Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2024 14:46

Static task: static1 (1 signatures)

Behavioral task: behavioral1
- Sample: dc8c2bd57155afdd56d847c9369b6d7cf84c2b7ac6de51d03cac80241ac55ee4.exe
- Resource: win7-20241010-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: dc8c2bd57155afdd56d847c9369b6d7cf84c2b7ac6de51d03cac80241ac55ee4.exe
- Size: 454KB
- MD5: 628693ccd4c90ece9270f66e27bd2a9c
- SHA1: e483ef841425e9ff206e6b053c17c2898410da04
- SHA256: dc8c2bd57155afdd56d847c9369b6d7cf84c2b7ac6de51d03cac80241ac55ee4
- SHA512: eb1265ecc8d4935f45eaa3bba9ee91796360a6f5266b55fb5aaa5b99f3a5c3bf0ef47d54601a9b73ffb0deaace1ea121671caa9790163c8852b7b533be3e6335
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config

Signatures

Blackmoon family

Detect Blackmoon payload (45 IoCs)
resource  yara_rule
behavioral1/memory/2372-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2820-17-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2772-29-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2444-39-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2608-47-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2784-65-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1428-82-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3036-174-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2156-190-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1412-208-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/924-241-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/316-259-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3016-288-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2692-281-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1760-199-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1584-165-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2248-147-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1748-130-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2740-26-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2652-341-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
behavioral1/memory/2652-340-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/528-354-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2652-368-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
behavioral1/memory/1872-388-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2864-395-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2492-466-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1460-473-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1036-495-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1976-554-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1976-553-0x0000000000250000-0x000000000027A000-memory.dmp  family_blackmoon
behavioral1/memory/2644-569-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2392-594-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2452-606-0x0000000001C80000-0x0000000001CAA000-memory.dmp  family_blackmoon
behavioral1/memory/2560-648-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2856-660-0x00000000003B0000-0x00000000003DA000-memory.dmp  family_blackmoon
behavioral1/memory/2856-663-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1476-811-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/1876-818-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1876-824-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1876-823-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2580-875-0x00000000003B0000-0x00000000003DA000-memory.dmp  family_blackmoon
behavioral1/memory/2920-883-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1788-1029-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
behavioral1/memory/2852-1043-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1788-1051-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
Executes dropped EXE (64 IoCs)
pid  Process
2820  fxxrfxl.exe
2740  7lfxflx.exe
2772  9bntnh.exe
2444  httthn.exe
2608  3nhnht.exe
1128  048084.exe
2784  0442064.exe
536  80648.exe
1428  666400.exe
2196  pvvpd.exe
1692  bbtbnn.exe
1868  2080224.exe
1764  4464284.exe
2944  442024.exe
1748  48008.exe
576  20802.exe
2248  vdvpd.exe
1752  ddvjp.exe
1584  8828002.exe
3036  82248.exe
2112  7btbnt.exe
2156  fxfffxx.exe
1760  1bhbbt.exe
1412  lxlrffl.exe
2288  3dvpd.exe
1524  06064.exe
3056  e20462.exe
924  thntnn.exe
2060  xrflrxf.exe
316  k08622.exe
848  w04080.exe
900  602406.exe
2692  9pvjj.exe
3016  o640622.exe
2816  5fxxllx.exe
2888  5thhhn.exe
2900  822002.exe
2748  bbbhht.exe
2620  880684.exe
2728  ttntnn.exe
2652  48680.exe
2276  lrrfxrl.exe
528  nhhbnt.exe
584  882820.exe
2144  22060.exe
1624  lflrxff.exe
2964  xxxlfll.exe
1872  6626680.exe
2864  244226.exe
1932  g6064.exe
1972  ttthbb.exe
1704  02642.exe
1516  9hhnbh.exe
1564  0428620.exe
2980  lfrxffl.exe
1844  48280.exe
2588  fxxxlfx.exe
2220  rfrrxxl.exe
2500  s8220.exe
2492  6408446.exe
1460  0822880.exe
956  jvjdj.exe
1088  228844.exe
1036  826862.exe
resource  yara_rule
behavioral1/memory/2372-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2740-18-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2820-17-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2772-29-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2444-39-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2608-47-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2784-65-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1428-82-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3036-174-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2156-190-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1412-208-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/924-241-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/316-259-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3016-288-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2692-281-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1760-199-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1584-165-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2248-147-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1748-130-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2740-26-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2728-326-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2652-340-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/528-354-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1624-369-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1872-388-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1932-396-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2864-395-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2492-458-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2492-466-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1460-473-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1036-488-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1036-495-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1976-554-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2644-569-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2392-594-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2684-621-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2376-635-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2560-648-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2856-660-0x00000000003B0000-0x00000000003DA000-memory.dmp  upx
