Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 22:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bef3cdcc0047b124a5e96f46a5eb49b59fc27b245f7934783c1f8e1b949daf45.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
bef3cdcc0047b124a5e96f46a5eb49b59fc27b245f7934783c1f8e1b949daf45.exe
-
Size
453KB
-
MD5
a2800be1770d8dbc5584b901ec0dd2f7
-
SHA1
ea126e012424d06898907c79179f2c11aade5e94
-
SHA256
bef3cdcc0047b124a5e96f46a5eb49b59fc27b245f7934783c1f8e1b949daf45
-
SHA512
32832daee3420bdfb150f460ce0a35de405f3c04636b71946f935e5af1c9063f67f9f0a06c03e80ddd35da1ad60eb3a20ea8807b8903f597065522e3b13b903d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2464-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-50-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2732-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-89-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1200-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-149-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/760-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2356-247-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2144-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-270-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2072-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-314-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2908-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-369-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2972-423-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1304-443-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2188-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-480-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2188-491-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/672-498-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2404-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-564-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon 
behavioral1/memory/1748-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-572-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/1740-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-579-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-612-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1864-656-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2836-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-697-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1076-816-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2464-849-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2108 ntnbtb.exe 2896 3xlrflx.exe 2724 pdjjv.exe 2872 bbhbnt.exe 2648 860062.exe 2732 jjddv.exe 2672 08882.exe 2948 dpvvv.exe 2992 ffllxxr.exe 1200 660624.exe 2056 080268.exe 3056 ddvdj.exe 2984 4800280.exe 1164 g4242.exe 2688 dddjj.exe 760 nhnttt.exe 684 pjjpj.exe 2596 pjdpv.exe 1804 9jdpv.exe 568 04242.exe 340 6040842.exe 1872 e68244.exe 1724 0402024.exe 1972 lffxxfl.exe 2408 djjpv.exe 2356 0804040.exe 2144 1pvjj.exe 1736 g0446.exe 1576 tntnht.exe 892 w26206.exe 2072 486624.exe 2884 04802.exe 2108 nhbtnt.exe 2900 