Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 15:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
28857db9ea15c7fa96e023a0735b15b8dcca8cb5b4219a6654ea32317cc9a75aN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
28857db9ea15c7fa96e023a0735b15b8dcca8cb5b4219a6654ea32317cc9a75aN.exe
-
Size
454KB
-
MD5
2b8ef14060fa6028f98ee553bf7f6270
-
SHA1
a45dcc008dc5467cb8f4f8e6690886dc9689e1a5
-
SHA256
28857db9ea15c7fa96e023a0735b15b8dcca8cb5b4219a6654ea32317cc9a75a
-
SHA512
25943d7430bd5ca39d8fe88b9d8ef97c9863b43bbb12022d000c3c96257a2648fc8d19cf8f6912a693a281a7496cd5b66e13689c0adc5ac0c3db6e358ffa8f1f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2528-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-67-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/496-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-300-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2852-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/824-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/620-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-678-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2060-699-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2060-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-652-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3056-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/628-271-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1384-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/728-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-123-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2608-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-954-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1384-1058-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2932-1162-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2532-1312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2524 5htbnt.exe 1660 rlxfrxf.exe 2252 1lxlrfl.exe 2200 042244.exe 2868 8206808.exe 2180 dvjjp.exe 2064 26082.exe 2784 0462008.exe 2608 7vjjp.exe 2228 g6068.exe 1996 02828.exe 1052 2084664.exe 536 42400.exe 2804 pdjvp.exe 2060 u860228.exe 2080 828402.exe 2044 80804.exe 3056 64262.exe 1212 1rfxxxf.exe 1516 66880.exe 800 xfxxffl.exe 1712 ddvdp.exe 1744 nhtbth.exe 1524 bntbnt.exe 1332 5bnttt.exe 728 hbnbhn.exe 496 3rflllr.exe 1384 dvjjv.exe 628 dpjvj.exe 1740 jvvpv.exe 2528 w48466.exe 1576 frrfrrf.exe 1600 jvdjj.exe 284 5rlrrxl.exe 2440 646246.exe 2472 c862484.exe 3016 u860662.exe 2896 pjjpd.exe 2744 k02844.exe 2852 ttbnnb.exe 2064 8206846.exe 2644 hbbhbb.exe 1044 jjppd.exe 824 pjvjp.exe 1608 rfrrxxr.exe 2960 7xrrffl.exe 2964 q20244.exe 2920 3pvvv.exe 2272 5xrxflr.exe 2688 6044886.exe 1300 btbhth.exe 620 vvvjv.exe 2044 nnnhht.exe 3056 w44022.exe 1856 lrxllxr.exe 888 dpddv.exe 688 pvdjp.exe 2928 jjdpv.exe 1680 48220.exe 280 ppjpj.exe 604 860806.exe 2152 btntbn.exe 1928 68662.exe 2292 86886.exe -
