Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 17:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe
-
Size
453KB
-
MD5
7098dbe2ef6c59ef2a0c1b1becb1f380
-
SHA1
d5be4270426b90cafb62356f87bddcd2e01567f5
-
SHA256
7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7d
-
SHA512
f18bc72b77035f89640fd6864274e71b920f2e36d6a53f42d80968a22358c02b5266f4735205512a54214bc5b39efcffb34377b120a2b397f9fbe325bd94b73e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 60 IoCs
resource yara_rule behavioral1/memory/1796-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/920-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-131-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/3024-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-230-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2652-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-249-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1868-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-283-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1616-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-367-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3052-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-409-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2284-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-416-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/632-436-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/564-443-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1696-450-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2584-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-522-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1704-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2880-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-701-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1476-708-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/356-722-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2608-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-804-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/864-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-959-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2484-967-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-982-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/880-1011-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/276-1043-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/828-1094-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/740-1132-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2148-1149-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2428-1177-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1976-1183-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1964 nhttbb.exe 1988 202282.exe 1256 602248.exe 2352 a6406.exe 2448 4206802.exe 2880 vdppd.exe 2800 686248.exe 2956 dpdjd.exe 3032 860068.exe 2724 0840224.exe 2720 s6466.exe 2980 q20406.exe 920 646004.exe 3024 24002.exe 2736 lxrlrrx.exe 580 dpjjp.exe 1300 26442.exe 2528 fffxlxf.exe 2608 8688440.exe 1992 9vjjv.exe 1560 642622.exe 2556 3bnbtt.exe 1100 xlxxxxf.exe 1700 40626.exe 2652 642282.exe 1524 82440.exe 2912 24222.exe 1052 22846.exe 1244 42046.exe 296 046240.exe 1868 868404.exe 1740 frllfxx.exe 2128 bntbbh.exe 1240 7flrrrx.exe 2072 dvjjp.exe 2428 68006.exe 2356 264482.exe 1616 7jpjj.exe 1952 a0846.exe 2184 e28806.exe 2448 m4206.exe 2824 jjvdj.exe 2880 28628.exe 2152 802620.exe 3052 7htnnt.exe 2936 u428062.exe 2680 frxxfxf.exe 2424 024466.exe 2284 bhnhhb.exe 632 8026228.exe 920 82024.exe 2860 nnhbhn.exe 1268 08666.exe 564 4806600.exe 1696 442240.exe 1928 226806.exe 2772 426280.exe 2512 08044.exe 2584 608028.exe 2576 0422824.exe 1496 60224.exe 1412 9nbbbt.exe 2536 0806880.exe 2320 hhbhnb.exe -