04206.exe 2780 9vvvd.exe 2920 82008.exe 2908 44488.exe 2656 2806840.exe 2612 k64060.exe 1616 o442844.exe 2104 hbnbnb.exe 2172 tnhnbb.exe 2476 0484824.exe 2432 08246.exe 2544 82284.exe 2820 0868620.exe 2996 xrxlrrf.exe 2712 7thhtb.exe 2972 3hntbt.exe 668 5hbhnb.exe 2008 42064.exe 1304 04680.exe 1916 6028280.exe 332 s0228.exe 1792 04280.exe 2188 8202624.exe 2396 bhbbhn.exe 568 rrllllf.exe 1928 2602068.exe 672 82062.exe 496 8606284.exe 2404 vpdvp.exe 1408 680206.exe 1716 xrlxflx.exe -
resource yara_rule behavioral1/memory/2464-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-271-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2072-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-480-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2404-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1108-772-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2376-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-829-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4844602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 464882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e68840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4484664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxlxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0284006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4820846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c244620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4200264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w26206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xflxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2464 wrote to memory of 2108 2464 bef3cdcc0047b124a5e96f46a5eb49b59fc27b245f7934783c1f8e1b949daf45.exe 31 PID 2464 wrote to memory of 2108 2464 bef3cdcc0047b124a5e96f46a5eb49b59fc27b245f7934783c1f8e1b949daf45.exe 31 PID 2464 wrote to memory of 2108 2464 bef3cdcc0047b124a5e96f46a5eb49b59fc27b245f7934783c1f8e1b949daf45.exe 31 PID 2464 wrote to memory of 2108 2464 bef3cdcc0047b124a5e96f46a5eb49b59fc27b245f7934783c1f8e1b949daf45.exe 31 PID 2108 wrote to memory of 2896 2108 ntnbtb.exe 32 PID 2108 wrote to memory of 2896 2108 ntnbtb.exe 32 PID 2108 wrote to memory of 2896 2108 ntnbtb.exe 32 PID 2108 wrote to memory of 2896 2108 ntnbtb.exe 32 PID 2896 wrote to memory of 2724 2896 3xlrflx.exe 33 PID 2896 wrote to memory of 2724 2896 3xlrflx.exe 33 PID 2896 wrote to memory of 2724 2896 3xlrflx.exe 33 PID 2896 wrote to memory of 2724 2896 3xlrflx.exe 33 PID 2724 wrote to memory of 2872 2724 pdjjv.exe 34 PID 2724 wrote to memory of 2872 2724 pdjjv.exe 34 PID 2724 wrote to memory of 2872 2724 pdjjv.exe 34 PID 2724 wrote to memory of 2872 2724 pdjjv.exe 34 PID 2872 wrote to memory of 2648 2872 bbhbnt.exe 35 PID 2872 wrote to memory of 2648 2872 bbhbnt.exe 35 PID 2872 wrote to memory of 2648 2872 bbhbnt.exe 35 PID 2872 wrote to memory of 2648 2872 bbhbnt.exe 35 PID 2648 wrote to memory of 2732 2648 860062.exe 36 PID 2648 wrote to memory of 2732 2648 860062.exe 36 PID 2648 wrote to memory of 2732 2648 860062.exe 36 PID 2648 wrote to memory of 