resource yara_rule behavioral1/memory/2528-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/496-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-447-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2176-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/728-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-999-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-1006-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1908-1019-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-1051-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-1065-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-1097-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/552-1146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-1154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2852-1153-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2932-1160-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1080-1205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-1212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-1292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-1305-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2532-1312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-1349-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o862266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2684602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbbbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c602442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2528 wrote to memory of 2524 2528 28857db9ea15c7fa96e023a0735b15b8dcca8cb5b4219a6654ea32317cc9a75aN.exe 31 PID 2528 wrote to memory of 2524 2528 28857db9ea15c7fa96e023a0735b15b8dcca8cb5b4219a6654ea32317cc9a75aN.exe 31 PID 2528 wrote to memory of 2524 2528 28857db9ea15c7fa96e023a0735b15b8dcca8cb5b4219a6654ea32317cc9a75aN.exe 31 PID 2528 wrote to memory of 2524 2528 28857db9ea15c7fa96e023a0735b15b8dcca8cb5b4219a6654ea32317cc9a75aN.exe 31 PID 2524 wrote to memory of 1660 2524 5htbnt.exe 105 PID 2524 wrote to memory of 1660 2524 5htbnt.exe 105 PID 2524 wrote to memory of 1660 2524 5htbnt.exe 105 PID 2524 wrote to memory of 1660 2524 5htbnt.exe 105 PID 1660 wrote to memory of 2252 1660 rlxfrxf.exe 33 PID 1660 wrote to memory of 2252 1660 rlxfrxf.exe 33 PID 1660 wrote to memory of 2252 1660 rlxfrxf.exe 33 PID 1660 wrote to memory of 2252 1660 rlxfrxf.exe 33 PID 2252 wrote to memory of 2200 2252 1lxlrfl.exe 107 PID 2252 wrote to memory of 2200 2252 1lxlrfl.exe 107 PID 2252 wrote to memory of 2200 2252 1lxlrfl.exe 107 PID 2252 wrote to memory of 2200 2252 1lxlrfl.exe 107 PID 2200 wrote to memory of 2868 2200 042244.exe 35 PID 2200 wrote to memory of 2868 2200 042244.exe 35 PID 2200 wrote to memory of 2868 2200 042244.exe 35 PID 2200 wrote to memory of 2868 2200 042244.exe 35 PID 2868 wrote to memory of 2180 2868 8206808.exe 36 PID 2868 wrote to memory of 2180 2868 8206808.exe 36 PID 2868 wrote to memory of 2180 2868 8206808.exe 36 PID 2868 wrote to memory of 2180 2868 8206808.exe 36 PID 2180 wrote to memory of 2064 2180 dvjjp.exe 37 PID 2180 wrote to memory of 2064 2180 dvjjp.exe 37 PID 2180 wrote to memory of 2064 2180 dvjjp.exe 37 PID 2180 wrote to memory of 2064 2180 dvjjp.exe 37 PID 2064 wrote to memory of 2784 2064 26082.exe 38 PID 2064 wrote to memory of 2784 2064 26082.exe 38 PID 2064 wrote to memory of 2784 2064 26082.exe 38 PID 2064 wrote to memory of 2784 2064 26082.exe 38 PID 2784 wrote to memory of 2608 2784 0462008.exe 
