Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 22:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe
-
Size
454KB
-
MD5
d8bb4b686882d9513e81344cef3e84f0
-
SHA1
caeca27ea26e29b7eb91ebe3962ca4f0b4f9dfd0
-
SHA256
3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9c
-
SHA512
177bc87bb55b151bc85decdc7833ddb08ebae350ad15270cf173eb19540390961159baf94421f447d50f454d884102bc22fd0ffd60f7725748e38892a82c1e60
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/1164-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-63-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2660-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2528-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-138-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1992-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-207-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1228-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1984-254-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1644-267-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/352-272-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/2216-292-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2216-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-352-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2816-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-374-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2980-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/340-406-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1992-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-449-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/840-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/880-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2684-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1116-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-949-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-990-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1232-1105-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3044-1174-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2792-1181-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1636-1218-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1500 ddvpd.exe 2484 082860.exe 3004 vppvp.exe 2884 860084.exe 2672 9xrrxlx.exe 2908 8004282.exe 2660 8202402.exe 2808 442480.exe 2440 9ttnhb.exe 2528 2608208.exe 2456 9jjvp.exe 2192 m8068.exe 1080 xffrrlr.exe 640 htttnt.exe 1992 7hbnhh.exe 1964 44802.exe 1788 486284.exe 556 u262442.exe 2568 486800.exe 2588 7htbnt.exe 1628 ttbbtt.exe 448 86408.exe 1920 04888.exe 1228 484240.exe 1484 6080668.exe 1648 pjvjd.exe 1612 86806.exe 1984 bnbbbh.exe 1644 886206.exe 352 jvpvp.exe 880 48624.exe 2216 djpvv.exe 2468 2286606.exe 1660 btnntb.exe 2488 nnhthn.exe 3012 xllfxfx.exe 2800 862248.exe 2620 024466.exe 2884 rrlxrxx.exe 2636 hbbnbh.exe 2652 q64640.exe 2816 60402.exe 2824 pjdjv.exe 2756 8682406.exe 2560 26864.exe 2452 482028.exe 2980 24662.exe 340 rxlrffr.exe 2024 1hhnth.exe 1988 48624.exe 2084 048028.exe 1892 btntnn.exe 1992 lxfrrrr.exe 236 6602222.exe 2464 s4666.exe 2860 6668026.exe 1748 w20240.exe 1904 3jvpv.exe 1452 7rrxflx.exe 2372 dpjpv.exe 2396 042806.exe 1332 80284.exe 1668 bbhbnn.exe 840 dpjdd.exe -