behavioral1/memory/2856-663-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2240-715-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2480-735-0x0000000000350000-0x000000000037A000-memory.dmp  upx
behavioral1/memory/1876-818-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2608-857-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2920-883-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2992-890-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1648-915-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2932-934-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2424-973-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2288-1010-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2852-1036-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1004-1044-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2840-1139-0x0000000000400000-0x000000000042A000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jpdpp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  u840802.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6080684.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  62222.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lrffffl.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ppdjd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vjjjj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  086806.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pppdv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  k26800.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  q64688.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  202402.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dvpvj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2260280.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bbhnht.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1nnnnt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpddd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jjppd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7vpdp.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target
PID 2372 wrote to memory of 2820  2372  dc8c2bd57155afdd56d847c9369b6d7cf84c2b7ac6de51d03cac80241ac55ee4.exe  30
PID 2372 wrote to memory of 2820  2372  dc8c2bd57155afdd56d847c9369b6d7cf84c2b7ac6de51d03cac80241ac55ee4.exe  30
PID 2372 wrote to memory of 2820  2372  dc8c2bd57155afdd56d847c9369b6d7cf84c2b7ac6de51d03cac80241ac55ee4.exe  30
PID 2372 wrote to memory of 2820  2372  dc8c2bd57155afdd56d847c9369b6d7cf84c2b7ac6de51d03cac80241ac55ee4.exe  30
PID 2820 wrote to memory of 2740  2820  fxxrfxl.exe  31
PID 2820 wrote to memory of 2740  2820  fxxrfxl.exe  31
PID 2820 wrote to memory of 2740  2820  fxxrfxl.exe  31
PID 2820 wrote to memory of 2740  2820  fxxrfxl.exe  31
PID 2740 wrote to memory of 2772  2740  7lfxflx.exe  32
PID 2740 wrote to memory of 2772  2740  7lfxflx.exe  32
PID 2740 wrote to memory of 2772  2740  7lfxflx.exe  32
PID 2740 wrote to memory of 2772  2740  7lfxflx.exe  32
PID 2772 wrote to memory of 2444  2772  9bntnh.exe  33
PID 2772 wrote to memory of 2444  2772  9bntnh.exe  33
PID 2772 wrote to memory of 2444  2772  9bntnh.exe  33
PID 2772 wrote to memory of 2444  2772  9bntnh.exe  33
PID 2444 wrote to memory of 2608  2444  httthn.exe  34
PID 2444 wrote to memory of 2608  2444  httthn.exe  34
PID 2444 wrote to memory of 2608  2444  httthn.exe  34
PID 2444 wrote to memory of 2608  2444  httthn.exe  34
PID 2608 wrote to memory of 1128  2608  3nhnht.exe  35
PID 2608 wrote to memory of 1128  2608  3nhnht.exe  35
PID 2608 wrote to memory of 1128  2608  3nhnht.exe  35
PID 2608 wrote to memory of 1128  2608  3nhnht.exe  35
PID 1128 wrote to memory of 2784  1128  048084.exe  36
PID 1128 wrote to memory of 2784  1128  048084.exe  36
PID 1128 wrote to memory of 2784  1128  048084.exe  36
PID 1128 wrote to memory of 2784  1128  048084.exe  36
PID 2784 wrote to memory of 536  2784  0442064.exe  37
PID 2784 wrote to memory of 536  2784  0442064.exe  37
PID 2784 wrote to memory of 536  2784  0442064.exe  37
PID 2784 wrote to memory of 536  2784  0442064.exe  37
PID 536 wrote to memory of 1428  536  80648.exe  38
PID 536 wrote to memory of 1428  536  80648.exe  38
PID 536 wrote to memory of 1428  536  80648.exe  38
PID 536 wrote to memory of 1428  536  80648.exe  38
PID 1428 wrote to memory of 2196  1428  666400.exe  39
PID 1428 wrote to memory of 2196  1428  666400.exe  39
PID 1428 wrote to memory of 2196  1428  666400.exe  39
PID 1428 wrote to memory of 2196  1428  666400.exe  39
PID 2196 wrote to memory of 1692  2196  pvvpd.exe  40
PID 2196 wrote to memory of 1692  2196  pvvpd.exe  40
PID 2196 wrote to memory of 1692  2196  pvvpd.exe  40
PID 2196 wrote to memory of 1692  2196  pvvpd.exe  40
PID 1692 wrote to memory of 1868  1692  bbtbnn.exe  41
PID 1692 wrote to memory of 1868  1692  bbtbnn.exe  41
PID 1692 wrote to memory of 1868  1692  bbtbnn.exe  41
PID 1692 wrote to memory of 1868  1692  bbtbnn.exe  41
PID 1868 wrote to memory of 1764  1868  2080224.exe  42
PID 1868 wrote to memory of 1764  1868  2080224.exe  42
PID 1868 wrote to memory of 1764  1868  2080224.exe  42
PID 1868 wrote to memory of 1764  1868  2080224.exe  42
PID 1764 wrote to memory of 2944  1764  4464284.exe  43
PID 1764 wrote to memory of 2944  1764  4464284.exe  43
PID 1764 wrote to memory of 2944  1764  4464284.exe  43
PID 1764 wrote to memory of 2944  1764  4464284.exe  43
PID 2944 wrote to memory of 1748  2944  442024.exe  44
PID 2944 wrote to memory of 1748  2944  442024.exe  44
PID 2944 wrote to memory of 1748  2944  442024.exe  44
PID 2944 wrote to memory of 1748  2944  442024.exe  44
PID 1748 wrote to memory of 576  1748  48008.exe  45
PID 1748 wrote to memory of 576  1748  48008.exe  45
PID 1748 wrote to memory of 576  1748  48008.exe  45
PID 1748 wrote to memory of 576  1748  48008.exe  45
Processes
(Each entry gives the image path, the command line, and the nesting level in the process tree, followed by the signatures that fired for it and its PID.)