resource yara_rule behavioral1/memory/1796-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-131-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/3024-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-281-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2128-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-854-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/864-879-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2672-959-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2696-960-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-967-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-982-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/880-1011-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2544-1018-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-1057-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-1158-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i420242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u220284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6462262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2602280.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0800040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8240606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1796 wrote to memory of 1964 1796 7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe 30 PID 1796 wrote to memory of 1964 1796 7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe 30 PID 1796 wrote to memory of 1964 1796 7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe 30 PID 1796 wrote to memory of 1964 1796 7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe 30 PID 1964 wrote to memory of 1988 1964 nhttbb.exe 31 PID 1964 wrote to memory of 1988 1964 nhttbb.exe 31 PID 1964 wrote to memory of 1988 1964 nhttbb.exe 31 PID 1964 wrote to memory of 1988 1964 nhttbb.exe 31 PID 1988 wrote to memory of 1256 1988 202282.exe 32 PID 1988 wrote to memory of 1256 1988 202282.exe 32 PID 1988 wrote to memory of 1256 1988 202282.exe 32 PID 1988 wrote to memory of 1256 1988 202282.exe 32 PID 1256 wrote to memory of 2352 1256 602248.exe 33 PID 1256 wrote to memory of 2352 1256 602248.exe 33 PID 1256 wrote to memory of 2352 1256 602248.exe 33 PID 1256 wrote to memory of 2352 1256 602248.exe 33 PID 2352 wrote to memory of 2448 2352 a6406.exe 34 PID 2352 wrote to memory of 2448 2352 a6406.exe 34 PID 2352 wrote to memory of 2448 2352 a6406.exe 34 PID 2352 wrote to memory of 2448 2352 a6406.exe 34 PID 2448 wrote to memory of 2880 2448 4206802.exe 35 PID 2448 wrote to memory of 2880 2448 4206802.exe 35 PID 2448 wrote to memory of 2880 2448 4206802.exe 35 PID 2448 wrote to memory of 2880 2448 4206802.exe 35 PID 2880 wrote to memory of 2800 2880 vdppd.exe 36 PID 2880 wrote to memory of 2800 2880 vdppd.exe 36 PID 2880 wrote to memory of 2800 2880 vdppd.exe 36 PID 2880 wrote to memory of 2800 2880 vdppd.exe 36 PID 2800 wrote to memory of 2956 2800 686248.exe 37 PID 2800 wrote to memory of 2956 2800 686248.exe 37 PID 2800 wrote to memory of 2956 2800 686248.exe 37 PID 2800 wrote to memory of 2956 2800 686248.exe 37 PID 2956 wrote to memory of 3032 2956 dpdjd.exe 38 PID 2956 wrote 
to memory of 3032 2956 dpdjd.exe 38 PID 2956 wrote to memory of 3032 2956 dpdjd.exe 38 PID 2956 wrote to memory of 3032 2956 dpdjd.exe 38 PID 3032 wrote to memory of 2724 3032 860068.exe 39 PID 3032 wrote to memory of 2724 3032 860068.exe 39 PID 3032 wrote to memory of 2724 3032 860068.exe 39 PID 3032 wrote to memory of 2724 3032 860068.exe 39 PID 2724 wrote to memory of 2720 2724 0840224.exe 40 PID 2724 wrote to memory of 2720 2724 0840224.exe 40 PID 2724 wrote to memory of 2720 2724 0840224.exe 40 PID 2724 wrote to memory of 2720 2724 0840224.exe 40 PID 2720 wrote to memory of 2980 2720 s6466.exe 41 PID 2720 wrote to memory of 2980 2720 s6466.exe 41 PID 2720 wrote to memory of 2980 2720 s6466.exe 41 PID 2720 wrote to memory of 2980 2720 s6466.exe 41 PID 2980 wrote to memory of 920 2980 q20406.exe 42 PID 2980 