Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
25-12-2024 17:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe
-
Size
454KB
-
MD5
9ab324654d4c20eac2f711c6d1e4e9d0
-
SHA1
aa360fb8209c23e3cd76db608dae2f5b5ede1351
-
SHA256
a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4
-
SHA512
de4105a61f10020bd21b4bb855869c5b31d75cab9ffc2cda4a94edd2e90099c579ea7d7b7126fbf417e4620a004e694d7d93f1d6cfb6e359046d96c7f179960c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs. Note: these memory-dump IoCs are keyed by PID and address range, and PIDs are reused within the 120 s run (for example 2496, 2308 and 2800 each appear twice in the process tree below), so a PID on its own does not identify a single dropped executable. Nearly every hit is the same 0x2A000-byte region at image base 0x400000, tagged both family_blackmoon and upx, which is consistent with each stage being another copy of the same UPX-packed binary; confirm by comparing the dumps.
resource yara_rule behavioral1/memory/1540-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-27-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/944-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1216-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-522-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2812-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-1253-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2448-1304-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2884-1289-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2632-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-766-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/920-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2068-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1076-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1460-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-46-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs. The listing is truncated at 64 entries; the process tree below shows the spawn chain continuing to at least depth 122, so treat this count as a lower bound rather than the total number of dropped executables.
pid Process 2496 vpddj.exe 2308 xxxlrxl.exe 2528 204066.exe 2128 0088482.exe 2100 i046846.exe 2816 bthnhh.exe 2804 042062.exe 2712 1fxlrrf.exe 2784 040028.exe 2552 3jjjp.exe 2628 1bbhhn.exe 2008 7ffflfr.exe 944 00440.exe 1092 ddvvj.exe 1428 hhbhht.exe 2800 9hbbhn.exe 2456 vpjpv.exe 1460 222080.exe 1900 jvpvd.exe 2864 thbhnb.exe 2196 i044662.exe 2192 08668.exe 2328 3rrfrxl.exe 2224 bbhtbh.exe 1076 bttbnt.exe 1844 8244624.exe 2536 bbnbnt.exe 2936 46880.exe 2944 26024.exe 1496 dvjjv.exe 3044 lfxxxxr.exe 1720 4484804.exe 1216 4862442.exe 2496 608462.exe 2308 486422.exe 2644 1jvjj.exe 2376 9thbbb.exe 2764 208240.exe 2768 k04466.exe 2288 rlfrxxr.exe 2492 q44268.exe 2600 266484.exe 612 1bntbh.exe 1120 k66840.exe 2164 hbthhn.exe 2824 a4864.exe 1784 xrlxxxl.exe 1208 dvpvj.exe 2760 9dvjv.exe 1044 608406.exe 2800 w60284.exe 1988 7bbnbh.exe 1756 8240882.exe 2976 jpjjv.exe 2408 pjdjv.exe 3016 824062.exe 920 7rlrffl.exe 2236 frlxlrr.exe 2248 6422440.exe 2016 dvpdj.exe 1324 nnntnt.exe 864 btnhbb.exe 2400 ddpvp.exe 1996 820224.exe -
resource yara_rule behavioral1/memory/2496-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-1096-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-977-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-901-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-515-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2068-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1460-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1428-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-66-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2100-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-48-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location. Many of the entries below are attributed to "Process not Found", meaning the sandbox could not map the registry access back to a live process — presumably because the short-lived dropped executables had already exited — so the per-process attribution here is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c824002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e04400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e04200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. Each parent→child pair is recorded four times in the table, so the 64 entries cover only 16 spawn events (1540→2496 through 1428→2800), i.e. the first 16 levels of the process tree; the table stops there although the tree itself continues well past that depth.