C:\Users\Admin\AppData\Local\Temp\dc8c2bd57155afdd56d847c9369b6d7cf84c2b7ac6de51d03cac80241ac55ee4.exe  "C:\Users\Admin\AppData\Local\Temp\dc8c2bd57155afdd56d847c9369b6d7cf84c2b7ac6de51d03cac80241ac55ee4.exe"  (level 1)
- Suspicious use of WriteProcessMemory
- PID: 2372

\??\c:\fxxrfxl.exe  c:\fxxrfxl.exe  (level 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2820

\??\c:\7lfxflx.exe  c:\7lfxflx.exe  (level 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2740

\??\c:\9bntnh.exe  c:\9bntnh.exe  (level 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2772

\??\c:\httthn.exe  c:\httthn.exe  (level 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2444

\??\c:\3nhnht.exe  c:\3nhnht.exe  (level 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2608

\??\c:\048084.exe  c:\048084.exe  (level 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1128

\??\c:\0442064.exe  c:\0442064.exe  (level 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2784

\??\c:\80648.exe  c:\80648.exe  (level 9)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 536

\??\c:\666400.exe  c:\666400.exe  (level 10)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1428

\??\c:\pvvpd.exe  c:\pvvpd.exe  (level 11)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2196

\??\c:\bbtbnn.exe  c:\bbtbnn.exe  (level 12)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1692

\??\c:\2080224.exe  c:\2080224.exe  (level 13)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1868

