728 -
\??\c:\9frrfff.exec:\9frrfff.exe24⤵
- Executes dropped EXE
PID:1028 -
\??\c:\04842.exec:\04842.exe25⤵
- Executes dropped EXE
PID:1084 -
\??\c:\fxrfrrf.exec:\fxrfrrf.exe26⤵
- Executes dropped EXE
PID:1596 -
\??\c:\8262406.exec:\8262406.exe27⤵
- Executes dropped EXE
PID:756 -
\??\c:\vvppd.exec:\vvppd.exe28⤵
- Executes dropped EXE
PID:1720 -
\??\c:\e82800.exec:\e82800.exe29⤵
- Executes dropped EXE
PID:2612 -
\??\c:\c268024.exec:\c268024.exe30⤵
- Executes dropped EXE
PID:2180 -
\??\c:\482288.exec:\482288.exe31⤵
- Executes dropped EXE
PID:1680 -
\??\c:\5jvvv.exec:\5jvvv.exe32⤵
- Executes dropped EXE
PID:1036 -
\??\c:\220644.exec:\220644.exe33⤵
- Executes dropped EXE
PID:888 -
\??\c:\8640684.exec:\8640684.exe34⤵
- Executes dropped EXE
PID:1960 -
\??\c:\048624.exec:\048624.exe35⤵
- Executes dropped EXE
PID:1572 -
\??\c:\4868008.exec:\4868008.exe36⤵
- Executes dropped EXE
PID:1948 -
\??\c:\802402.exec:\802402.exe37⤵
- Executes dropped EXE
PID:2492 -
\??\c:\dvvdj.exec:\dvvdj.exe38⤵
- Executes dropped EXE
PID:2364 -
\??\c:\82024.exec:\82024.exe39⤵
- Executes dropped EXE
PID:1672 -
\??\c:\86286.exec:\86286.exe40⤵
- Executes dropped EXE
PID:1128 -
\??\c:\4246442.exec:\4246442.exe41⤵
- Executes dropped EXE
PID:2816 -
\??\c:\lllxrfr.exec:\lllxrfr.exe42⤵
- Executes dropped EXE
PID:2172 -
\??\c:\hnhtbh.exec:\hnhtbh.exe43⤵
- Executes dropped EXE
PID:2836 -
\??\c:\k48062.exec:\k48062.exe44⤵
- Executes dropped EXE
PID:2868 -
\??\c:\xrxlxlf.exec:\xrxlxlf.exe45⤵
- Executes dropped EXE
PID:2908 -
\??\c:\4206420.exec:\4206420.exe46⤵
- Executes dropped EXE
PID:2880 -
\??\c:\hbntbb.exec:\hbntbb.exe47⤵
- Executes dropped EXE
PID:2972 -
\??\c:\04222.exec:\04222.exe48⤵
- Executes dropped EXE
PID:2824 -
\??\c:\888226.exec:\888226.exe49⤵
- Executes dropped EXE
PID:624 -
\??\c:\482462.exec:\482462.exe50⤵
- Executes dropped EXE
PID:1976 -
\??\c:\nbntbh.exec:\nbntbh.exe51⤵
- Executes dropped EXE
PID:1684 -
\??\c:\a6680.exec:\a6680.exe52⤵
- Executes dropped EXE
PID:1796 -
\??\c:\602222.exec:\602222.exe53⤵
- Executes dropped EXE
PID:2616 -
\??\c:\jppdp.exec:\jppdp.exe54⤵
- Executes dropped EXE
PID:2728 -
\??\c:\w20080.exec:\w20080.exe55⤵
- Executes dropped EXE
PID:1660 -
\??\c:\ffxfrfl.exec:\ffxfrfl.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
\??\c:\nhhtbh.exec:\nhhtbh.exe57⤵
- Executes dropped EXE
PID:632 -
\??\c:\4868402.exec:\4868402.exe58⤵
- Executes dropped EXE
PID:1964 -
\??\c:\s8628.exec:\s8628.exe59⤵
- Executes dropped EXE
PID:1808 -
\??\c:\rrxxllr.exec:\rrxxllr.exe60⤵
- Executes dropped EXE
PID:2992 -
\??\c:\bbbhbn.exec:\bbbhbn.exe61⤵
- Executes dropped EXE
PID:2144 -
\??\c:\7ttntb.exec:\7ttntb.exe62⤵
- Executes dropped EXE
PID:2072 -
\??\c:\u666446.exec:\u666446.exe63⤵
- Executes dropped EXE