2732 2648 860062.exe 36 PID 2732 wrote to memory of 2672 2732 jjddv.exe 37 PID 2732 wrote to memory of 2672 2732 jjddv.exe 37 PID 2732 wrote to memory of 2672 2732 jjddv.exe 37 PID 2732 wrote to memory of 2672 2732 jjddv.exe 37 PID 2672 wrote to memory of 2948 2672 08882.exe 38 PID 2672 wrote to memory of 2948 2672 08882.exe 38 PID 2672 wrote to memory of 2948 2672 08882.exe 38 PID 2672 wrote to memory of 2948 2672 08882.exe 38 PID 2948 wrote to memory of 2992 2948 dpvvv.exe 39 PID 2948 wrote to 
memory of 2992 2948 dpvvv.exe 39 PID 2948 wrote to memory of 2992 2948 dpvvv.exe 39 PID 2948 wrote to memory of 2992 2948 dpvvv.exe 39 PID 2992 wrote to memory of 1200 2992 ffllxxr.exe 40 PID 2992 wrote to memory of 1200 2992 ffllxxr.exe 40 PID 2992 wrote to memory of 1200 2992 ffllxxr.exe 40 PID 2992 wrote to memory of 1200 2992 ffllxxr.exe 40 PID 1200 wrote to memory of 2056 1200 660624.exe 41 PID 1200 wrote to memory of 2056 1200 660624.exe 41 PID 1200 wrote to memory of 2056 1200 660624.exe 41 PID 1200 wrote to memory of 2056 1200 660624.exe 41 PID 2056 wrote to memory of 3056 2056 080268.exe 42 PID 2056 wrote to memory of 3056 2056 080268.exe 42 PID 2056 wrote to memory of 3056 2056 080268.exe 42 PID 2056 wrote to memory of 3056 2056 080268.exe 42 PID 3056 wrote to memory of 2984 3056 ddvdj.exe 43 PID 3056 wrote to memory of 2984 3056 ddvdj.exe 43 PID 3056 wrote to memory of 2984 3056 ddvdj.exe 43 PID 3056 wrote to memory of 2984 3056 ddvdj.exe 43 PID 2984 wrote to memory of 1164 2984 4800280.exe 44 PID 2984 wrote to memory of 1164 2984 4800280.exe 44 PID 2984 wrote to memory of 1164 2984 4800280.exe 44 PID 2984 wrote to memory of 1164 2984 4800280.exe 44 PID 1164 wrote to memory of 2688 1164 g4242.exe 45 PID 1164 wrote to memory of 2688 1164 g4242.exe 45 PID 1164 wrote to memory of 2688 1164 g4242.exe 45 PID 1164 wrote to memory of 2688 1164 g4242.exe 45 PID 2688 wrote to memory of 760 2688 dddjj.exe 46 PID 2688 wrote to memory of 760 2688 dddjj.exe 46 PID 2688 wrote to memory of 760 2688 dddjj.exe 46 PID 2688 wrote to memory of 760 2688 dddjj.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\bef3cdcc0047b124a5e96f46a5eb49b59fc27b245f7934783c1f8e1b949daf45.exe"C:\Users\Admin\AppData\Local\Temp\bef3cdcc0047b124a5e96f46a5eb49b59fc27b245f7934783c1f8e1b949daf45.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\ntnbtb.exec:\ntnbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\3xlrflx.exec:\3xlrflx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\pdjjv.exec:\pdjjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\bbhbnt.exec:\bbhbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\860062.exec:\860062.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\jjddv.exec:\jjddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\08882.exec:\08882.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\dpvvv.exec:\dpvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\ffllxxr.exec:\ffllxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\660624.exec:\660624.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\080268.exec:\080268.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\ddvdj.exec:\ddvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\4800280.exec:\4800280.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\g4242.exec:\g4242.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\dddjj.exec:\dddjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\nhnttt.exec:\nhnttt.exe17⤵