wrote to memory of 920 2980 q20406.exe 42 PID 2980 wrote to memory of 920 2980 q20406.exe 42 PID 2980 wrote to memory of 920 2980 q20406.exe 42 PID 920 wrote to memory of 3024 920 646004.exe 43 PID 920 wrote to memory of 3024 920 646004.exe 43 PID 920 wrote to memory of 3024 920 646004.exe 43 PID 920 wrote to memory of 3024 920 646004.exe 43 PID 3024 wrote to memory of 2736 3024 24002.exe 44 PID 3024 wrote to memory of 2736 3024 24002.exe 44 PID 3024 wrote to memory of 2736 3024 24002.exe 44 PID 3024 wrote to memory of 2736 3024 24002.exe 44 PID 2736 wrote to memory of 580 2736 lxrlrrx.exe 45 PID 2736 wrote to memory of 580 2736 lxrlrrx.exe 45 PID 2736 wrote to memory of 580 2736 lxrlrrx.exe 45 PID 2736 wrote to memory of 580 2736 lxrlrrx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe"C:\Users\Admin\AppData\Local\Temp\7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\nhttbb.exec:\nhttbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\202282.exec:\202282.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\602248.exec:\602248.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\a6406.exec:\a6406.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\4206802.exec:\4206802.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\vdppd.exec:\vdppd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\686248.exec:\686248.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\dpdjd.exec:\dpdjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\860068.exec:\860068.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\0840224.exec:\0840224.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\s6466.exec:\s6466.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\q20406.exec:\q20406.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\646004.exec:\646004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\24002.exec:\24002.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\lxrlrrx.exec:\lxrlrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\dpjjp.exec:\dpjjp.exe17⤵
- Executes dropped EXE
PID:580 -
\??\c:\26442.exec:\26442.exe18⤵
- Executes dropped EXE
PID:1300 -
\??\c:\fffxlxf.exec:\fffxlxf.exe19⤵
- Executes dropped EXE
PID:2528 -
\??\c:\8688440.exec:\8688440.exe20⤵
- Executes dropped EXE
PID:2608 -
\??\c:\9vjjv.exec:\9vjjv.exe21⤵
- Executes dropped EXE
PID:1992 -
\??\c:\642622.exec:\642622.exe22⤵
- Executes dropped EXE
PID:1560 -
\??\c:\3bnbtt.exec:\3bnbtt.exe23⤵
- Executes dropped EXE
PID:2556 -
\??\c:\xlxxxxf.exec:\xlxxxxf.exe24⤵
- Executes dropped EXE
PID:1100 -
\??\c:\40626.exec:\40626.exe25⤵
- Executes dropped EXE
PID:1700 -
\??\c:\642282.exec:\642282.exe26⤵
- Executes dropped EXE
PID:2652 -
\??\c:\82440.exec:\82440.exe27⤵
- Executes dropped EXE
PID:1524 -
\??\c:\24222.exec:\24222.exe28⤵
- Executes dropped EXE
PID:2912 -
\??\c:\22846.exec:\22846.exe29⤵
- Executes dropped EXE
PID:1052 -
\??\c:\42046.exec:\42046.exe30⤵
- Executes dropped EXE
PID:1244 -
\??\c:\046240.exec:\046240.exe31⤵
- Executes dropped EXE
PID:296 -
\??\c:\868404.exec:\868404.exe32⤵
- Executes dropped EXE
PID:1868 -
\??\c:\frllfxx.exec:\frllfxx.exe33⤵
- Executes dropped EXE
PID:1740 -
\??\c:\bntbbh.exec:\bntbbh.exe34⤵
- Executes dropped EXE
PID:2128 -
\??\c:\7flrrrx.exec:\7flrrrx.exe35⤵
- Executes dropped EXE
PID:1240 -
\??\c:\dvjjp.exec:\dvjjp.exe36⤵
- Executes dropped EXE
PID:2072 -
\??\c:\68006.exec:\68006.exe37⤵
- Executes dropped EXE
PID:2428 -
\??\c:\264482.exec:\264482.exe38⤵
- Executes dropped EXE
PID:2356 -
\??\c:\7jpjj.exec:\7jpjj.exe39⤵
- Executes dropped EXE
PID:1616 -
\??\c:\a0846.exec:\a0846.exe40⤵
- Executes dropped EXE
PID:1952 -
\??\c:\e28806.exec:\e28806.exe41⤵
- Executes dropped EXE
PID:2184 -
\??\c:\m4206.exec:\m4206.exe42⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jjvdj.exec:\jjvdj.exe43⤵
- Executes dropped EXE
PID:2824 -
\??\c:\28628.exec:\28628.exe44⤵
- Executes dropped EXE
PID:2880 -
\??\c:\802620.exec:\802620.exe45⤵