\??\c:\4464284.exe  c:\4464284.exe  (level 14)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1764

\??\c:\442024.exe  c:\442024.exe  (level 15)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2944

\??\c:\48008.exe  c:\48008.exe  (level 16)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1748

\??\c:\20802.exe  c:\20802.exe  (level 17)
- Executes dropped EXE
- PID: 576

\??\c:\vdvpd.exe  c:\vdvpd.exe  (level 18)
- Executes dropped EXE
- PID: 2248

\??\c:\ddvjp.exe  c:\ddvjp.exe  (level 19)
- Executes dropped EXE
- PID: 1752

\??\c:\8828002.exe  c:\8828002.exe  (level 20)
- Executes dropped EXE
- PID: 1584

\??\c:\82248.exe  c:\82248.exe  (level 21)
- Executes dropped EXE
- PID: 3036

\??\c:\7btbnt.exe  c:\7btbnt.exe  (level 22)
- Executes dropped EXE
- PID: 2112

\??\c:\fxfffxx.exe  c:\fxfffxx.exe  (level 23)
- Executes dropped EXE
- PID: 2156

\??\c:\1bhbbt.exe  c:\1bhbbt.exe  (level 24)
- Executes dropped EXE
- PID: 1760

\??\c:\lxlrffl.exe  c:\lxlrffl.exe  (level 25)
- Executes dropped EXE
- PID: 1412

\??\c:\3dvpd.exe  c:\3dvpd.exe  (level 26)
- Executes dropped EXE
- PID: 2288

\??\c:\06064.exe  c:\06064.exe  (level 27)
- Executes dropped EXE
- PID: 1524

\??\c:\e20462.exe  c:\e20462.exe  (level 28)
- Executes dropped EXE
- PID: 3056

\??\c:\thntnn.exe  c:\thntnn.exe  (level 29)
- Executes dropped EXE
- PID: 924

\??\c:\xrflrxf.exe  c:\xrflrxf.exe  (level 30)
- Executes dropped EXE
- PID: 2060

\??\c:\k08622.exe  c:\k08622.exe  (level 31)
- Executes dropped EXE
- PID: 316

\??\c:\w04080.exe  c:\w04080.exe  (level 32)
- Executes dropped EXE
- PID: 848

\??\c:\602406.exe  c:\602406.exe  (level 33)
- Executes dropped EXE
- PID: 900

\??\c:\9pvjj.exe  c:\9pvjj.exe  (level 34)
- Executes dropped EXE
- PID: 2692

\??\c:\o640622.exe  c:\o640622.exe  (level 35)
- Executes dropped EXE
- PID: 3016

\??\c:\5fxxllx.exe  c:\5fxxllx.exe  (level 36)
- Executes dropped EXE
- PID: 2816

\??\c:\5thhhn.exe  c:\5thhhn.exe  (level 37)
- Executes dropped EXE
- PID: 2888

\??\c:\822002.exe  c:\822002.exe  (level 38)
- Executes dropped EXE
- PID: 2900

\??\c:\bbbhht.exe  c:\bbbhht.exe  (level 39)
- Executes dropped EXE
- PID: 2748

\??\c:\880684.exe  c:\880684.exe  (level 40)
- Executes dropped EXE
- PID: 2620

\??\c:\ttntnn.exe  c:\ttntnn.exe  (level 41)
- Executes dropped EXE
- PID: 2728

\??\c:\48680.exe  c:\48680.exe  (level 42)
- Executes dropped EXE
- PID: 2652

\??\c:\lrrfxrl.exe  c:\lrrfxrl.exe  (level 43)
- Executes dropped EXE
- PID: 2276

\??\c:\nhhbnt.exe  c:\nhhbnt.exe  (level 44)
- Executes dropped EXE
- PID: 528

\??\c:\882820.exe  c:\882820.exe  (level 45)
- Executes dropped EXE
- PID: 584

\??\c:\22060.exe  c:\22060.exe  (level 46)
- Executes dropped EXE
- PID: 2144

\??\c:\lflrxff.exe  c:\lflrxff.exe  (level 47)
- Executes dropped EXE
- PID: 1624