39 PID 2784 wrote to memory of 2608 2784 0462008.exe 39 PID 2784 wrote to memory of 2608 2784 0462008.exe 39 PID 2784 wrote to memory of 2608 2784 0462008.exe 39 PID 2608 wrote to memory of 2228 2608 7vjjp.exe 40 PID 2608 wrote to memory of 2228 2608 7vjjp.exe 40 PID 2608 wrote to memory of 2228 2608 7vjjp.exe 40 PID 2608 wrote to memory of 2228 2608 7vjjp.exe 40 PID 2228 wrote to memory of 1996 2228 g6068.exe 41 PID 2228 wrote to memory of 1996 2228 g6068.exe 41 PID 2228 wrote to memory of 1996 2228 g6068.exe 41 PID 2228 wrote to memory of 1996 2228 g6068.exe 41 PID 1996 wrote to memory of 1052 1996 02828.exe 42 PID 1996 wrote to memory of 1052 1996 02828.exe 42 PID 1996 wrote to memory of 1052 1996 02828.exe 42 PID 1996 wrote to memory of 1052 1996 02828.exe 42 PID 1052 wrote to memory of 536 1052 2084664.exe 43 PID 1052 wrote to memory of 536 1052 2084664.exe 43 PID 1052 wrote to memory of 536 1052 2084664.exe 43 PID 1052 wrote to memory of 536 1052 2084664.exe 43 PID 536 wrote to memory of 2804 536 42400.exe 44 PID 536 wrote to memory of 2804 536 42400.exe 44 PID 536 wrote to memory of 2804 536 42400.exe 44 PID 536 wrote to memory of 2804 536 42400.exe 44 PID 2804 wrote to memory of 2060 2804 pdjvp.exe 45 PID 2804 wrote to memory of 2060 2804 pdjvp.exe 45 PID 2804 wrote to memory of 2060 2804 pdjvp.exe 45 PID 2804 wrote to memory of 2060 2804 pdjvp.exe 45 PID 2060 wrote to memory of 2080 2060 u860228.exe 46 PID 2060 wrote to memory of 2080 2060 u860228.exe 46 PID 2060 wrote to memory of 2080 2060 u860228.exe 46 PID 2060 wrote to memory of 2080 2060 u860228.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\28857db9ea15c7fa96e023a0735b15b8dcca8cb5b4219a6654ea32317cc9a75aN.exe"C:\Users\Admin\AppData\Local\Temp\28857db9ea15c7fa96e023a0735b15b8dcca8cb5b4219a6654ea32317cc9a75aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\5htbnt.exec:\5htbnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\rlxfrxf.exec:\rlxfrxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\1lxlrfl.exec:\1lxlrfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\042244.exec:\042244.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\8206808.exec:\8206808.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\dvjjp.exec:\dvjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\26082.exec:\26082.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\0462008.exec:\0462008.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\7vjjp.exec:\7vjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\g6068.exec:\g6068.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\02828.exec:\02828.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\2084664.exec:\2084664.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\42400.exec:\42400.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\pdjvp.exec:\pdjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\u860228.exec:\u860228.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\828402.exec:\828402.exe17⤵
