Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 03:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe
-
Size
454KB
-
MD5
1194c8f7783166fc7c9637e2169b4e65
-
SHA1
e66e589a3e64ee01a71a517a34a96d0853b24fbb
-
SHA256
d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1
-
SHA512
2ca85b93e68ccd966e632e2b18b97acbd32409025ded5e77a4389b9a40a4179b7bbe5f7f8263cab8ba530ed45dc6353ae7d74cd92c1964b1d4d7493936f332aa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2560-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-46-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2844-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-99-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2032-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/280-194-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/852-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2044-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-305-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1748-307-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2364-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1016-514-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1016-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-540-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2320-549-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/772-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-600-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/876-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1544-781-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1384-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-934-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/680-980-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1584-1069-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2652-1190-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2352 44802.exe 2360 q40284.exe 1900 884888.exe 2844 5nttnn.exe 2180 nbttbb.exe 2664 4200280.exe 2016 04040.exe 2688 nthbnn.exe 2704 20284.exe 2032 246020.exe 1084 9nhtbt.exe 3028 pjvvd.exe 2884 1xfxffl.exe 2980 frrfllx.exe 2904 1xllrrl.exe 1232 1xlrxfr.exe 1572 thbtbt.exe 2444 tbtbnb.exe 280 pjvdj.exe 2044 vpvvp.exe 852 82680.exe 1448 82668.exe 284 6048004.exe 2200 1dpjp.exe 1732 3vjpd.exe 1280 6428828.exe 2532 fflrfff.exe 2224 2862086.exe 1980 rlrxfxl.exe 2332 frlffxf.exe 1192 868404.exe 1748 48062.exe 2364 7tbnnn.exe 2956 ppvpp.exe 2288 hbtbnn.exe 2776 w20246.exe 2940 4824246.exe 2756 hnhtbn.exe 2400 608428.exe 2908 llrxfrl.exe 3056 xlxxfrf.exe 2632 hnhbnt.exe 2648 vppvj.exe 2460 2084286.exe 1036 2228402.exe 3016 vpjdj.exe 1416 jddjv.exe 2972 08662.exe 1480 088022.exe 3040 60806.exe 2984 04224.exe 2692 1vddd.exe 372 vpjjv.exe 860 frfflfl.exe 2072 4844462.exe 2268 w86688.exe 2444 xlrrrxl.exe 1908 1thntt.exe 1100 o200228.exe 2044 1fflrxr.exe 1320 0046446.exe 1544 480068.exe 1684 dpjdj.exe 1016 rfrlllr.exe -
resource yara_rule behavioral1/memory/2560-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-88-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2688-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-199-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/852-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-231-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1280-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-393-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/372-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/372-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-808-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2928-903-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-1077-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-1115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-1147-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8664000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