- Executes dropped EXE
PID:760 -
\??\c:\pjjpj.exec:\pjjpj.exe18⤵
- Executes dropped EXE
PID:684 -
\??\c:\pjdpv.exec:\pjdpv.exe19⤵
- Executes dropped EXE
PID:2596 -
\??\c:\9jdpv.exec:\9jdpv.exe20⤵
- Executes dropped EXE
PID:1804 -
\??\c:\04242.exec:\04242.exe21⤵
- Executes dropped EXE
PID:568 -
\??\c:\6040842.exec:\6040842.exe22⤵
- Executes dropped EXE
PID:340 -
\??\c:\e68244.exec:\e68244.exe23⤵
- Executes dropped EXE
PID:1872 -
\??\c:\0402024.exec:\0402024.exe24⤵
- Executes dropped EXE
PID:1724 -
\??\c:\lffxxfl.exec:\lffxxfl.exe25⤵
- Executes dropped EXE
PID:1972 -
\??\c:\djjpv.exec:\djjpv.exe26⤵
- Executes dropped EXE
PID:2408 -
\??\c:\0804040.exec:\0804040.exe27⤵
- Executes dropped EXE
PID:2356 -
\??\c:\1pvjj.exec:\1pvjj.exe28⤵
- Executes dropped EXE
PID:2144 -
\??\c:\g0446.exec:\g0446.exe29⤵
- Executes dropped EXE
PID:1736 -
\??\c:\tntnht.exec:\tntnht.exe30⤵
- Executes dropped EXE
PID:1576 -
\??\c:\w26206.exec:\w26206.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:892 -
\??\c:\486624.exec:\486624.exe32⤵
- Executes dropped EXE
PID:2072 -
\??\c:\04802.exec:\04802.exe33⤵
- Executes dropped EXE
PID:2884 -
\??\c:\nhbtnt.exec:\nhbtnt.exe34⤵
- Executes dropped EXE
PID:2108 -
\??\c:\04206.exec:\04206.exe35⤵
- Executes dropped EXE
PID:2900 -
\??\c:\9vvvd.exec:\9vvvd.exe36⤵
- Executes dropped EXE
PID:2780 -
\??\c:\82008.exec:\82008.exe37⤵
- Executes dropped EXE
PID:2920 -
\??\c:\44488.exec:\44488.exe38⤵
- Executes dropped EXE
PID:2908 -
\??\c:\2806840.exec:\2806840.exe39⤵
- Executes dropped EXE
PID:2656 -
\??\c:\k64060.exec:\k64060.exe40⤵
- Executes dropped EXE
PID:2612 -
\??\c:\o442844.exec:\o442844.exe41⤵
- Executes dropped EXE
PID:1616 -
\??\c:\hbnbnb.exec:\hbnbnb.exe42⤵
- Executes dropped EXE
PID:2104 -
\??\c:\tnhnbb.exec:\tnhnbb.exe43⤵
- Executes dropped EXE
PID:2172 -
\??\c:\0484824.exec:\0484824.exe44⤵
- Executes dropped EXE
PID:2476 -
\??\c:\08246.exec:\08246.exe45⤵
- Executes dropped EXE
PID:2432 -
\??\c:\82284.exec:\82284.exe46⤵
- Executes dropped EXE
PID:2544 -
\??\c:\0868620.exec:\0868620.exe47⤵
- Executes dropped EXE
PID:2820 -
\??\c:\xrxlrrf.exec:\xrxlrrf.exe48⤵
- Executes dropped EXE
PID:2996 -
\??\c:\7thhtb.exec:\7thhtb.exe49⤵
- Executes dropped EXE
PID:2712 -
\??\c:\3hntbt.exec:\3hntbt.exe50⤵
- Executes dropped EXE
PID:2972 -
\??\c:\5hbhnb.exec:\5hbhnb.exe51⤵
- Executes dropped EXE
PID:668 -
\??\c:\42064.exec:\42064.exe52⤵
- Executes dropped EXE
PID:2008 -
\??\c:\04680.exec:\04680.exe53⤵
- Executes dropped EXE
PID:1304 -
\??\c:\6028280.exec:\6028280.exe54⤵
- Executes dropped EXE
PID:1916 -
\??\c:\s0228.exec:\s0228.exe55⤵
- Executes dropped EXE
PID:332 -
\??\c:\04280.exec:\04280.exe56⤵
- Executes dropped EXE
PID:1792 -
\??\c:\8202624.exec:\8202624.exe57⤵
- Executes dropped EXE
