Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 22:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe
-
Size
456KB
-
MD5
9ab36710d88b6fdc29a5a105751ea325
-
SHA1
8043c3be812e13705b518177a0798a43751d7cce
-
SHA256
72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58
-
SHA512
0554672c159e4101b907628ea6bc98189aa240d725b6e817f002be67580da1f776fb149bdacf75200257684b076d0c8f87ef0438d5213a54b70c5e72615f1961
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2592-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-122-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1308-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/648-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-206-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1908-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-210-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2032-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/984-259-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2348-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/384-278-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/316-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-306-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2612-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-311-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2404-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-329-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2132-336-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-357-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/2688-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-383-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1376-422-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3008-428-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2324-461-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1592-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1684-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-634-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2672-655-0x0000000000280000-0x00000000002AA000-memory.dmp family_blackmoon behavioral1/memory/2720-662-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2980-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-727-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1264-734-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/3024-762-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1756-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-828-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2668-930-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1544 7pjjj.exe 1752 u208406.exe 1688 nnnhhb.exe 2008 hhbnbh.exe 2252 lxlfffr.exe 2860 bbtthn.exe 2820 thtthh.exe 2936 5jvvp.exe 2692 2640228.exe 2776 04668.exe 2696 nhbbhn.exe 2512 86846.exe 1308 7nbhtt.exe 2972 vpjvd.exe 2732 k64060.exe 1780 lfflxxl.exe 1952 82068.exe 1988 dddjj.exe 3064 xlrxlfl.exe 1596 dvjjp.exe 648 1vpvd.exe 1908 o084664.exe 1368 8062206.exe 2032 w60022.exe 2028 086200.exe 1288 48628.exe 2240 ttntbb.exe 984 xrflxfr.exe 2348 hhbhtt.exe 384 q24082.exe 316 pppjd.exe 2616 646060.exe 1540 1fxxffr.exe 2612 20802.exe 2404 04284.exe 1420 08002.exe 2132 608422.exe 2804 26402.exe 2812 08624.exe 2792 lfrxfxl.exe 1636 s2068.exe 2672 ntnthn.exe 2688 w60648.exe 1936 08668.exe 2728 tntbhh.exe 2676 s4662.exe 2596 q00084.exe 1340 68444.exe 2988 fxlrffx.exe 1376 vdjpp.exe 3008 028882.exe 1956 bntttn.exe 2572 bnttbb.exe 3000 m8008.exe 468 0426446.exe 2324 s2284.exe 3048 604028.exe 1664 642288.exe 552 4244480.exe 648 httbbb.exe 1356 4806880.exe 1592 6084624.exe 1368 4200668.exe 1676 o200224.exe -
resource yara_rule behavioral1/memory/2592-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/648-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-206-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1908-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-210-0x00000000003A0000-0x00000000003CA000-memory.dmp upx 