4228026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8206846.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2560 wrote to memory of 2352 2560 d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe 31 PID 2560 wrote to memory of 2352 2560 d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe 31 PID 2560 wrote to memory of 2352 2560 d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe 31 PID 2560 wrote to memory of 2352 2560 d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe 31 PID 2352 wrote to memory of 2360 2352 44802.exe 32 PID 2352 wrote to memory of 2360 2352 44802.exe 32 PID 2352 wrote to memory of 2360 2352 44802.exe 32 PID 2352 wrote to memory of 2360 2352 44802.exe 32 PID 2360 wrote to memory of 1900 2360 q40284.exe 33 PID 2360 wrote to memory of 1900 2360 q40284.exe 33 PID 2360 wrote to memory of 1900 2360 q40284.exe 33 PID 2360 wrote to memory of 1900 2360 q40284.exe 33 PID 1900 wrote to memory of 2844 1900 884888.exe 34 PID 1900 wrote to memory of 2844 1900 884888.exe 34 PID 1900 wrote to memory of 2844 1900 884888.exe 34 PID 1900 wrote to memory of 2844 1900 884888.exe 34 PID 2844 wrote to memory of 2180 2844 5nttnn.exe 35 PID 2844 wrote to memory of 2180 2844 5nttnn.exe 35 PID 2844 wrote to memory of 2180 2844 5nttnn.exe 35 PID 2844 wrote to memory of 2180 2844 5nttnn.exe 35 PID 2180 wrote to memory of 2664 2180 nbttbb.exe 36 PID 2180 wrote to memory of 2664 2180 nbttbb.exe 36 PID 2180 wrote to memory of 2664 2180 nbttbb.exe 36 PID 2180 wrote to memory of 2664 2180 nbttbb.exe 36 PID 2664 wrote to memory of 2016 2664 4200280.exe 37 PID 2664 wrote to memory of 2016 2664 4200280.exe 37 PID 2664 wrote to memory of 2016 2664 4200280.exe 37 PID 2664 wrote to memory of 2016 2664 4200280.exe 37 PID 2016 wrote to memory of 2688 2016 04040.exe 38 PID 2016 wrote to memory of 2688 2016 04040.exe 38 PID 2016 wrote to memory of 2688 2016 04040.exe 38 PID 2016 wrote to memory of 2688 2016 04040.exe 38 PID 2688 wrote to memory of 2704 2688 nthbnn.exe 39 PID 2688 wrote to 
memory of 2704 2688 nthbnn.exe 39 PID 2688 wrote to memory of 2704 2688 nthbnn.exe 39 PID 2688 wrote to memory of 2704 2688 nthbnn.exe 39 PID 2704 wrote to memory of 2032 2704 20284.exe 40 PID 2704 wrote to memory of 2032 2704 20284.exe 40 PID 2704 wrote to memory of 2032 2704 20284.exe 40 PID 2704 wrote to memory of 2032 2704 20284.exe 40 PID 2032 wrote to memory of 1084 2032 246020.exe 41 PID 2032 wrote to memory of 1084 2032 246020.exe 41 PID 2032 wrote to memory of 1084 2032 246020.exe 41 PID 2032 wrote to memory of 1084 2032 246020.exe 41 PID 1084 wrote to memory of 3028 1084 9nhtbt.exe 42 PID 1084 wrote to memory of 3028 1084 9nhtbt.exe 42 PID 1084 wrote to memory of 3028 1084 9nhtbt.exe 42 PID 1084 wrote to memory of 3028 1084 9nhtbt.exe 42 PID 3028 wrote to memory of 2884 3028 pjvvd.exe 43 PID 3028 wrote to memory of 2884 3028 pjvvd.exe 43 PID 3028 wrote to memory of 2884 3028 pjvvd.exe 43 PID 3028 wrote to memory of 2884 3028 pjvvd.exe 43 PID 2884 wrote to memory of 2980 2884 1xfxffl.exe 44 PID 2884 wrote to memory of 2980 2884 1xfxffl.exe 44 PID 2884 wrote to memory of 2980 2884 1xfxffl.exe 44 PID 2884 wrote to memory of 2980 2884 1xfxffl.exe 44 PID 2980 wrote to memory of 2904 2980 frrfllx.exe 45 PID 2980 wrote to memory of 2904 2980 frrfllx.exe 45 PID 2980 wrote to memory of 2904 2980 frrfllx.exe 45 PID 2980 wrote to memory of 2904 2980 frrfllx.exe 45 PID 2904 wrote to memory of 1232 2904 1xllrrl.exe 46 PID 2904 wrote to memory of 1232 2904 1xllrrl.exe 46 PID 2904 wrote to memory of 1232 2904 1xllrrl.exe 46 PID 2904 wrote to memory of 1232 2904 1xllrrl.