\??\c:\xxxlfll.exe  c:\xxxlfll.exe  (level 48)
- Executes dropped EXE
- PID: 2964

\??\c:\6626680.exe  c:\6626680.exe  (level 49)
- Executes dropped EXE
- PID: 1872

\??\c:\244226.exe  c:\244226.exe  (level 50)
- Executes dropped EXE
- PID: 2864

\??\c:\g6064.exe  c:\g6064.exe  (level 51)
- Executes dropped EXE
- PID: 1932

\??\c:\ttthbb.exe  c:\ttthbb.exe  (level 52)
- Executes dropped EXE
- PID: 1972

\??\c:\02642.exe  c:\02642.exe  (level 53)
- Executes dropped EXE
- PID: 1704

\??\c:\9hhnbh.exe  c:\9hhnbh.exe  (level 54)
- Executes dropped EXE
- PID: 1516

\??\c:\0428620.exe  c:\0428620.exe  (level 55)
- Executes dropped EXE
- PID: 1564

\??\c:\lfrxffl.exe  c:\lfrxffl.exe  (level 56)
- Executes dropped EXE
- PID: 2980

\??\c:\48280.exe  c:\48280.exe  (level 57)
- Executes dropped EXE
- PID: 1844

\??\c:\fxxxlfx.exe  c:\fxxxlfx.exe  (level 58)
- Executes dropped EXE
- PID: 2588

\??\c:\rfrrxxl.exe  c:\rfrrxxl.exe  (level 59)
- Executes dropped EXE
- PID: 2220

\??\c:\s8220.exe  c:\s8220.exe  (level 60)
- Executes dropped EXE
- PID: 2500

\??\c:\6408446.exe  c:\6408446.exe  (level 61)
- Executes dropped EXE
- PID: 2492

\??\c:\0822880.exe  c:\0822880.exe  (level 62)
- Executes dropped EXE
- PID: 1460

\??\c:\jvjdj.exe  c:\jvjdj.exe  (level 63)
- Executes dropped EXE
- PID: 956

\??\c:\228844.exe  c:\228844.exe  (level 64)
- Executes dropped EXE
- PID: 1088

\??\c:\826862.exe  c:\826862.exe  (level 65)
- Executes dropped EXE
- PID: 1036

\??\c:\vvjjp.exe  c:\vvjjp.exe  (level 66)
- PID: 1892

\??\c:\pjvdj.exe  c:\pjvdj.exe  (level 67)
- PID: 1004

\??\c:\20880.exe  c:\20880.exe  (level 68)
- PID: 1672

\??\c:\pvpjp.exe  c:\pvpjp.exe  (level 69)
- PID: 236

\??\c:\226864.exe  c:\226864.exe  (level 70)
- PID: 2352

\??\c:\rlxxflx.exe  c:\rlxxflx.exe  (level 71)
- PID: 288

\??\c:\jvjjv.exe  c:\jvjjv.exe  (level 72)
- PID: 2396

\??\c:\pvvpj.exe  c:\pvvpj.exe  (level 73)
- PID: 2832

\??\c:\ffrxlrf.exe  c:\ffrxlrf.exe  (level 74)
- PID: 1976

\??\c:\1thnnn.exe  c:\1thnnn.exe  (level 75)
- PID: 836

\??\c:\04886.exe  c:\04886.exe  (level 76)
- PID: 2148

\??\c:\02406.exe  c:\02406.exe  (level 77)
- PID: 2644

\??\c:\ddvvv.exe  c:\ddvvv.exe  (level 78)
- PID: 2632

\??\c:\262022.exe  c:\262022.exe  (level 79)
- PID: 2776

\??\c:\1nnnnt.exe  c:\1nnnnt.exe  (level 80)
- System Location Discovery: System Language Discovery
- PID: 2080