PID:1860 -
\??\c:\5bhnth.exec:\5bhnth.exe64⤵
- Executes dropped EXE
PID:448 -
\??\c:\i206888.exec:\i206888.exe65⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rfrrxrx.exec:\rfrrxrx.exe66⤵PID:308
-
\??\c:\20846.exec:\20846.exe67⤵PID:1864
-
\??\c:\2624668.exec:\2624668.exe68⤵
- System Location Discovery: System Language Discovery
PID:1772 -
\??\c:\fxllxxf.exec:\fxllxxf.exe69⤵PID:1296
-
\??\c:\42484.exec:\42484.exe70⤵PID:1716
-
\??\c:\4268446.exec:\4268446.exe71⤵PID:904
-
\??\c:\8688006.exec:\8688006.exe72⤵PID:696
-
\??\c:\bnhnbt.exec:\bnhnbt.exe73⤵PID:2164
-
\??\c:\2648006.exec:\2648006.exe74⤵PID:2188
-
\??\c:\bnbttt.exec:\bnbttt.exe75⤵PID:2336
-
\??\c:\k68844.exec:\k68844.exe76⤵PID:2936
-
\??\c:\jdvvp.exec:\jdvvp.exe77⤵PID:2584
-
\??\c:\lllxllx.exec:\lllxllx.exe78⤵PID:2708
-
\??\c:\206688.exec:\206688.exe79⤵PID:1960
-
\??\c:\pjdjv.exec:\pjdjv.exe80⤵PID:2468
-
\??\c:\ddvdd.exec:\ddvdd.exe81⤵PID:1908
-
\??\c:\04808.exec:\04808.exe82⤵PID:2312
-
\??\c:\hnbbbt.exec:\hnbbbt.exe83⤵PID:2344
-
\??\c:\82628.exec:\82628.exe84⤵PID:2112
-
\??\c:\nhbtbt.exec:\nhbtbt.exe85⤵PID:2460
-
\??\c:\44280.exec:\44280.exe86⤵PID:2844
-
\??\c:\86002.exec:\86002.exe87⤵PID:2832
-
\??\c:\ffxfflf.exec:\ffxfflf.exe88⤵PID:2852
-
\??\c:\1vjjj.exec:\1vjjj.exe89⤵PID:2856
-
\??\c:\64284.exec:\64284.exe90⤵PID:2788
-
\??\c:\8888246.exec:\8888246.exe91⤵PID:2792
-
\??\c:\ppdjv.exec:\ppdjv.exe92⤵PID:2824
-
\??\c:\9tbhnt.exec:\9tbhnt.exe93⤵PID:2148
-
\??\c:\5nttbh.exec:\5nttbh.exe94⤵PID:2680
-
\??\c:\g4280.exec:\g4280.exe95⤵PID:2472
-
\??\c:\8206220.exec:\8206220.exe96⤵PID:2528
-
\??\c:\bthntn.exec:\bthntn.exe97⤵PID:668
-
\??\c:\2600006.exec:\2600006.exe98⤵PID:1540
-
\??\c:\lfrxxfr.exec:\lfrxxfr.exe99⤵PID:1164
-
\??\c:\nhhtbh.exec:\nhhtbh.exe100⤵PID:484
-
\??\c:\4228440.exec:\4228440.exe101⤵PID:2896
-
\??\c:\ddvdj.exec:\ddvdj.exe102⤵PID:1792
-
\??\c:\xlxxxxl.exec:\xlxxxxl.exe103⤵PID:1812
-
\??\c:\1pjpv.exec:\1pjpv.exe104⤵PID:1764
-
\??\c:\488428.exec:\488428.exe105⤵PID:2820
-
\??\c:\hbnnnt.exec:\hbnnnt.exe106⤵PID:316
-
\??\c:\k02800.exec:\k02800.exe107⤵PID:1000
-
\??\c:\m6284.exec:\m6284.exe108⤵PID:2104
-
\??\c:\pjpvj.exec:\pjpvj.exe109⤵PID:2600
-
\??\c:\fxlrrlr.exec:\fxlrrlr.exe110⤵PID:980
-
\??\c:\420444.exec:\420444.exe111⤵PID:2132
-
\??\c:\608462.exec:\608462.exe112⤵PID:1596
-
\??\c:\7jddj.exec:\7jddj.exe113⤵PID:1280
-
\??\c:\6006620.exec:\6006620.exe114⤵PID:896
-
\??\c:\1rxrxrf.exec:\1rxrxrf.exe115⤵PID:1868
-
\??\c:\1bhnbh.exec:\1bhnbh.exe116⤵PID:2612
-
\??\c:\jvvpv.exec:\jvvpv.exe117⤵PID:2428
-
\??\c:\bbbhth.exec:\bbbhth.exe118⤵PID:2124
-
\??\c:\5fflrfr.exec:\5fflrfr.exe119⤵PID:2244
-
\??\c:\tnbntt.exec:\tnbntt.exe120⤵PID:3048
-
\??\c:\a0802.exec:\a0802.exe121⤵PID:2168
-
\??\c:\5hthht.exec:\5hthht.exe122⤵PID:2912