PID:2188 -
\??\c:\bhbbhn.exec:\bhbbhn.exe58⤵
- Executes dropped EXE
PID:2396 -
\??\c:\rrllllf.exec:\rrllllf.exe59⤵
- Executes dropped EXE
PID:568 -
\??\c:\2602068.exec:\2602068.exe60⤵
- Executes dropped EXE
PID:1928 -
\??\c:\82062.exec:\82062.exe61⤵
- Executes dropped EXE
PID:672 -
\??\c:\8606284.exec:\8606284.exe62⤵
- Executes dropped EXE
PID:496 -
\??\c:\vpdvp.exec:\vpdvp.exe63⤵
- Executes dropped EXE
PID:2404 -
\??\c:\680206.exec:\680206.exe64⤵
- Executes dropped EXE
PID:1408 -
\??\c:\xrlxflx.exec:\xrlxflx.exe65⤵
- Executes dropped EXE
PID:1716 -
\??\c:\6028002.exec:\6028002.exe66⤵PID:2216
-
\??\c:\w20240.exec:\w20240.exe67⤵PID:1628
-
\??\c:\tnhnbb.exec:\tnhnbb.exe68⤵PID:2144
-
\??\c:\0080842.exec:\0080842.exe69⤵PID:1736
-
\??\c:\k26684.exec:\k26684.exe70⤵PID:1212
-
\??\c:\60844.exec:\60844.exe71⤵PID:2372
-
\??\c:\04284.exec:\04284.exe72⤵PID:1748
-
\??\c:\0406884.exec:\0406884.exe73⤵PID:1740
-
\??\c:\602404.exec:\602404.exe74⤵PID:1584
-
\??\c:\fflrfrl.exec:\fflrfrl.exe75⤵PID:2400
-
\??\c:\606682.exec:\606682.exe76⤵PID:2936
-
\??\c:\9rxfrrl.exec:\9rxfrrl.exe77⤵PID:2736
-
\??\c:\dpdpd.exec:\dpdpd.exe78⤵PID:2784
-
\??\c:\820284.exec:\820284.exe79⤵PID:2920
-
\??\c:\004206.exec:\004206.exe80⤵PID:2644
-
\??\c:\g6040.exec:\g6040.exe81⤵PID:2656
-
\??\c:\604022.exec:\604022.exe82⤵PID:2788
-
\??\c:\9dppp.exec:\9dppp.exe83⤵PID:2428
-
\??\c:\dpvvv.exec:\dpvvv.exe84⤵PID:1068
-
\??\c:\4280668.exec:\4280668.exe85⤵PID:1864
-
\??\c:\6422442.exec:\6422442.exe86⤵PID:2452
-
\??\c:\9xffrrx.exec:\9xffrrx.exe87⤵PID:2300
-
\??\c:\462444.exec:\462444.exe88⤵PID:3012
-
\??\c:\u802006.exec:\u802006.exe89⤵PID:2960
-
\??\c:\a0828.exec:\a0828.exe90⤵PID:2836
-
\??\c:\nbnttn.exec:\nbnttn.exe91⤵PID:3024
-
\??\c:\u604606.exec:\u604606.exe92⤵PID:2808
-
\??\c:\k24060.exec:\k24060.exe93⤵PID:1164
-
\??\c:\xlrrfxr.exec:\xlrrfxr.exe94⤵PID:2708
-
\??\c:\rflxfxx.exec:\rflxfxx.exe95⤵PID:760
-
\??\c:\nbtbhn.exec:\nbtbhn.exe96⤵PID:484
-
\??\c:\tnbhtt.exec:\tnbhtt.exe97⤵PID:2180
-
\??\c:\9nhtbh.exec:\9nhtbh.exe98⤵PID:2080
-
\??\c:\620244.exec:\620244.exe99⤵PID:776
-
\??\c:\k86282.exec:\k86282.exe100⤵PID:2068
-
\??\c:\0848044.exec:\0848044.exe101⤵PID:2560
-
\??\c:\82406.exec:\82406.exe102⤵PID:1572
-
\??\c:\jvjpv.exec:\jvjpv.exe103⤵PID:2572
-
\??\c:\1frllll.exec:\1frllll.exe104⤵PID:1108
-
\??\c:\c266662.exec:\c266662.exe105⤵PID:1996
-
\??\c:\dppvv.exec:\dppvv.exe106⤵PID:1368
-
\??\c:\202600.exec:\202600.exe107⤵PID:1776
-
\??\c:\hbhhnh.exec:\hbhhnh.exe108⤵PID:2540
-
\??\c:\5ttnhh.exec:\5ttnhh.exe109⤵PID:2376
-
\??\c:\nhnbnb.exec:\nhnbnb.exe110⤵PID:1076
-
\??\c:\pvdpp.exec:\pvdpp.exe111⤵PID:352
-
\??\c:\rfrxllr.exec:\rfrxllr.exe112⤵PID:1004
-
\??\c:\6466262.exec:\6466262.exe113⤵PID:2700
-
\??\c:\868066.exec:\868066.exe114⤵PID:2012
-
\??\c:\68488.exec:\68488.exe115⤵PID:2464
-
\??\c:\xlrffff.exec:\xlrffff.exe116⤵PID:1152
-
\??\c:\jvppd.exec:\jvppd.exe117⤵PID:1812
-
\??\c:\dvddd.exec:\dvddd.exe118⤵PID:2392
-
\??\c:\3vjdd.exec:\3vjdd.exe119⤵PID:2912
-
\??\c:\04606.exec:\04606.exe120⤵PID:2204
-
\??\c:\flxrxrf.exec:\flxrxrf.exe121⤵PID:2148
-
\??\c:\a8002.exec:\a8002.exe122⤵PID:2448