- Executes dropped EXE
PID:2080 -
\??\c:\80804.exec:\80804.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044 -
\??\c:\64262.exec:\64262.exe19⤵
- Executes dropped EXE
PID:3056 -
\??\c:\1rfxxxf.exec:\1rfxxxf.exe20⤵
- Executes dropped EXE
PID:1212 -
\??\c:\66880.exec:\66880.exe21⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xfxxffl.exec:\xfxxffl.exe22⤵
- Executes dropped EXE
PID:800 -
\??\c:\ddvdp.exec:\ddvdp.exe23⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nhtbth.exec:\nhtbth.exe24⤵
- Executes dropped EXE
PID:1744 -
\??\c:\bntbnt.exec:\bntbnt.exe25⤵
- Executes dropped EXE
PID:1524 -
\??\c:\5bnttt.exec:\5bnttt.exe26⤵
- Executes dropped EXE
PID:1332 -
\??\c:\hbnbhn.exec:\hbnbhn.exe27⤵
- Executes dropped EXE
PID:728 -
\??\c:\3rflllr.exec:\3rflllr.exe28⤵
- Executes dropped EXE
PID:496 -
\??\c:\dvjjv.exec:\dvjjv.exe29⤵
- Executes dropped EXE
PID:1384 -
\??\c:\dpjvj.exec:\dpjvj.exe30⤵
- Executes dropped EXE
PID:628 -
\??\c:\jvvpv.exec:\jvvpv.exe31⤵
- Executes dropped EXE
PID:1740 -
\??\c:\w48466.exec:\w48466.exe32⤵
- Executes dropped EXE
PID:2528 -
\??\c:\frrfrrf.exec:\frrfrrf.exe33⤵
- Executes dropped EXE
PID:1576 -
\??\c:\jvdjj.exec:\jvdjj.exe34⤵
- Executes dropped EXE
PID:1600 -
\??\c:\5rlrrxl.exec:\5rlrrxl.exe35⤵
- Executes dropped EXE
PID:284 -
\??\c:\646246.exec:\646246.exe36⤵
- Executes dropped EXE
PID:2440 -
\??\c:\c862484.exec:\c862484.exe37⤵
- Executes dropped EXE
PID:2472 -
\??\c:\u860662.exec:\u860662.exe38⤵
- Executes dropped EXE
PID:3016 -
\??\c:\pjjpd.exec:\pjjpd.exe39⤵
- Executes dropped EXE
PID:2896 -
\??\c:\k02844.exec:\k02844.exe40⤵
- Executes dropped EXE
PID:2744 -
\??\c:\ttbnnb.exec:\ttbnnb.exe41⤵
- Executes dropped EXE
PID:2852 -
\??\c:\8206846.exec:\8206846.exe42⤵
- Executes dropped EXE
PID:2064 -
\??\c:\hbbhbb.exec:\hbbhbb.exe43⤵
- Executes dropped EXE
PID:2644 -
\??\c:\jjppd.exec:\jjppd.exe44⤵
- Executes dropped EXE
PID:1044 -
\??\c:\pjvjp.exec:\pjvjp.exe45⤵
- Executes dropped EXE
PID:824 -
\??\c:\rfrrxxr.exec:\rfrrxxr.exe46⤵
- Executes dropped EXE
PID:1608 -
\??\c:\7xrrffl.exec:\7xrrffl.exe47⤵
- Executes dropped EXE
PID:2960 -
\??\c:\q20244.exec:\q20244.exe48⤵
- Executes dropped EXE
PID:2964 -
\??\c:\3pvvv.exec:\3pvvv.exe49⤵
- Executes dropped EXE
PID:2920 -
\??\c:\5xrxflr.exec:\5xrxflr.exe50⤵
- Executes dropped EXE
PID:2272 -
\??\c:\6044886.exec:\6044886.exe51⤵
- Executes dropped EXE
PID:2688 -
\??\c:\btbhth.exec:\btbhth.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1300 -
\??\c:\vvvjv.exec:\vvvjv.exe53⤵
- Executes dropped EXE
PID:620 -
\??\c:\nnnhht.exec:\nnnhht.exe54⤵
- Executes dropped EXE
PID:2044 -
\??\c:\w44022.exec:\w44022.exe55⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lrxllxr.exec:\lrxllxr.exe56⤵
- Executes dropped EXE
PID:1856 -
\??\c:\dpddv.exec:\dpddv.exe57⤵
- Executes dropped EXE
PID:888 -
\??\c:\pvdjp.exec:\pvdjp.exe58⤵
- Executes dropped EXE
PID:688 -
\??\c:\jjdpv.exec:\jjdpv.exe59⤵