behavioral1/memory/2032-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/336-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-802-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1756-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/492-860-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-930-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i084006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8640268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6466622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6082446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48282.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 442802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2592 wrote to memory of 1544 2592 72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe 30 PID 2592 wrote to memory of 1544 2592 72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe 30 PID 2592 wrote to memory of 1544 2592 72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe 30 PID 2592 wrote to memory of 1544 2592 72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe 30 PID 1544 wrote to memory of 1752 1544 7pjjj.exe 31 PID 1544 wrote to memory of 1752 1544 7pjjj.exe 31 PID 1544 wrote to memory of 1752 1544 7pjjj.exe 31 PID 1544 wrote to memory of 1752 1544 7pjjj.exe 31 PID 1752 wrote to memory of 1688 1752 u208406.exe 32 PID 1752 wrote to memory of 1688 1752 u208406.exe 32 PID 1752 wrote to memory of 1688 1752 u208406.exe 32 PID 1752 wrote to memory of 1688 1752 u208406.exe 32 PID 1688 wrote to memory of 2008 1688 nnnhhb.exe 33 PID 1688 wrote to memory of 2008 1688 nnnhhb.exe 33 PID 1688 wrote to memory of 2008 1688 nnnhhb.exe 33 PID 1688 wrote to memory of 2008 1688 nnnhhb.exe 33 PID 2008 wrote to memory of 2252 2008 hhbnbh.exe 34 PID 2008 wrote to memory of 2252 2008 hhbnbh.exe 34 PID 2008 wrote to memory of 2252 2008 hhbnbh.exe 34 PID 2008 wrote to memory of 2252 2008 hhbnbh.exe 34 PID 2252 wrote to memory of 2860 2252 lxlfffr.exe 35 PID 2252 wrote to memory of 2860 2252 lxlfffr.exe 35 PID 2252 wrote to memory of 2860 2252 lxlfffr.exe 35 PID 2252 wrote to memory of 2860 2252 lxlfffr.exe 35 PID 2860 wrote to memory of 2820 2860 bbtthn.exe 36 PID 2860 wrote to memory of 2820 2860 bbtthn.exe 36 PID 2860 wrote to memory of 2820 2860 bbtthn.exe 36 PID 2860 wrote to memory of 2820 2860 bbtthn.exe 36 PID 2820 wrote to memory of 2936 2820 thtthh.exe 37 PID 2820 wrote to memory of 2936 2820 thtthh.exe 37 PID 2820 wrote to memory of 2936 2820 thtthh.exe 37 PID 2820 wrote to memory of 2936 2820 thtthh.exe 37 PID 2936 wrote to memory of 2692 2936 5jvvp.exe 38 PID 2936 
wrote to memory of 2692 2936 5jvvp.exe 38 PID 2936 wrote to memory of 2692 2936 5jvvp.exe 38 PID 2936 wrote to memory of 2692 2936 5jvvp.exe 38 PID 2692 wrote to memory of 2776 2692 2640228.exe 39 PID 2692 wrote to memory of 2776 2692 2640228.exe 39 PID 2692 wrote to memory of 2776 2692 2640228.exe 39 PID 2692 wrote to memory of 2776 2692 2640228.exe 39 PID 2776 wrote to memory of 2696 2776 04668.exe 40 PID 2776 wrote to memory of 2696 2776 04668.exe 40 PID 2776 wrote to memory of 2696 2776 04668.exe 40 PID 2776 wrote to memory of 2696 2776 04668.exe 40 PID 2696 wrote to memory of 2512 2696 nhbbhn.exe 41 PID 2696 wrote to memory of 2512 2696 nhbbhn.exe 41 PID 2696 wrote to memory of 2512 2696 nhbbhn.exe 41 PID 2696 wrote to memory of 2512 2696 nhbbhn.exe 41 PID 2512 wrote to memory of 1308 2512 86846.exe 42 PID 2512 wrote to memory of 1308 2512 86846.exe 42 PID 2512 wrote to memory of 1308 2512 86846.exe 42 PID 2512 wrote to memory of 1308 2512 86846.exe 42 PID 1308 wrote to memory of 2972 1308 7nbhtt.exe 43 PID 1308 wrote to memory of 2972 1308 7nbhtt.exe 43 PID 1308 wrote to memory of 2972 1308 7nbhtt.exe 43 PID 1308 wrote to memory of 2972 1308 7nbhtt.exe 43 PID 2972 wrote to memory of 2732 2972 vpjvd.exe 44 PID 2972 wrote to memory of 2732 2972 vpjvd.exe 44 PID 2972 wrote to memory of 2732 2972 vpjvd.exe 44 PID 2972 wrote to memory of 2732 2972 vpjvd.exe 44 PID 2732 wrote to memory of 1780 2732 k64060.exe 45 PID 2732 wrote to memory of 1780 2732 k64060.exe 45 PID 2732 wrote to memory of 1780 2732 k64060.exe 45 PID 2732 wrote to memory of 1780 2732 k64060.