resource yara_rule behavioral1/memory/1164-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-133-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1992-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-287-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2216-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2652-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-406-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1992-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-949-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1980-977-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-990-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1260-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/276-1029-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-1042-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-1061-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-1124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-1149-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2606442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q80644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxxlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6040886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8242480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c000620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2686284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1164 wrote to memory of 1500 1164 3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe 30 PID 1164 wrote to memory of 1500 1164 3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe 30 PID 1164 wrote to memory of 1500 1164 3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe 30 PID 1164 wrote to memory of 1500 1164 3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe 30 PID 1500 wrote to memory of 2484 1500 ddvpd.exe 31 PID 1500 wrote to memory of 2484 1500 ddvpd.exe 31 PID 1500 wrote to memory of 2484 1500 ddvpd.exe 31 PID 1500 wrote to memory of 2484 1500 ddvpd.exe 31 PID 2484 wrote to memory of 3004 2484 082860.exe 32 PID 2484 wrote to memory of 3004 2484 082860.exe 32 PID 2484 wrote to memory of 3004 2484 082860.exe 32 PID 2484 wrote to memory of 3004 2484 082860.exe 32 PID 3004 wrote to memory of 2884 3004 vppvp.exe 33 PID 3004 wrote to memory of 2884 3004 vppvp.exe 33 PID 3004 wrote to memory of 2884 3004 vppvp.exe 33 PID 3004 wrote to memory of 2884 3004 vppvp.exe 33 PID 2884 wrote to memory of 2672 2884 860084.exe 34 PID 2884 wrote to memory of 2672 2884 860084.exe 34 PID 2884 wrote to memory of 2672 2884 860084.exe 34 PID 2884 wrote to memory of 2672 2884 860084.exe 34 PID 2672 wrote to memory of 2908 2672 9xrrxlx.exe 35 PID 2672 wrote to memory of 2908 2672 9xrrxlx.exe 35 PID 2672 wrote to memory of 2908 2672 9xrrxlx.exe 35 PID 2672 wrote to memory of 2908 2672 9xrrxlx.exe 35 PID 2908 wrote to memory of 2660 2908 8004282.exe 36 PID 2908 wrote to memory of 2660 2908 8004282.exe 36 PID 2908 wrote to memory of 2660 2908 8004282.exe 36 PID 2908 wrote to memory of 2660 2908 8004282.exe 36 PID 2660 wrote to memory of 2808 2660 8202402.exe 37 PID 2660 wrote to memory of 2808 2660 8202402.exe 37 PID 2660 wrote to memory of 2808 2660 8202402.exe 37 PID 2660 wrote to memory of 2808 2660 8202402.exe 37 PID 2808 wrote to memory of 2440 2808 442480.exe 38 PID 
2808 wrote to memory of 2440 2808 442480.exe 38 PID 2808 wrote to memory of 2440 2808 442480.exe 38 PID 2808 wrote to memory of 2440 2808 442480.exe 38 PID 2440 wrote to memory of 2528 2440 9ttnhb.exe 39 PID 2440 wrote to memory of 2528 2440 9ttnhb.exe 39 PID 2440 wrote to memory of 2528 2440 9ttnhb.exe 39 PID 2440 wrote to memory of 2528 2440 9ttnhb.exe 39 PID 2528 wrote to memory of 2456 2528 2608208.exe 40 PID 2528 wrote to memory of 2456 2528 2608208.exe 40 PID 2528 wrote to memory of 2456 2528 2608208.exe 40 PID 2528 wrote to memory of 2456 2528 2608208.exe 40 PID 2456 wrote to memory of 2192 2456 9jjvp.exe 41 PID 2456 wrote to memory of 2192 2456 9jjvp.exe 41 PID 2456 wrote to memory of 2192 2456 9jjvp.exe 41 PID 2456 wrote to memory of 2192 2456 9jjvp.exe 41 PID 2192 wrote to memory of 1080 2192 m8068.exe 42 PID 2192 wrote to memory of 1080 2192 m8068.exe 42 PID 2192 wrote to memory of 1080 2192 m8068.exe 42 PID 2192 wrote to memory of 1080 2192 m8068.exe 42 PID 1080 wrote to memory of 640 1080 xffrrlr.exe 