\??\c:\28620.exe  c:\28620.exe  (level 81)
- PID: 2392

\??\c:\llxfrxf.exe  c:\llxfrxf.exe  (level 82)
- PID: 2452

\??\c:\406064.exe  c:\406064.exe  (level 83)
- PID: 2780

\??\c:\jjppd.exe  c:\jjppd.exe  (level 84)
- System Location Discovery: System Language Discovery
- PID: 2992

\??\c:\086628.exe  c:\086628.exe  (level 85)
- PID: 2684

\??\c:\82660.exe  c:\82660.exe  (level 86)
- PID: 2672

\??\c:\ntnhtb.exe  c:\ntnhtb.exe  (level 87)
- PID: 2376

\??\c:\ppvvd.exe  c:\ppvvd.exe  (level 88)
- PID: 660

\??\c:\q48024.exe  c:\q48024.exe  (level 89)
- PID: 2560

\??\c:\dvjjp.exe  c:\dvjjp.exe  (level 90)
- PID: 2856

\??\c:\tnthbh.exe  c:\tnthbh.exe  (level 91)
- PID: 2932

\??\c:\604646.exe  c:\604646.exe  (level 92)
- PID: 352

\??\c:\jdvdj.exe  c:\jdvdj.exe  (level 93)
- PID: 2160

\??\c:\5btbhn.exe  c:\5btbhn.exe  (level 94)
- PID: 2088

\??\c:\vpppj.exe  c:\vpppj.exe  (level 95)
- PID: 1920

\??\c:\68028.exe  c:\68028.exe  (level 96)
- PID: 2348

\??\c:\040824.exe  c:\040824.exe  (level 97)
- PID: 768

\??\c:\nbnhhb.exe  c:\nbnhhb.exe  (level 98)
- PID: 3032

\??\c:\pvdjj.exe  c:\pvdjj.exe  (level 99)
- PID: 2240

\??\c:\6246688.exe  c:\6246688.exe  (level 100)
- PID: 896

\??\c:\8284282.exe  c:\8284282.exe  (level 101)
- PID: 2480

\??\c:\bhnthn.exe  c:\bhnthn.exe  (level 102)
- PID: 1600

\??\c:\g8662.exe  c:\g8662.exe  (level 103)
- PID: 2176

\??\c:\u264002.exe  c:\u264002.exe  (level 104)
- PID: 1788

\??\c:\lxllxrf.exe  c:\lxllxrf.exe  (level 105)
- PID: 1632

\??\c:\s6626.exe  c:\s6626.exe  (level 106)
- PID: 1628

\??\c:\djjpj.exe  c:\djjpj.exe  (level 107)
- PID: 620

\??\c:\nhtntn.exe  c:\nhtntn.exe  (level 108)
- PID: 2464

\??\c:\vpdpd.exe  c:\vpdpd.exe  (level 109)
- PID: 2544

\??\c:\xfrlxxl.exe  c:\xfrlxxl.exe  (level 110)
- PID: 1672

\??\c:\bhtbht.exe  c:\bhtbht.exe  (level 111)
- PID: 2036

\??\c:\226802.exe  c:\226802.exe  (level 112)
- PID: 3048

\??\c:\7lfxxxf.exe  c:\7lfxxxf.exe  (level 113)
- PID: 1476

\??\c:\lfffflx.exe  c:\lfffflx.exe  (level 114)
- PID: 1636

\??\c:\nnhttb.exe  c:\nnhttb.exe  (level 115)
- PID: 1876

\??\c:\2842866.exe  c:\2842866.exe  (level 116)
- PID: 2744

\??\c:\9hbhnt.exe  c:\9hbhnt.exe  (level 117)
- PID: 2616

\??\c:\bbhnht.exe  c:\bbhnht.exe  (level 118)
- System Location Discovery: System Language Discovery
- PID: 876

\??\c:\xfxfxff.exe  c:\xfxfxff.exe  (level 119)
- PID: 2444

\??\c:\vppvd.exe  c:\vppvd.exe  (level 120)
- PID: 2656

\??\c:\646060.exe  c:\646060.exe  (level 121)
- PID: 2608

\??\c:\4862602.exe  c:\4862602.exe  (level 122)
- PID: 2604