Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 17:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe
-
Size
454KB
-
MD5
dd01bd2cf8321bc3b9a64e64aa39d800
-
SHA1
ff9e60333ab733ca1aeca39b9b0cb230c555a813
-
SHA256
cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9c
-
SHA512
9fde2a0741c4c0918ae454d0eeeadbc87669310d9edd66a76aae020d6fb30809982b603b9c2fdcd9a5790cfd5910ea6cb5cf0348039e8008efad4eab6d9cb054
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeK:q7Tc2NYHUrAwfMp3CDK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2680-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-78-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2056-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-95-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2104-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-109-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1952-127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2180-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-144-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1984-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2164-195-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2152-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-648-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2988-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-968-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2720 u088446.exe 2788 6484624.exe 2736 i088440.exe 2760 7frrrxf.exe 2044 vvjdj.exe 2648 86842.exe 2056 q24448.exe 332 thttbb.exe 1616 2048482.exe 2104 024222.exe 2180 vjddp.exe 1952 8628488.exe 308 642844.exe 2908 1hhbtn.exe 1452 642280.exe 1984 u266886.exe 2952 60446.exe 2240 w08806.exe 2164 hbhhhb.exe 2152 2022222.exe 2456 462848.exe 2284 460822.exe 1872 64020.exe 780 g2826.exe 2320 8022822.exe 1728 k24448.exe 1324 nbnhhb.exe 2996 7tbnhh.exe 2348 jdpjp.exe 2524 s8624.exe 2764 640044.exe 2680 fxlxxfl.exe 2792 2066488.exe 2820 3ppvj.exe 2788 02666.exe 2848 xlrlrfl.exe 2812 0866660.exe 2624 tbnnnh.exe 2596 42444.exe 1256 7vvjd.exe 1656 86484.exe 2056 5pddd.exe 1492 60244.exe 1336 2082822.exe 1616 q42622.exe 2252 frllxfr.exe 2156 thtbtt.exe 1156 0868042.exe 2768 rlrrxfr.exe 1976 a6402.exe 1760 jvjjj.exe 2140 2460046.exe 848 46662.exe 1948 0488002.exe 2756 04880.exe 2308 6480062.exe 792 xrfrflr.exe 2192 5nbhnt.exe 768 vvpjv.exe 1624 flxflrr.exe 1484 m2640.exe 2208 886688.exe 872 g0880.exe 2280 u806208.exe -
resource yara_rule behavioral1/memory/2680-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-95-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2104-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-144-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1984-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-223-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2320-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1336-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-694-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1232-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-741-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2108-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-855-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-937-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Rows marked "Process not Found" are registry opens for which the sandbox could not resolve the acting process; this is presumably because the short-lived dropped EXE had already exited, so those entries cannot be attributed to a specific image name from this report alone.