description pid Process procid_target PID 1540 wrote to memory of 2496 1540 a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe 30 PID 1540 wrote to memory of 2496 1540 a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe 30 PID 1540 wrote to memory of 2496 1540 a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe 30 PID 1540 wrote to memory of 2496 1540 a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe 30 PID 2496 wrote to memory of 2308 2496 vpddj.exe 64 PID 2496 wrote to memory of 2308 2496 vpddj.exe 64 PID 2496 wrote to memory of 2308 2496 vpddj.exe 64 PID 2496 wrote to memory of 2308 2496 vpddj.exe 64 PID 2308 wrote to memory of 2528 2308 xxxlrxl.exe 229 PID 2308 wrote to memory of 2528 2308 xxxlrxl.exe 229 PID 2308 wrote to memory of 2528 2308 xxxlrxl.exe 229 PID 2308 wrote to memory of 2528 2308 xxxlrxl.exe 229 PID 2528 wrote to memory of 2128 2528 204066.exe 33 PID 2528 wrote to memory of 2128 2528 204066.exe 33 PID 2528 wrote to memory of 2128 2528 204066.exe 33 PID 2528 wrote to memory of 2128 2528 204066.exe 33 PID 2128 wrote to memory of 2100 2128 0088482.exe 34 PID 2128 wrote to memory of 2100 2128 0088482.exe 34 PID 2128 wrote to memory of 2100 2128 0088482.exe 34 PID 2128 wrote to memory of 2100 2128 0088482.exe 34 PID 2100 wrote to memory of 2816 2100 i046846.exe 35 PID 2100 wrote to memory of 2816 2100 i046846.exe 35 PID 2100 wrote to memory of 2816 2100 i046846.exe 35 PID 2100 wrote to memory of 2816 2100 i046846.exe 35 PID 2816 wrote to memory of 2804 2816 bthnhh.exe 204 PID 2816 wrote to memory of 2804 2816 bthnhh.exe 204 PID 2816 wrote to memory of 2804 2816 bthnhh.exe 204 PID 2816 wrote to memory of 2804 2816 bthnhh.exe 204 PID 2804 wrote to memory of 2712 2804 042062.exe 37 PID 2804 wrote to memory of 2712 2804 042062.exe 37 PID 2804 wrote to memory of 2712 2804 042062.exe 37 PID 2804 wrote to memory of 2712 2804 042062.exe 37 PID 2712 wrote to memory of 2784 2712 
1fxlrrf.exe 38 PID 2712 wrote to memory of 2784 2712 1fxlrrf.exe 38 PID 2712 wrote to memory of 2784 2712 1fxlrrf.exe 38 PID 2712 wrote to memory of 2784 2712 1fxlrrf.exe 38 PID 2784 wrote to memory of 2552 2784 040028.exe 39 PID 2784 wrote to memory of 2552 2784 040028.exe 39 PID 2784 wrote to memory of 2552 2784 040028.exe 39 PID 2784 wrote to memory of 2552 2784 040028.exe 39 PID 2552 wrote to memory of 2628 2552 3jjjp.exe 40 PID 2552 wrote to memory of 2628 2552 3jjjp.exe 40 PID 2552 wrote to memory of 2628 2552 3jjjp.exe 40 PID 2552 wrote to memory of 2628 2552 3jjjp.exe 40 PID 2628 wrote to memory of 2008 2628 1bbhhn.exe 41 PID 2628 wrote to memory of 2008 2628 1bbhhn.exe 41 PID 2628 wrote to memory of 