43 PID 1080 wrote to memory of 640 1080 xffrrlr.exe 43 PID 1080 wrote to memory of 640 1080 xffrrlr.exe 43 PID 1080 wrote to memory of 640 1080 xffrrlr.exe 43 PID 640 wrote to memory of 1992 640 htttnt.exe 44 PID 640 wrote to memory of 1992 640 htttnt.exe 44 PID 640 wrote to memory of 1992 640 htttnt.exe 44 PID 640 wrote to memory of 1992 640 htttnt.exe 44 PID 1992 wrote to memory of 1964 1992 7hbnhh.exe 45 PID 1992 wrote to memory of 1964 1992 7hbnhh.exe 45 PID 1992 wrote to memory of 1964 1992 7hbnhh.exe 45 PID 1992 wrote to memory of 1964 1992 7hbnhh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe"C:\Users\Admin\AppData\Local\Temp\3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\ddvpd.exec:\ddvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\082860.exec:\082860.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\vppvp.exec:\vppvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\860084.exec:\860084.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\9xrrxlx.exec:\9xrrxlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\8004282.exec:\8004282.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\8202402.exec:\8202402.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\442480.exec:\442480.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\9ttnhb.exec:\9ttnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\2608208.exec:\2608208.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\9jjvp.exec:\9jjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\m8068.exec:\m8068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\xffrrlr.exec:\xffrrlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\htttnt.exec:\htttnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\7hbnhh.exec:\7hbnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\44802.exec:\44802.exe17⤵
- Executes dropped EXE
PID:1964 -
\??\c:\486284.exec:\486284.exe18⤵
- Executes dropped EXE
PID:1788 -
\??\c:\u262442.exec:\u262442.exe19⤵
- Executes dropped EXE
PID:556 -
\??\c:\486800.exec:\486800.exe20⤵
- Executes dropped EXE
PID:2568 -
\??\c:\7htbnt.exec:\7htbnt.exe21⤵
- Executes dropped EXE
PID:2588 -
\??\c:\ttbbtt.exec:\ttbbtt.exe22⤵
- Executes dropped EXE
PID:1628 -
\??\c:\86408.exec:\86408.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\04888.exec:\04888.exe24⤵
- Executes dropped EXE
PID:1920 -
\??\c:\484240.exec:\484240.exe25⤵
- Executes dropped EXE
PID:1228 -
\??\c:\6080668.exec:\6080668.exe26⤵
- Executes dropped EXE
PID:1484 -
\??\c:\pjvjd.exec:\pjvjd.exe27⤵
- Executes dropped EXE
PID:1648 -
\??\c:\86806.exec:\86806.exe28⤵
- Executes dropped EXE
PID:1612 -
\??\c:\bnbbbh.exec:\bnbbbh.exe29⤵
- Executes dropped EXE
PID:1984 -
\??\c:\886206.exec:\886206.exe30⤵
- Executes dropped EXE
PID:1644 -
\??\c:\jvpvp.exec:\jvpvp.exe31⤵
- Executes dropped EXE
PID:352 -
\??\c:\48624.exec:\48624.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\djpvv.exec:\djpvv.exe33⤵
- Executes dropped EXE
PID:2216 -
\??\c:\2286606.exec:\2286606.exe34⤵
- Executes dropped EXE
PID:2468 -
\??\c:\btnntb.exec:\btnntb.exe35⤵
- Executes dropped EXE
PID:1660 -
\??\c:\nnhthn.exec:\nnhthn.exe36⤵
- Executes dropped EXE
PID:2488 -
\??\c:\xllfxfx.exec:\xllfxfx.exe37⤵
- Executes dropped EXE
PID:3012 -
\??\c:\862248.exec:\862248.exe38⤵
- Executes dropped EXE
PID:2800 -
\??\c:\024466.exec:\024466.exe39⤵
- Executes dropped EXE
PID:2620 -
\??\c:\rrlxrxx.exec:\rrlxrxx.exe40⤵
- Executes dropped EXE
PID:2884 -
\??\c:\hbbnbh.exec:\hbbnbh.exe41⤵
- Executes dropped EXE
PID:2636 -
\??\c:\q64640.exec:\q64640.exe42⤵
- Executes dropped EXE
PID:2652 -
\??\c:\60402.exec:\60402.exe43⤵
- Executes dropped EXE
PID:2816 -
\??\c:\pjdjv.exec:\pjdjv.exe44⤵
- Executes dropped EXE
PID:2824 -
\??\c:\8682406.exec:\8682406.exe45⤵
- Executes dropped EXE
PID:2756 -
\??\c:\26864.exec:\26864.exe46⤵
- Executes dropped EXE
PID:2560 -