- Executes dropped EXE
PID:2152 -
\??\c:\7htnnt.exec:\7htnnt.exe46⤵
- Executes dropped EXE
PID:3052 -
\??\c:\u428062.exec:\u428062.exe47⤵
- Executes dropped EXE
PID:2936 -
\??\c:\frxxfxf.exec:\frxxfxf.exe48⤵
- Executes dropped EXE
PID:2680 -
\??\c:\024466.exec:\024466.exe49⤵
- Executes dropped EXE
PID:2424 -
\??\c:\bhnhhb.exec:\bhnhhb.exe50⤵
- Executes dropped EXE
PID:2284 -
\??\c:\8026228.exec:\8026228.exe51⤵
- Executes dropped EXE
PID:632 -
\??\c:\82024.exec:\82024.exe52⤵
- Executes dropped EXE
PID:920 -
\??\c:\nnhbhn.exec:\nnhbhn.exe53⤵
- Executes dropped EXE
PID:2860 -
\??\c:\08666.exec:\08666.exe54⤵
- Executes dropped EXE
PID:1268 -
\??\c:\4806600.exec:\4806600.exe55⤵
- Executes dropped EXE
PID:564 -
\??\c:\442240.exec:\442240.exe56⤵
- Executes dropped EXE
PID:1696 -
\??\c:\226806.exec:\226806.exe57⤵
- Executes dropped EXE
PID:1928 -
\??\c:\426280.exec:\426280.exe58⤵
- Executes dropped EXE
PID:2772 -
\??\c:\08044.exec:\08044.exe59⤵
- Executes dropped EXE
PID:2512 -
\??\c:\608028.exec:\608028.exe60⤵
- Executes dropped EXE
PID:2584 -
\??\c:\0422824.exec:\0422824.exe61⤵
- Executes dropped EXE
PID:2576 -
\??\c:\60224.exec:\60224.exe62⤵
- Executes dropped EXE
PID:1496 -
\??\c:\9nbbbt.exec:\9nbbbt.exe63⤵
- Executes dropped EXE
PID:1412 -
\??\c:\0806880.exec:\0806880.exe64⤵
- Executes dropped EXE
PID:2536 -
\??\c:\hhbhnb.exec:\hhbhnb.exe65⤵
- Executes dropped EXE
PID:2320 -
\??\c:\2008484.exec:\2008484.exe66⤵PID:884
-
\??\c:\jvpvv.exec:\jvpvv.exe67⤵PID:2492
-
\??\c:\pjddj.exec:\pjddj.exe68⤵PID:1520
-
\??\c:\0484064.exec:\0484064.exe69⤵PID:1704
-
\??\c:\i084668.exec:\i084668.exe70⤵PID:748
-
\??\c:\dpppj.exec:\dpppj.exe71⤵PID:744
-
\??\c:\bhhntb.exec:\bhhntb.exe72⤵PID:1936
-
\??\c:\204400.exec:\204400.exe73⤵PID:2256
-
\??\c:\26466.exec:\26466.exe74⤵PID:1112
-
\??\c:\bthbhb.exec:\bthbhb.exe75⤵PID:1736
-
\??\c:\5rfffxx.exec:\5rfffxx.exe76⤵PID:868
-
\??\c:\0840606.exec:\0840606.exe77⤵PID:1740
-
\??\c:\s6444.exec:\s6444.exe78⤵PID:2244
-
\??\c:\2022480.exec:\2022480.exe79⤵PID:1688
-
\??\c:\5jvdd.exec:\5jvdd.exe80⤵PID:2008
-
\??\c:\bbtttb.exec:\bbtttb.exe81⤵PID:1036
-
\??\c:\xlxxxrx.exec:\xlxxxrx.exe82⤵PID:1844
-
\??\c:\dvddd.exec:\dvddd.exe83⤵PID:1616
-
\??\c:\vjvdv.exec:\vjvdv.exe84⤵PID:2440
-
\??\c:\6488620.exec:\6488620.exe85⤵PID:2884
-
\??\c:\1htbhn.exec:\1htbhn.exe86⤵PID:1908
-
\??\c:\20880.exec:\20880.exe87⤵PID:1768
-
\??\c:\pjvpp.exec:\pjvpp.exe88⤵PID:2880
-
\??\c:\bhnhbb.exec:\bhnhbb.exe89⤵PID:2700
-
\??\c:\jdjjp.exec:\jdjjp.exe90⤵PID:3052
-
\??\c:\rfffxxf.exec:\rfffxxf.exe91⤵PID:2732
-
\??\c:\vjvvv.exec:\vjvvv.exe92⤵PID:2724
-
\??\c:\046688.exec:\046688.exe93⤵PID:2728
-
\??\c:\g0620.exec:\g0620.exe94⤵PID:1512
-
\??\c:\pvvpj.exec:\pvvpj.exe95⤵PID:956
-
\??\c:\42480.exec:\42480.exe96⤵PID:1476
-
\??\c:\ttnbnn.exec:\ttnbnn.exe97⤵PID:3040
-
\??\c:\rxfffff.exec:\rxfffff.exe98⤵PID:356
-
\??\c:\jvppd.exec:\jvppd.exe99⤵PID:768
-
\??\c:\3lfxllx.exec:\3lfxllx.exe100⤵PID:580
-
\??\c:\6488062.exec:\6488062.exe101⤵PID:2504
-
\??\c:\hhttht.exec:\hhttht.exe102⤵PID:2112
-
\??\c:\fxlrllf.exec:\fxlrllf.exe103⤵PID:2528
-
\??\c:\m2622.exec:\m2622.exe104⤵PID:2608
-
\??\c:\462840.exec:\462840.exe105⤵PID:2588
-
\??\c:\ppjjp.exec:\ppjjp.exe106⤵PID:1784
-
\??\c:\ntnbnn.exec:\ntnbnn.exe107⤵PID:236
-
\??\c:\hhbntb.exec:\hhbntb.exe108⤵PID:2120
-
\??\c:\xrffrxr.exec:\xrffrxr.exe109⤵PID:2536
-
\??\c:\nhhnbn.exec:\nhhnbn.exe110⤵PID:952
-
\??\c:\08620.exec:\08620.exe111⤵PID:1332
-
\??\c:\246200.exec:\246200.exe112⤵PID:1340
-
\??\c:\vpdpp.exec:\vpdpp.exe113⤵PID:1760
-
\??\c:\u862468.exec:\u862468.exe114⤵PID:2044
-
\??\c:\lflrxxl.exec:\lflrxxl.exe115⤵PID:836
-
\??\c:\9lxrxll.exec:\9lxrxll.exe116⤵PID:2160
-
\??\c:\0424662.exec:\0424662.exe117⤵PID:304
-
\??\c:\64444.exec:\64444.exe118⤵PID:1244
-
\??\c:\88624.exec:\88624.exe119⤵PID:1032
-
\??\c:\04468.exec:\04468.exe120⤵PID:864
-
\??\c:\488028.exec:\488028.exe121⤵PID:348
-
\??\c:\jjvdp.exec:\jjvdp.exe122⤵PID:1556