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2688408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o022822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4026640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 220200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u042064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u422284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2680 wrote to memory of 2720 2680 cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe 30 PID 2680 wrote to memory of 2720 2680 cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe 30 PID 2680 wrote to memory of 2720 2680 cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe 30 PID 2680 wrote to memory of 2720 2680 cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe 30 PID 2720 wrote to memory of 2788 2720 u088446.exe 31 PID 2720 wrote to memory of 2788 2720 u088446.exe 31 PID 2720 wrote to memory of 2788 2720 u088446.exe 31 PID 2720 wrote to memory of 2788 2720 u088446.exe 31 PID 2788 wrote to memory of 2736 2788 6484624.exe 32 PID 2788 wrote to memory of 2736 2788 6484624.exe 32 PID 2788 wrote to memory of 2736 2788 6484624.exe 32 PID 2788 wrote to memory of 2736 2788 6484624.exe 32 PID 2736 wrote to memory of 2760 2736 i088440.exe 33 PID 2736 wrote to memory of 2760 2736 i088440.exe 33 PID 2736 wrote to memory of 2760 2736 i088440.exe 33 PID 2736 wrote to memory of 2760 2736 i088440.exe 33 PID 2760 wrote to memory of 2044 2760 7frrrxf.exe 34 PID 2760 wrote to memory of 2044 2760 7frrrxf.exe 34 PID 2760 wrote to memory of 2044 2760 7frrrxf.exe 34 PID 2760 wrote to memory of 2044 2760 7frrrxf.exe 34 PID 2044 wrote to memory of 2648 2044 vvjdj.exe 35 PID 2044 wrote to memory of 2648 2044 vvjdj.exe 35 PID 2044 wrote to memory of 2648 2044 vvjdj.exe 35 PID 2044 wrote to memory of 2648 2044 vvjdj.exe 35 PID 2648 wrote to memory of 2056 2648 86842.exe 36 PID 2648 wrote to memory of 2056 2648 86842.exe 36 PID 2648 wrote to memory of 2056 2648 86842.exe 36 PID 2648 wrote to memory of 2056 2648 86842.exe 36 PID 2056 wrote to memory of 332 2056 q24448.exe 37 PID 2056 wrote to memory of 332 2056 q24448.exe 37 PID 2056 wrote to memory of 332 2056 q24448.exe 37 PID 2056 wrote to memory of 332 2056 q24448.exe 37 PID 332 wrote to memory of 1616 332 thttbb.exe 38 PID 332 
wrote to memory of 1616 332 thttbb.exe 38 PID 332 wrote to memory of 1616 332 thttbb.exe 38 PID 332 wrote to memory of 1616 332 thttbb.exe 38 PID 1616 wrote to memory of 2104 1616 2048482.exe 39 PID 1616 wrote to memory of 2104 1616 2048482.exe 39 PID 1616 wrote to memory of 2104 1616 2048482.exe 39 PID 1616 wrote to memory of 2104 1616 2048482.exe 39 PID 2104 wrote to memory of 2180 2104 024222.exe 40 PID 2104 wrote to memory of 2180 2104 024222.exe 40 PID 2104 wrote to memory of 2180 2104 024222.exe 40 PID 2104 wrote to memory of 2180 2104 024222.exe 40 PID 2180 wrote to memory of 1952 2180 vjddp.exe 41 PID 2180 wrote to memory of 1952 2180 vjddp.exe 41 PID 2180 wrote to memory of 1952 2180 vjddp.exe 41 PID 2180 wrote to memory of 1952 2180 vjddp.exe 41 PID 1952 wrote to memory of 308 1952 8628488.exe 42 PID 1952 wrote to memory of 308 1952 8628488.exe 42 PID 1952 wrote to memory of 308 1952 8628488.exe 42 PID 1952 wrote to memory of 308 1952 8628488.exe 42 PID 308 wrote to memory of 2908 308 642844.exe 43 PID 308 wrote to memory of 2908 308 642844.exe 43 PID 308 wrote to memory of 2908 308 642844.exe 43 PID 308 wrote to memory of 2908 308 642844.exe 43 PID 2908 wrote to memory of 1452 2908 1hhbtn.exe 44 PID 2908 wrote to memory of 1452 2908 1hhbtn.exe 44 PID 2908 wrote to memory of 1452 2908 1hhbtn.exe 44 PID 2908 wrote to memory of 1452 2908 1hhbtn.exe 44 PID 1452 wrote to memory of 1984 1452 642280.exe 45 PID 1452 wrote to memory of 1984 1452 642280.exe 45 PID 1452 wrote to memory of 1984 1452 642280.exe 45 PID 1452 wrote to memory of 1984 1452 642280.exe 45