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe"C:\Users\Admin\AppData\Local\Temp\d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\44802.exec:\44802.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\q40284.exec:\q40284.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\884888.exec:\884888.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\5nttnn.exec:\5nttnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\nbttbb.exec:\nbttbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\4200280.exec:\4200280.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\04040.exec:\04040.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\nthbnn.exec:\nthbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\20284.exec:\20284.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\246020.exec:\246020.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\9nhtbt.exec:\9nhtbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\pjvvd.exec:\pjvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\1xfxffl.exec:\1xfxffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\frrfllx.exec:\frrfllx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\1xllrrl.exec:\1xllrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\1xlrxfr.exec:\1xlrxfr.exe17⤵
- Executes dropped EXE
PID:1232 -
\??\c:\thbtbt.exec:\thbtbt.exe18⤵
- Executes dropped EXE
PID:1572 -
\??\c:\tbtbnb.exec:\tbtbnb.exe19⤵
- Executes dropped EXE
PID:2444 -
\??\c:\pjvdj.exec:\pjvdj.exe20⤵
- Executes dropped EXE
PID:280 -
\??\c:\vpvvp.exec:\vpvvp.exe21⤵
- Executes dropped EXE
PID:2044 -
\??\c:\82680.exec:\82680.exe22⤵
- Executes dropped EXE
PID:852 -
\??\c:\82668.exec:\82668.exe23⤵
- Executes dropped EXE
PID:1448 -
\??\c:\6048004.exec:\6048004.exe24⤵
- Executes dropped EXE
PID:284 -
\??\c:\1dpjp.exec:\1dpjp.exe25⤵
- Executes dropped EXE
PID:2200 -
\??\c:\3vjpd.exec:\3vjpd.exe26⤵
- Executes dropped EXE
PID:1732 -
\??\c:\6428828.exec:\6428828.exe27⤵
- Executes dropped EXE
PID:1280 -
\??\c:\fflrfff.exec:\fflrfff.exe28⤵
- Executes dropped EXE
PID:2532 -
\??\c:\2862086.exec:\2862086.exe29⤵
- Executes dropped EXE
PID:2224 -
\??\c:\rlrxfxl.exec:\rlrxfxl.exe30⤵
- Executes dropped EXE
PID:1980 -
\??\c:\frlffxf.exec:\frlffxf.exe31⤵
- Executes dropped EXE
PID:2332 -
\??\c:\868404.exec:\868404.exe32⤵
- Executes dropped EXE
PID:1192 -
\??\c:\48062.exec:\48062.exe33⤵
- Executes dropped EXE
PID:1748 -
\??\c:\7tbnnn.exec:\7tbnnn.exe34⤵
- Executes dropped EXE
PID:2364 -
\??\c:\ppvpp.exec:\ppvpp.exe35⤵
- Executes dropped EXE
PID:2956 -
\??\c:\hbtbnn.exec:\hbtbnn.exe36⤵
- Executes dropped EXE
PID:2288 -
\??\c:\w20246.exec:\w20246.exe37⤵
- Executes dropped EXE
PID:2776 -
\??\c:\4824246.exec:\4824246.exe38⤵
- Executes dropped EXE
PID:2940 -
\??\c:\hnhtbn.exec:\hnhtbn.exe39⤵
- Executes dropped EXE
PID:2756 -
\??\c:\608428.exec:\608428.exe40⤵
- Executes dropped EXE
PID:2400 -
\??\c:\llrxfrl.exec:\llrxfrl.exe41⤵
- Executes dropped EXE
PID:2908 -
\??\c:\xlxxfrf.exec:\xlxxfrf.exe42⤵
- Executes dropped EXE
PID:3056 -
\??\c:\hnhbnt.exec:\hnhbnt.exe43⤵
- Executes dropped EXE
PID:2632 -
\??\c:\vppvj.exec:\vppvj.exe44⤵
- Executes dropped EXE
PID:2648 -
\??\c:\2084286.exec:\2084286.exe45⤵
- Executes dropped EXE
PID:2460 -
\??\c:\2228402.exec:\2228402.exe46⤵
- Executes dropped EXE
PID:1036 -
\??\c:\vpjdj.exec:\vpjdj.exe47⤵
- Executes dropped EXE
PID:3016 -
\??\c:\jddjv.exec:\jddjv.exe48⤵
- Executes dropped EXE
PID:1416 -