\??\c:\482028.exec:\482028.exe47⤵
- Executes dropped EXE
PID:2452 -
\??\c:\24662.exec:\24662.exe48⤵
- Executes dropped EXE
PID:2980 -
\??\c:\rxlrffr.exec:\rxlrffr.exe49⤵
- Executes dropped EXE
PID:340 -
\??\c:\1hhnth.exec:\1hhnth.exe50⤵
- Executes dropped EXE
PID:2024 -
\??\c:\48624.exec:\48624.exe51⤵
- Executes dropped EXE
PID:1988 -
\??\c:\048028.exec:\048028.exe52⤵
- Executes dropped EXE
PID:2084 -
\??\c:\btntnn.exec:\btntnn.exe53⤵
- Executes dropped EXE
PID:1892 -
\??\c:\lxfrrrr.exec:\lxfrrrr.exe54⤵
- Executes dropped EXE
PID:1992 -
\??\c:\6602222.exec:\6602222.exe55⤵
- Executes dropped EXE
PID:236 -
\??\c:\s4666.exec:\s4666.exe56⤵
- Executes dropped EXE
PID:2464 -
\??\c:\6668026.exec:\6668026.exe57⤵
- Executes dropped EXE
PID:2860 -
\??\c:\w20240.exec:\w20240.exe58⤵
- Executes dropped EXE
PID:1748 -
\??\c:\3jvpv.exec:\3jvpv.exe59⤵
- Executes dropped EXE
PID:1904 -
\??\c:\7rrxflx.exec:\7rrxflx.exe60⤵
- Executes dropped EXE
PID:1452 -
\??\c:\dpjpv.exec:\dpjpv.exe61⤵
- Executes dropped EXE
PID:2372 -
\??\c:\042806.exec:\042806.exe62⤵
- Executes dropped EXE
PID:2396 -
\??\c:\80284.exec:\80284.exe63⤵
- Executes dropped EXE
PID:1332 -
\??\c:\bbhbnn.exec:\bbhbnn.exe64⤵
- Executes dropped EXE
PID:1668 -
\??\c:\dpjdd.exec:\dpjdd.exe65⤵
- Executes dropped EXE
PID:840 -
\??\c:\bhnnnh.exec:\bhnnnh.exe66⤵PID:1760
-
\??\c:\68664.exec:\68664.exe67⤵PID:1648
-
\??\c:\4266880.exec:\4266880.exe68⤵PID:1800
-
\??\c:\9lrffxx.exec:\9lrffxx.exe69⤵PID:2188
-
\??\c:\vvpjp.exec:\vvpjp.exe70⤵PID:2008
-
\??\c:\hthbnn.exec:\hthbnn.exe71⤵PID:1940
-
\??\c:\86020.exec:\86020.exe72⤵PID:1704
-
\??\c:\bhhnhh.exec:\bhhnhh.exe73⤵PID:2416
-
\??\c:\a8628.exec:\a8628.exe74⤵PID:880
-
\??\c:\lfflxfx.exec:\lfflxfx.exe75⤵PID:1864
-
\??\c:\9vpvp.exec:\9vpvp.exe76⤵PID:2096
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe77⤵PID:2076
-
\??\c:\pdpvd.exec:\pdpvd.exe78⤵PID:1660
-
\??\c:\s2680.exec:\s2680.exe79⤵PID:2352
-
\??\c:\7vjjp.exec:\7vjjp.exe80⤵PID:2804
-
\??\c:\1pjpj.exec:\1pjpj.exe81⤵PID:2888
-
\??\c:\pjpdj.exec:\pjpdj.exe82⤵PID:3048
-
\??\c:\tnhhnn.exec:\tnhhnn.exe83⤵PID:2884
-
\??\c:\26462.exec:\26462.exe84⤵PID:2684
-
\??\c:\thhbtb.exec:\thhbtb.exe85⤵PID:2644
-
\??\c:\6086802.exec:\6086802.exe86⤵PID:2536
-
\??\c:\22640.exec:\22640.exe87⤵PID:2808
-
\??\c:\042422.exec:\042422.exe88⤵PID:2700
-
\??\c:\0488468.exec:\0488468.exe89⤵PID:2768
-
\??\c:\0806688.exec:\0806688.exe90⤵PID:2560
-
\??\c:\hbtbhn.exec:\hbtbhn.exe91⤵PID:1916
-
\??\c:\6006442.exec:\6006442.exe92⤵PID:2192
-
\??\c:\ddvjj.exec:\ddvjj.exe93⤵PID:1600
-
\??\c:\i006280.exec:\i006280.exe94⤵PID:324
-
\??\c:\tnnttb.exec:\tnnttb.exe95⤵PID:1692
-
\??\c:\9rllrxr.exec:\9rllrxr.exe96⤵PID:1804
-
\??\c:\lfxllrf.exec:\lfxllrf.exe97⤵PID:1564
-
\??\c:\48624.exec:\48624.exe98⤵PID:1116
-
\??\c:\xxxfrxf.exec:\xxxfrxf.exe99⤵PID:2868
-
\??\c:\86024.exec:\86024.exe100⤵PID:2992
-
\??\c:\fxlllfl.exec:\fxlllfl.exe101⤵PID:1440
-
\??\c:\hbthtb.exec:\hbthtb.exe102⤵PID:2912
-
\??\c:\42402.exec:\42402.exe103⤵PID:2184
-
\??\c:\4828480.exec:\4828480.exe104⤵PID:448
-
\??\c:\1nhnbb.exec:\1nhnbb.exe105⤵PID:1524
-
\??\c:\s0280.exec:\s0280.exe106⤵PID:2040
-
\??\c:\g4886.exec:\g4886.exe107⤵PID:844
-
\??\c:\9fxxxxp.exec:\9fxxxxp.exe108⤵PID:1672
-
\??\c:\frffrxf.exec:\frffrxf.exe109⤵PID:2624
-
\??\c:\9nntbn.exec:\9nntbn.exe110⤵PID:1956
-
\??\c:\flffrxf.exec:\flffrxf.exe111⤵PID:536
-
\??\c:\a0228.exec:\a0228.exe112⤵PID:2248
-
\??\c:\ddvdj.exec:\ddvdj.exe113⤵PID:1448
-
\??\c:\464440.exec:\464440.exe114⤵PID:1264
-
\??\c:\44220.exec:\44220.exe115⤵PID:1704
-
\??\c:\9lxrffr.exec:\9lxrffr.exe116⤵PID:2416
-
\??\c:\djjvj.exec:\djjvj.exe117⤵PID:880
-
\??\c:\m2002.exec:\m2002.exe118⤵PID:1664
-
\??\c:\9jvvj.exec:\9jvvj.exe119⤵PID:1540
-
\??\c:\w80622.exec:\w80622.exe120⤵PID:2964
-
\??\c:\4862402.exec:\4862402.exe121⤵PID:2432
-
\??\c:\nhtbtt.exec:\nhtbtt.exe122⤵PID:2352