Processes (note: PIDs are recycled during the 120 s run — e.g. PID 2680 is both the initial sample and, later, fxlxxfl.exe, and PID 2788 is both 6484624.exe and 02666.exe — so correlate the WriteProcessMemory and YARA memory hits above by image name and tree depth, not by PID alone)
-
C:\Users\Admin\AppData\Local\Temp\cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe"C:\Users\Admin\AppData\Local\Temp\cb9cf7dd041460c36de10031ee028b2e44e04c17f6c24a85e339a27b0eb62e9cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\u088446.exec:\u088446.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\6484624.exec:\6484624.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\i088440.exec:\i088440.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\7frrrxf.exec:\7frrrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\vvjdj.exec:\vvjdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\86842.exec:\86842.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\q24448.exec:\q24448.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\thttbb.exec:\thttbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\2048482.exec:\2048482.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\024222.exec:\024222.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\vjddp.exec:\vjddp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\8628488.exec:\8628488.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\642844.exec:\642844.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:308 -
\??\c:\1hhbtn.exec:\1hhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\642280.exec:\642280.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\u266886.exec:\u266886.exe17⤵
- Executes dropped EXE
PID:1984 -
\??\c:\60446.exec:\60446.exe18⤵
- Executes dropped EXE
PID:2952 -
\??\c:\w08806.exec:\w08806.exe19⤵
- Executes dropped EXE
PID:2240 -
\??\c:\hbhhhb.exec:\hbhhhb.exe20⤵
- Executes dropped EXE
PID:2164 -
\??\c:\2022222.exec:\2022222.exe21⤵
- Executes dropped EXE
PID:2152 -
\??\c:\462848.exec:\462848.exe22⤵
- Executes dropped EXE
PID:2456 -
\??\c:\460822.exec:\460822.exe23⤵
- Executes dropped EXE
PID:2284 -
\??\c:\64020.exec:\64020.exe24⤵
- Executes dropped EXE
PID:1872 -
\??\c:\g2826.exec:\g2826.exe25⤵
- Executes dropped EXE
PID:780 -
\??\c:\8022822.exec:\8022822.exe26⤵
- Executes dropped EXE
PID:2320 -
\??\c:\k24448.exec:\k24448.exe27⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nbnhhb.exec:\nbnhhb.exe28⤵
- Executes dropped EXE
PID:1324 -
\??\c:\7tbnhh.exec:\7tbnhh.exe29⤵
- Executes dropped EXE
PID:2996 -
\??\c:\jdpjp.exec:\jdpjp.exe30⤵
- Executes dropped EXE
PID:2348 -
\??\c:\s8624.exec:\s8624.exe31⤵
- Executes dropped EXE
PID:2524 -
\??\c:\640044.exec:\640044.exe32⤵
- Executes dropped EXE
PID:2764 -
\??\c:\fxlxxfl.exec:\fxlxxfl.exe33⤵
- Executes dropped EXE
PID:2680 -
\??\c:\2066488.exec:\2066488.exe34⤵
- Executes dropped EXE
PID:2792 -
\??\c:\3ppvj.exec:\3ppvj.exe35⤵
- Executes dropped EXE
PID:2820 -
\??\c:\02666.exec:\02666.exe36⤵