\??\c:\08662.exec:\08662.exe49⤵
- Executes dropped EXE
PID:2972 -
\??\c:\088022.exec:\088022.exe50⤵
- Executes dropped EXE
PID:1480 -
\??\c:\60806.exec:\60806.exe51⤵
- Executes dropped EXE
PID:3040 -
\??\c:\04224.exec:\04224.exe52⤵
- Executes dropped EXE
PID:2984 -
\??\c:\1vddd.exec:\1vddd.exe53⤵
- Executes dropped EXE
PID:2692 -
\??\c:\vpjjv.exec:\vpjjv.exe54⤵
- Executes dropped EXE
PID:372 -
\??\c:\frfflfl.exec:\frfflfl.exe55⤵
- Executes dropped EXE
PID:860 -
\??\c:\4844462.exec:\4844462.exe56⤵
- Executes dropped EXE
PID:2072 -
\??\c:\w86688.exec:\w86688.exe57⤵
- Executes dropped EXE
PID:2268 -
\??\c:\xlrrrxl.exec:\xlrrrxl.exe58⤵
- Executes dropped EXE
PID:2444 -
\??\c:\1thntt.exec:\1thntt.exe59⤵
- Executes dropped EXE
PID:1908 -
\??\c:\o200228.exec:\o200228.exe60⤵
- Executes dropped EXE
PID:1100 -
\??\c:\1fflrxr.exec:\1fflrxr.exe61⤵
- Executes dropped EXE
PID:2044 -
\??\c:\0046446.exec:\0046446.exe62⤵
- Executes dropped EXE
PID:1320 -
\??\c:\480068.exec:\480068.exe63⤵
- Executes dropped EXE
PID:1544 -
\??\c:\dpjdj.exec:\dpjdj.exe64⤵
- Executes dropped EXE
PID:1684 -
\??\c:\rfrlllr.exec:\rfrlllr.exe65⤵
- Executes dropped EXE
PID:1016 -
\??\c:\ppjvj.exec:\ppjvj.exe66⤵PID:348
-
\??\c:\nbtntt.exec:\nbtntt.exe67⤵PID:2128
-
\??\c:\3btbnt.exec:\3btbnt.exe68⤵PID:2324
-
\??\c:\ffrflrf.exec:\ffrflrf.exe69⤵PID:1220
-
\??\c:\268422.exec:\268422.exe70⤵PID:2320
-
\??\c:\24226.exec:\24226.exe71⤵PID:772
-
\??\c:\vdvdj.exec:\vdvdj.exe72⤵PID:1020
-
\??\c:\i884620.exec:\i884620.exe73⤵PID:2432
-
\??\c:\7thtnt.exec:\7thtnt.exe74⤵PID:2184
-
\??\c:\26222.exec:\26222.exe75⤵PID:2260
-
\??\c:\q64462.exec:\q64462.exe76⤵PID:1516
-
\??\c:\jjvdp.exec:\jjvdp.exe77⤵PID:1992
-
\??\c:\q80628.exec:\q80628.exe78⤵PID:2816
-
\??\c:\864062.exec:\864062.exe79⤵PID:2772
-
\??\c:\vpdjv.exec:\vpdjv.exe80⤵PID:2288
-
\??\c:\ffxfffx.exec:\ffxfffx.exe81⤵PID:2840
-
\??\c:\nnhthh.exec:\nnhthh.exe82⤵PID:2792
-
\??\c:\thbbhh.exec:\thbbhh.exe83⤵PID:3044
-
\??\c:\8464406.exec:\8464406.exe84⤵PID:2400
-
\??\c:\nthbhb.exec:\nthbhb.exe85⤵PID:2676
-
\??\c:\266680.exec:\266680.exe86⤵PID:2644
-
\??\c:\pdppd.exec:\pdppd.exe87⤵PID:2660
-
\??\c:\82284.exec:\82284.exe88⤵PID:876
-
\??\c:\k80066.exec:\k80066.exe89⤵PID:1104
-
\??\c:\60280.exec:\60280.exe90⤵PID:2008
-
\??\c:\3bnhtt.exec:\3bnhtt.exe91⤵PID:3016
-
\??\c:\264462.exec:\264462.exe92⤵PID:2452
-
\??\c:\60840.exec:\60840.exe93⤵PID:2972
-
\??\c:\60420.exec:\60420.exe94⤵PID:3048
-
\??\c:\bnhhhn.exec:\bnhhhn.exe95⤵PID:2720
-
\??\c:\868240.exec:\868240.exe96⤵PID:1988
-
\??\c:\5dppv.exec:\5dppv.exe97⤵PID:1840
-
\??\c:\nhbtbt.exec:\nhbtbt.exe98⤵PID:372
-
\??\c:\i600286.exec:\i600286.exe99⤵PID:2472
-
\??\c:\8282044.exec:\8282044.exe100⤵PID:376
-
\??\c:\0406224.exec:\0406224.exe101⤵PID:2268
-
\??\c:\jdvvj.exec:\jdvvj.exe102⤵PID:1216
-
\??\c:\o606886.exec:\o606886.exe103⤵PID:2512
-
\??\c:\4606824.exec:\4606824.exe104⤵PID:696
-
\??\c:\48884.exec:\48884.exe105⤵PID:2044
-
\??\c:\9rffrrx.exec:\9rffrrx.exe106⤵PID:1320
-
\??\c:\8244448.exec:\8244448.exe107⤵PID:1544
-
\??\c:\264682.exec:\264682.exe108⤵PID:1684
-
\??\c:\a2446.exec:\a2446.exe109⤵PID:1384
-
\??\c:\82062.exec:\82062.exe110⤵PID:2528
-
\??\c:\jpdjp.exec:\jpdjp.exe111⤵PID:1940
-
\??\c:\628622.exec:\628622.exe112⤵PID:2012
-
\??\c:\s8668.exec:\s8668.exe113⤵PID:1424
-
\??\c:\jjdjp.exec:\jjdjp.exe114⤵PID:708
-
\??\c:\26828.exec:\26828.exe115⤵PID:572
-
\??\c:\hbthbh.exec:\hbthbh.exe116⤵PID:1616
-
\??\c:\8268064.exec:\8268064.exe117⤵PID:792
-
\??\c:\vpvdp.exec:\vpvdp.exe118⤵PID:2184
-
\??\c:\7hbhnt.exec:\7hbhnt.exe119⤵PID:1192
-
\??\c:\ntnnnh.exec:\ntnnnh.exe120⤵PID:396
-
\??\c:\nnnnbb.exec:\nnnnbb.exe121⤵PID:864
-
\??\c:\820684.exec:\820684.exe122⤵PID:2300