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe"C:\Users\Admin\AppData\Local\Temp\72fd13f397b534c2b12cc0a080b679ceaabd429ba239d3f5fb663232d74ade58.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\7pjjj.exec:\7pjjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\u208406.exec:\u208406.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\nnnhhb.exec:\nnnhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\hhbnbh.exec:\hhbnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\lxlfffr.exec:\lxlfffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\bbtthn.exec:\bbtthn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\thtthh.exec:\thtthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\5jvvp.exec:\5jvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\2640228.exec:\2640228.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\04668.exec:\04668.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\nhbbhn.exec:\nhbbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\86846.exec:\86846.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\7nbhtt.exec:\7nbhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\vpjvd.exec:\vpjvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\k64060.exec:\k64060.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\lfflxxl.exec:\lfflxxl.exe17⤵
- Executes dropped EXE
PID:1780 -
\??\c:\82068.exec:\82068.exe18⤵
- Executes dropped EXE
PID:1952 -
\??\c:\dddjj.exec:\dddjj.exe19⤵
- Executes dropped EXE
PID:1988 -
\??\c:\xlrxlfl.exec:\xlrxlfl.exe20⤵
- Executes dropped EXE
PID:3064 -
\??\c:\dvjjp.exec:\dvjjp.exe21⤵
- Executes dropped EXE
PID:1596 -
\??\c:\1vpvd.exec:\1vpvd.exe22⤵
- Executes dropped EXE
PID:648 -
\??\c:\o084664.exec:\o084664.exe23⤵
- Executes dropped EXE
PID:1908 -
\??\c:\8062206.exec:\8062206.exe24⤵
- Executes dropped EXE
PID:1368 -
\??\c:\w60022.exec:\w60022.exe25⤵
- Executes dropped EXE
PID:2032 -
\??\c:\086200.exec:\086200.exe26⤵
- Executes dropped EXE
PID:2028 -
\??\c:\48628.exec:\48628.exe27⤵
- Executes dropped EXE
PID:1288 -
\??\c:\ttntbb.exec:\ttntbb.exe28⤵
- Executes dropped EXE
PID:2240 -
\??\c:\xrflxfr.exec:\xrflxfr.exe29⤵
- Executes dropped EXE
PID:984 -
\??\c:\hhbhtt.exec:\hhbhtt.exe30⤵
- Executes dropped EXE
PID:2348 -
\??\c:\q24082.exec:\q24082.exe31⤵
- Executes dropped EXE
PID:384 -
\??\c:\pppjd.exec:\pppjd.exe32⤵
- Executes dropped EXE
PID:316 -
\??\c:\646060.exec:\646060.exe33⤵
- Executes dropped EXE
PID:2616 -
\??\c:\1fxxffr.exec:\1fxxffr.exe34⤵
- Executes dropped EXE
PID:1540 -
\??\c:\20802.exec:\20802.exe35⤵
- Executes dropped EXE
PID:2612 -
\??\c:\04284.exec:\04284.exe36⤵
- Executes dropped EXE
PID:2404 -
\??\c:\08002.exec:\08002.exe37⤵
- Executes dropped EXE
PID:1420 -
\??\c:\608422.exec:\608422.exe38⤵
- Executes dropped EXE
PID:2132 -
\??\c:\26402.exec:\26402.exe39⤵
- Executes dropped EXE
PID:2804 -
\??\c:\08624.exec:\08624.exe40⤵
- Executes dropped EXE
PID:2812 -
\??\c:\lfrxfxl.exec:\lfrxfxl.exe41⤵
- Executes dropped EXE
PID:2792 -
\??\c:\s2068.exec:\s2068.exe42⤵
- Executes dropped EXE
PID:1636 -
\??\c:\ntnthn.exec:\ntnthn.exe43⤵
- Executes dropped EXE
PID:2672 -
\??\c:\w60648.exec:\w60648.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\08668.exec:\08668.exe45⤵
- Executes dropped EXE
PID:1936 -
\??\c:\tntbhh.exec:\tntbhh.exe46⤵
- Executes dropped EXE
PID:2728 -
\??\c:\s4662.exec:\s4662.exe47⤵