2008 2628 1bbhhn.exe 41 PID 2628 wrote to memory of 2008 2628 1bbhhn.exe 41 PID 2008 wrote to memory of 944 2008 7ffflfr.exe 42 PID 2008 wrote to memory of 944 2008 7ffflfr.exe 42 PID 2008 wrote to memory of 944 2008 7ffflfr.exe 42 PID 2008 wrote to memory of 944 2008 7ffflfr.exe 42 PID 944 wrote to memory of 1092 944 00440.exe 43 PID 944 wrote to memory of 1092 944 00440.exe 43 PID 944 wrote to memory of 1092 944 00440.exe 43 PID 944 wrote to memory of 1092 944 00440.exe 43 PID 1092 wrote to memory of 1428 1092 ddvvj.exe 44 PID 1092 wrote to memory of 1428 1092 ddvvj.exe 44 PID 1092 wrote to memory of 1428 1092 ddvvj.exe 44 PID 1092 wrote to memory of 1428 1092 ddvvj.exe 44 PID 1428 wrote to memory of 2800 1428 hhbhht.exe 45 PID 1428 wrote to memory of 2800 1428 hhbhht.exe 45 PID 1428 wrote to memory of 2800 1428 hhbhht.exe 45 PID 1428 wrote to memory of 2800 1428 hhbhht.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe"C:\Users\Admin\AppData\Local\Temp\a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\vpddj.exec:\vpddj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\xxxlrxl.exec:\xxxlrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\204066.exec:\204066.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\0088482.exec:\0088482.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\i046846.exec:\i046846.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\bthnhh.exec:\bthnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\042062.exec:\042062.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\1fxlrrf.exec:\1fxlrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\040028.exec:\040028.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\3jjjp.exec:\3jjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\1bbhhn.exec:\1bbhhn.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\7ffflfr.exec:\7ffflfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\00440.exec:\00440.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\ddvvj.exec:\ddvvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\hhbhht.exec:\hhbhht.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\9hbbhn.exec:\9hbbhn.exe17⤵
- Executes dropped EXE
PID:2800 -
\??\c:\vpjpv.exec:\vpjpv.exe18⤵
- Executes dropped EXE
PID:2456 -
\??\c:\222080.exec:\222080.exe19⤵
- Executes dropped EXE
PID:1460 -
\??\c:\jvpvd.exec:\jvpvd.exe20⤵
- Executes dropped EXE
PID:1900 -
\??\c:\thbhnb.exec:\thbhnb.exe21⤵
- Executes dropped EXE
PID:2864 -
\??\c:\i044662.exec:\i044662.exe22⤵
- Executes dropped EXE
PID:2196 -
\??\c:\08668.exec:\08668.exe23⤵
- Executes dropped EXE
PID:2192 -
\??\c:\3rrfrxl.exec:\3rrfrxl.exe24⤵
- Executes dropped EXE
PID:2328 -