- Executes dropped EXE
PID:2928 -
\??\c:\48220.exec:\48220.exe60⤵
- Executes dropped EXE
PID:1680 -
\??\c:\ppjpj.exec:\ppjpj.exe61⤵
- Executes dropped EXE
PID:280 -
\??\c:\860806.exec:\860806.exe62⤵
- Executes dropped EXE
PID:604 -
\??\c:\btntbn.exec:\btntbn.exe63⤵
- Executes dropped EXE
PID:2152 -
\??\c:\68662.exec:\68662.exe64⤵
- Executes dropped EXE
PID:1928 -
\??\c:\86886.exec:\86886.exe65⤵
- Executes dropped EXE
PID:2292 -
\??\c:\8228646.exec:\8228646.exe66⤵PID:2176
-
\??\c:\8240644.exec:\8240644.exe67⤵PID:2596
-
\??\c:\6800262.exec:\6800262.exe68⤵PID:1384
-
\??\c:\20888.exec:\20888.exe69⤵PID:628
-
\??\c:\nhtbhb.exec:\nhtbhb.exe70⤵PID:2992
-
\??\c:\rfrlrlr.exec:\rfrlrlr.exe71⤵PID:2456
-
\??\c:\jdpjp.exec:\jdpjp.exe72⤵PID:2528
-
\??\c:\1pppv.exec:\1pppv.exe73⤵
- System Location Discovery: System Language Discovery
PID:2396 -
\??\c:\rrflxxr.exec:\rrflxxr.exe74⤵PID:884
-
\??\c:\jdpjp.exec:\jdpjp.exe75⤵PID:2100
-
\??\c:\2680426.exec:\2680426.exe76⤵PID:1660
-
\??\c:\4262426.exec:\4262426.exe77⤵PID:2452
-
\??\c:\9htbhn.exec:\9htbhn.exe78⤵PID:2200
-
\??\c:\xxlrxrx.exec:\xxlrxrx.exe79⤵PID:2816
-
\??\c:\6800228.exec:\6800228.exe80⤵PID:876
-
\??\c:\1bttbb.exec:\1bttbb.exe81⤵PID:2892
-
\??\c:\0806224.exec:\0806224.exe82⤵PID:1532
-
\??\c:\04662.exec:\04662.exe83⤵PID:2724
-
\??\c:\fxfxllx.exec:\fxfxllx.exe84⤵PID:2632
-
\??\c:\0862828.exec:\0862828.exe85⤵PID:2084
-
\??\c:\m0460.exec:\m0460.exe86⤵PID:2932
-
\??\c:\nhbbhh.exec:\nhbbhh.exe87⤵PID:1620
-
\??\c:\868848.exec:\868848.exe88⤵PID:2908
-
\??\c:\k26288.exec:\k26288.exe89⤵PID:1960
-
\??\c:\w24482.exec:\w24482.exe90⤵PID:1700
-
\??\c:\9lrrrxx.exec:\9lrrrxx.exe91⤵PID:2564
-
\??\c:\8268408.exec:\8268408.exe92⤵PID:764
-
\??\c:\60842.exec:\60842.exe93⤵PID:2060
-
\??\c:\3rfxrrx.exec:\3rfxrrx.exe94⤵PID:2260
-
\??\c:\8086880.exec:\8086880.exe95⤵PID:2788
-
\??\c:\4828680.exec:\4828680.exe96⤵PID:2212
-
\??\c:\s6220.exec:\s6220.exe97⤵PID:2204
-
\??\c:\426088.exec:\426088.exe98⤵PID:2840
-
\??\c:\0462444.exec:\0462444.exe99⤵PID:2348
-
\??\c:\hbhhhn.exec:\hbhhhn.exe100⤵PID:348
-
\??\c:\q26222.exec:\q26222.exe101⤵PID:896
-
\??\c:\84444.exec:\84444.exe102⤵PID:1712
-
\??\c:\nnbhnn.exec:\nnbhnn.exe103⤵PID:2356
-
\??\c:\hbnbbt.exec:\hbnbbt.exe104⤵PID:564
-
\??\c:\q24460.exec:\q24460.exe105⤵PID:1632
-
\??\c:\08462.exec:\08462.exe106⤵PID:2588
-
\??\c:\u200008.exec:\u200008.exe107⤵PID:2116
-
\??\c:\04228.exec:\04228.exe108⤵PID:2188
-
\??\c:\nbbbhb.exec:\nbbbhb.exe109⤵PID:1408
-
\??\c:\tnbtbb.exec:\tnbtbb.exe110⤵PID:2596
-
\??\c:\1ddjp.exec:\1ddjp.exe111⤵PID:1384
-
\??\c:\86840.exec:\86840.exe112⤵PID:628
-
\??\c:\042426.exec:\042426.exe113⤵PID:1572
-
\??\c:\2684602.exec:\2684602.exe114⤵
- System Location Discovery: System Language Discovery
PID:2456 -
\??\c:\i862484.exec:\i862484.exe115⤵PID:2528
-
\??\c:\4424682.exec:\4424682.exe116⤵PID:2796
-
\??\c:\btthhh.exec:\btthhh.exe117⤵PID:1500
-
\??\c:\864202.exec:\864202.exe118⤵PID:2760
-
\??\c:\864460.exec:\864460.exe119⤵PID:2888
-
\??\c:\48046.exec:\48046.exe120⤵PID:2768
-
\??\c:\26484.exec:\26484.exe121⤵PID:2868
-
\??\c:\64006.exec:\64006.exe122⤵PID:3004
-