- Executes dropped EXE
PID:2676 -
\??\c:\q00084.exec:\q00084.exe48⤵
- Executes dropped EXE
PID:2596 -
\??\c:\68444.exec:\68444.exe49⤵
- Executes dropped EXE
PID:1340 -
\??\c:\fxlrffx.exec:\fxlrffx.exe50⤵
- Executes dropped EXE
PID:2988 -
\??\c:\vdjpp.exec:\vdjpp.exe51⤵
- Executes dropped EXE
PID:1376 -
\??\c:\028882.exec:\028882.exe52⤵
- Executes dropped EXE
PID:3008 -
\??\c:\bntttn.exec:\bntttn.exe53⤵
- Executes dropped EXE
PID:1956 -
\??\c:\bnttbb.exec:\bnttbb.exe54⤵
- Executes dropped EXE
PID:2572 -
\??\c:\m8008.exec:\m8008.exe55⤵
- Executes dropped EXE
PID:3000 -
\??\c:\0426446.exec:\0426446.exe56⤵
- Executes dropped EXE
PID:468 -
\??\c:\s2284.exec:\s2284.exe57⤵
- Executes dropped EXE
PID:2324 -
\??\c:\604028.exec:\604028.exe58⤵
- Executes dropped EXE
PID:3048 -
\??\c:\642288.exec:\642288.exe59⤵
- Executes dropped EXE
PID:1664 -
\??\c:\4244480.exec:\4244480.exe60⤵
- Executes dropped EXE
PID:552 -
\??\c:\httbbb.exec:\httbbb.exe61⤵
- Executes dropped EXE
PID:648 -
\??\c:\4806880.exec:\4806880.exe62⤵
- Executes dropped EXE
PID:1356 -
\??\c:\6084624.exec:\6084624.exe63⤵
- Executes dropped EXE
PID:1592 -
\??\c:\4200668.exec:\4200668.exe64⤵
- Executes dropped EXE
PID:1368 -
\??\c:\o200224.exec:\o200224.exe65⤵
- Executes dropped EXE
PID:1676 -
\??\c:\xlxfllx.exec:\xlxfllx.exe66⤵PID:1684
-
\??\c:\64280.exec:\64280.exe67⤵PID:2156
-
\??\c:\jdppd.exec:\jdppd.exe68⤵PID:1872
-
\??\c:\1ffrxfl.exec:\1ffrxfl.exe69⤵PID:2280
-
\??\c:\1xlflrr.exec:\1xlflrr.exe70⤵PID:2236
-
\??\c:\q42240.exec:\q42240.exe71⤵PID:2568
-
\??\c:\48280.exec:\48280.exe72⤵PID:336
-
\??\c:\rrfrlll.exec:\rrfrlll.exe73⤵PID:1920
-
\??\c:\fxllffl.exec:\fxllffl.exe74⤵PID:316
-
\??\c:\3lxrxrr.exec:\3lxrxrr.exe75⤵PID:2592
-
\??\c:\xrffrxf.exec:\xrffrxf.exe76⤵PID:1692
-
\??\c:\nbhhhb.exec:\nbhhhb.exe77⤵PID:2408
-
\??\c:\6046842.exec:\6046842.exe78⤵PID:1744
-
\??\c:\486888.exec:\486888.exe79⤵PID:2404
-
\??\c:\48286.exec:\48286.exe80⤵PID:1420
-
\??\c:\dpddv.exec:\dpddv.exe81⤵PID:2872
-
\??\c:\llxxflx.exec:\llxxflx.exe82⤵PID:2804
-
\??\c:\w84428.exec:\w84428.exe83⤵PID:2888
-
\??\c:\btnthh.exec:\btnthh.exe84⤵PID:2792
-
\??\c:\a2624.exec:\a2624.exe85⤵PID:2892
-
\??\c:\9vpvd.exec:\9vpvd.exe86⤵PID:2672
-
\??\c:\k20020.exec:\k20020.exe87⤵PID:2720
-
\??\c:\vpvvj.exec:\vpvvj.exe88⤵PID:2736
-
\??\c:\4284662.exec:\4284662.exe89⤵PID:2728
-
\??\c:\pjdjj.exec:\pjdjj.exe90⤵PID:2436
-
\??\c:\468888.exec:\468888.exe91⤵PID:2508
-
\??\c:\80640.exec:\80640.exe92⤵PID:2980
-
\??\c:\5xrflff.exec:\5xrflff.exe93⤵PID:2988
-
\??\c:\vjvvv.exec:\vjvvv.exe94⤵PID:2724
-
\??\c:\9lxffff.exec:\9lxffff.exe95⤵PID:108
-
\??\c:\jjppv.exec:\jjppv.exe96⤵PID:1900
-
\??\c:\lxllflr.exec:\lxllflr.exe97⤵PID:2572
-
\??\c:\8640268.exec:\8640268.exe98⤵
- System Location Discovery: System Language Discovery
PID:1264 -
\??\c:\o020222.exec:\o020222.exe99⤵PID:3056
-
\??\c:\200482.exec:\200482.exe100⤵PID:3044
-
\??\c:\680844.exec:\680844.exe101⤵PID:1072
-
\??\c:\e08844.exec:\e08844.exe102⤵PID:3024
-
\??\c:\240488.exec:\240488.exe103⤵PID:1972
-
\??\c:\thhbbt.exec:\thhbbt.exe104⤵PID:2360
-
\??\c:\xrllxxr.exec:\xrllxxr.exe105⤵PID:2640
-
\??\c:\dvpvj.exec:\dvpvj.exe106⤵PID:1756
-
\??\c:\60220.exec:\60220.exe107⤵PID:1508
-
\??\c:\2460000.exec:\2460000.exe108⤵PID:1792
-
\??\c:\86886.exec:\86886.exe109⤵PID:1288
-
\??\c:\42044.exec:\42044.exe110⤵PID:288
-
\??\c:\lxffllr.exec:\lxffllr.exe111⤵PID:2484
-
\??\c:\hhtnnh.exec:\hhtnnh.exe112⤵PID:2044
-
\??\c:\hbtnbt.exec:\hbtnbt.exe113⤵PID:2236
-
\??\c:\9htnbt.exec:\9htnbt.exe114⤵PID:2456
-
\??\c:\42024.exec:\42024.exe115⤵PID:336
-
\??\c:\202264.exec:\202264.exe116⤵PID:1920
-
\??\c:\jdvdp.exec:\jdvdp.exe117⤵PID:1544
-
\??\c:\1pjjp.exec:\1pjjp.exe118⤵PID:492
-
\??\c:\bnttnh.exec:\bnttnh.exe119⤵PID:1628
-
\??\c:\pdppv.exec:\pdppv.exe120⤵PID:2408
-
\??\c:\8886060.exec:\8886060.exe121⤵PID:1744
-
\??\c:\42062.exec:\42062.exe122⤵PID:2404