\??\c:\bbhtbh.exec:\bbhtbh.exe25⤵
- Executes dropped EXE
PID:2224 -
\??\c:\bttbnt.exec:\bttbnt.exe26⤵
- Executes dropped EXE
PID:1076 -
\??\c:\8244624.exec:\8244624.exe27⤵
- Executes dropped EXE
PID:1844 -
\??\c:\bbnbnt.exec:\bbnbnt.exe28⤵
- Executes dropped EXE
PID:2536 -
\??\c:\46880.exec:\46880.exe29⤵
- Executes dropped EXE
PID:2936 -
\??\c:\26024.exec:\26024.exe30⤵
- Executes dropped EXE
PID:2944 -
\??\c:\dvjjv.exec:\dvjjv.exe31⤵
- Executes dropped EXE
PID:1496 -
\??\c:\lfxxxxr.exec:\lfxxxxr.exe32⤵
- Executes dropped EXE
PID:3044 -
\??\c:\4484804.exec:\4484804.exe33⤵
- Executes dropped EXE
PID:1720 -
\??\c:\4862442.exec:\4862442.exe34⤵
- Executes dropped EXE
PID:1216 -
\??\c:\608462.exec:\608462.exe35⤵
- Executes dropped EXE
PID:2496 -
\??\c:\486422.exec:\486422.exe36⤵
- Executes dropped EXE
PID:2308 -
\??\c:\1jvjj.exec:\1jvjj.exe37⤵
- Executes dropped EXE
PID:2644 -
\??\c:\9thbbb.exec:\9thbbb.exe38⤵
- Executes dropped EXE
PID:2376 -
\??\c:\208240.exec:\208240.exe39⤵
- Executes dropped EXE
PID:2764 -
\??\c:\k04466.exec:\k04466.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\rlfrxxr.exec:\rlfrxxr.exe41⤵
- Executes dropped EXE
PID:2288 -
\??\c:\q44268.exec:\q44268.exe42⤵
- Executes dropped EXE
PID:2492 -
\??\c:\266484.exec:\266484.exe43⤵
- Executes dropped EXE
PID:2600 -
\??\c:\1bntbh.exec:\1bntbh.exe44⤵
- Executes dropped EXE
PID:612 -
\??\c:\k66840.exec:\k66840.exe45⤵
- Executes dropped EXE
PID:1120 -
\??\c:\hbthhn.exec:\hbthhn.exe46⤵
- Executes dropped EXE
PID:2164 -
\??\c:\a4864.exec:\a4864.exe47⤵
- Executes dropped EXE
PID:2824 -
\??\c:\xrlxxxl.exec:\xrlxxxl.exe48⤵
- Executes dropped EXE
PID:1784 -
\??\c:\dvpvj.exec:\dvpvj.exe49⤵
- Executes dropped EXE
PID:1208 -
\??\c:\9dvjv.exec:\9dvjv.exe50⤵
- Executes dropped EXE
PID:2760 -
\??\c:\608406.exec:\608406.exe51⤵
- Executes dropped EXE
PID:1044 -
\??\c:\w60284.exec:\w60284.exe52⤵
- Executes dropped EXE
PID:2800 -
\??\c:\7bbnbh.exec:\7bbnbh.exe53⤵
- Executes dropped EXE
PID:1988 -
\??\c:\8240882.exec:\8240882.exe54⤵
- Executes dropped EXE
PID:1756 -
\??\c:\jpjjv.exec:\jpjjv.exe55⤵
- Executes dropped EXE
PID:2976 -
\??\c:\pjdjv.exec:\pjdjv.exe56⤵
- Executes dropped EXE
PID:2408 -
\??\c:\824062.exec:\824062.exe57⤵
- Executes dropped EXE
PID:3016 -
\??\c:\7rlrffl.exec:\7rlrffl.exe58⤵
- Executes dropped EXE
PID:920 -
\??\c:\frlxlrr.exec:\frlxlrr.exe59⤵
- Executes dropped EXE
PID:2236 -
\??\c:\6422440.exec:\6422440.exe60⤵
- Executes dropped EXE
PID:2248 -
\??\c:\dvpdj.exec:\dvpdj.exe61⤵
- Executes dropped EXE
PID:2016 -
\??\c:\nnntnt.exec:\nnntnt.exe62⤵
- Executes dropped EXE
PID:1324 -
\??\c:\btnhbb.exec:\btnhbb.exe63⤵
- Executes dropped EXE
PID:864 -
\??\c:\ddpvp.exec:\ddpvp.exe64⤵
- Executes dropped EXE
PID:2400 -
\??\c:\820224.exec:\820224.exe65⤵
- Executes dropped EXE
PID:1996 -
\??\c:\vvvjv.exec:\vvvjv.exe66⤵PID:1752
-
\??\c:\1jjpd.exec:\1jjpd.exe67⤵PID:2068
-
\??\c:\7bntbh.exec:\7bntbh.exe68⤵PID:2968
-
\??\c:\0428286.exec:\0428286.exe69⤵PID:1728
-
\??\c:\nhhthh.exec:\nhhthh.exe70⤵PID:2524
-
\??\c:\60828.exec:\60828.exe71⤵PID:1584
-
\??\c:\lfxrflr.exec:\lfxrflr.exe72⤵PID:1908
-
\??\c:\7pddd.exec:\7pddd.exe73⤵PID:1720
-
\??\c:\fxxxrrf.exec:\fxxxrrf.exe74⤵PID:2356
-
\??\c:\864644.exec:\864644.exe75⤵PID:1904
-
\??\c:\48002.exec:\48002.exe76⤵PID:1576
-
\??\c:\5hbhnt.exec:\5hbhnt.exe77⤵PID:2732
-
\??\c:\rrfxllx.exec:\rrfxllx.exe78⤵PID:2376
-
\??\c:\w64022.exec:\w64022.exe79⤵PID:2764
-
\??\c:\pjdjv.exec:\pjdjv.exe80⤵PID:2668
-
\??\c:\a0444.exec:\a0444.exe81⤵PID:1980
-
\??\c:\426806.exec:\426806.exe82⤵PID:2752
-
\??\c:\c000846.exec:\c000846.exe83⤵PID:2724
-
\??\c:\824684.exec:\824684.exe84⤵PID:2784
-
\??\c:\u424644.exec:\u424644.exe85⤵PID:2700
-
\??\c:\48224.exec:\48224.exe86⤵PID:1244
-
\??\c:\6480846.exec:\6480846.exe87⤵PID:2812
-
\??\c:\g4864.exec:\g4864.exe88⤵PID:2488
-
\??\c:\hhbbnn.exec:\hhbbnn.exe89⤵PID:2840
-
\??\c:\ddppd.exec:\ddppd.exe90⤵PID:2144
-
\??\c:\rfffrfr.exec:\rfffrfr.exe91⤵PID:2560
-
\??\c:\7vvjp.exec:\7vvjp.exe92⤵PID:1992
-
\??\c:\9bbhtb.exec:\9bbhtb.exe93⤵PID:1280
-
\??\c:\djvpd.exec:\djvpd.exe94⤵PID:1452
-
\??\c:\vjvvv.exec:\vjvvv.exe95⤵PID:1900
-
\??\c:\88242.exec:\88242.exe96⤵PID:2976
-
\??\c:\tnbnbb.exec:\tnbnbb.exe97⤵PID:2408
-
\??\c:\lfrlxxl.exec:\lfrlxxl.exe98⤵PID:2864
-
\??\c:\6462222.exec:\6462222.exe99⤵PID:920
-
\??\c:\nhhnhb.exec:\nhhnhb.exe100⤵PID:2192
-
\??\c:\3nbtnn.exec:\3nbtnn.exe101⤵PID:2604
-
\??\c:\8224668.exec:\8224668.exe102⤵PID:2000
-
\??\c:\46266.exec:\46266.exe103⤵PID:1076
-
\??\c:\hhttbh.exec:\hhttbh.exe104⤵PID:3024
-
\??\c:\fflffrr.exec:\fflffrr.exe105⤵PID:1896
-
\??\c:\482840.exec:\482840.exe106⤵PID:2892
-
\??\c:\1hbnnt.exec:\1hbnnt.exe107⤵PID:1492
-
\??\c:\k88028.exec:\k88028.exe108⤵PID:2032
-
\??\c:\0240046.exec:\0240046.exe109⤵PID:872
-
\??\c:\606684.exec:\606684.exe110⤵PID:2968
-
\??\c:\86400.exec:\86400.exe111⤵PID:2052
-
\??\c:\4200666.exec:\4200666.exe112⤵PID:536
-
\??\c:\64062.exec:\64062.exe113⤵PID:1260
-
\??\c:\rlxflxr.exec:\rlxflxr.exe114⤵PID:2256
-
\??\c:\hnhnbn.exec:\hnhnbn.exe115⤵PID:1720
-
\??\c:\vpddd.exec:\vpddd.exe116⤵PID:1164
-
\??\c:\q28266.exec:\q28266.exe117⤵PID:2680
-
\??\c:\pdppp.exec:\pdppp.exe118⤵PID:2696
-
\??\c:\082204.exec:\082204.exe119⤵PID:2100
-
\??\c:\5htnnn.exec:\5htnnn.exe120⤵PID:2788
-
\??\c:\02402.exec:\02402.exe121⤵PID:2656
-
\??\c:\4622488.exec:\4622488.exe122⤵PID:2632