- Executes dropped EXE
PID:2788 -
\??\c:\xlrlrfl.exec:\xlrlrfl.exe37⤵
- Executes dropped EXE
PID:2848 -
\??\c:\0866660.exec:\0866660.exe38⤵
- Executes dropped EXE
PID:2812 -
\??\c:\tbnnnh.exec:\tbnnnh.exe39⤵
- Executes dropped EXE
PID:2624 -
\??\c:\42444.exec:\42444.exe40⤵
- Executes dropped EXE
PID:2596 -
\??\c:\7vvjd.exec:\7vvjd.exe41⤵
- Executes dropped EXE
PID:1256 -
\??\c:\86484.exec:\86484.exe42⤵
- Executes dropped EXE
PID:1656 -
\??\c:\5pddd.exec:\5pddd.exe43⤵
- Executes dropped EXE
PID:2056 -
\??\c:\60244.exec:\60244.exe44⤵
- Executes dropped EXE
PID:1492 -
\??\c:\2082822.exec:\2082822.exe45⤵
- Executes dropped EXE
PID:1336 -
\??\c:\q42622.exec:\q42622.exe46⤵
- Executes dropped EXE
PID:1616 -
\??\c:\frllxfr.exec:\frllxfr.exe47⤵
- Executes dropped EXE
PID:2252 -
\??\c:\thtbtt.exec:\thtbtt.exe48⤵
- Executes dropped EXE
PID:2156 -
\??\c:\0868042.exec:\0868042.exe49⤵
- Executes dropped EXE
PID:1156 -
\??\c:\rlrrxfr.exec:\rlrrxfr.exe50⤵
- Executes dropped EXE
PID:2768 -
\??\c:\a6402.exec:\a6402.exe51⤵
- Executes dropped EXE
PID:1976 -
\??\c:\jvjjj.exec:\jvjjj.exe52⤵
- Executes dropped EXE
PID:1760 -
\??\c:\2460046.exec:\2460046.exe53⤵
- Executes dropped EXE
PID:2140 -
\??\c:\46662.exec:\46662.exe54⤵
- Executes dropped EXE
PID:848 -
\??\c:\0488002.exec:\0488002.exe55⤵
- Executes dropped EXE
PID:1948 -
\??\c:\04880.exec:\04880.exe56⤵
- Executes dropped EXE
PID:2756 -
\??\c:\6480062.exec:\6480062.exe57⤵
- Executes dropped EXE
PID:2308 -
\??\c:\xrfrflr.exec:\xrfrflr.exe58⤵
- Executes dropped EXE
PID:792 -
\??\c:\5nbhnt.exec:\5nbhnt.exe59⤵
- Executes dropped EXE
PID:2192 -
\??\c:\vvpjv.exec:\vvpjv.exe60⤵
- Executes dropped EXE
PID:768 -
\??\c:\flxflrr.exec:\flxflrr.exe61⤵
- Executes dropped EXE
PID:1624 -
\??\c:\m2640.exec:\m2640.exe62⤵
- Executes dropped EXE
PID:1484 -
\??\c:\886688.exec:\886688.exe63⤵
- Executes dropped EXE
PID:2208 -
\??\c:\g0880.exec:\g0880.exe64⤵
- Executes dropped EXE
PID:872 -
\??\c:\u806208.exec:\u806208.exe65⤵
- Executes dropped EXE
PID:2280 -
\??\c:\8644062.exec:\8644062.exe66⤵PID:976
-
\??\c:\1jvvd.exec:\1jvvd.exe67⤵PID:1740
-
\??\c:\1hbtbb.exec:\1hbtbb.exe68⤵PID:2320
-
\??\c:\9fxrrrx.exec:\9fxrrrx.exe69⤵PID:904
-
\??\c:\rflxxxl.exec:\rflxxxl.exe70⤵PID:2012
-
\??\c:\lxllrrl.exec:\lxllrrl.exe71⤵
- System Location Discovery: System Language Discovery
PID:2660 -
\??\c:\42284.exec:\42284.exe72⤵PID:1488
-
\??\c:\llfxflx.exec:\llfxflx.exe73⤵PID:288
-
\??\c:\dvppd.exec:\dvppd.exe74⤵PID:2524
-
\??\c:\8260266.exec:\8260266.exe75⤵PID:2500
-
\??\c:\3ppjp.exec:\3ppjp.exe76⤵PID:1600
-
\??\c:\rlflrrf.exec:\rlflrrf.exe77⤵PID:2784
-
\??\c:\4806228.exec:\4806228.exe78⤵PID:2716
-
\??\c:\xxfxffx.exec:\xxfxffx.exe79⤵PID:2692
-
\??\c:\3htbbh.exec:\3htbbh.exe80⤵PID:2780
-
\??\c:\fxrrxxl.exec:\fxrrxxl.exe81⤵PID:2600
-
\??\c:\044466.exec:\044466.exe82⤵PID:2772
-
\??\c:\bthnbb.exec:\bthnbb.exe83⤵PID:2748
-
\??\c:\0428002.exec:\0428002.exe84⤵PID:2632
-
\??\c:\082806.exec:\082806.exe85⤵PID:2596
-
\??\c:\4266486.exec:\4266486.exe86⤵PID:2844
-
\??\c:\42224.exec:\42224.exe87⤵PID:1652
-
\??\c:\e86288.exec:\e86288.exe88⤵PID:1320
-
\??\c:\9djjd.exec:\9djjd.exe89⤵PID:2988
-
\??\c:\6884686.exec:\6884686.exe90⤵PID:2260
-
\??\c:\4262884.exec:\4262884.exe91⤵PID:1832
-
\??\c:\htbbhn.exec:\htbbhn.exe92⤵PID:2172
-
\??\c:\s6828.exec:\s6828.exe93⤵PID:1040
-
\??\c:\88060.exec:\88060.exe94⤵PID:2644
-
\??\c:\608804.exec:\608804.exe95⤵PID:2112
-
\??\c:\48668.exec:\48668.exe96⤵PID:1232
-
\??\c:\hbthnh.exec:\hbthnh.exe97⤵PID:1604
-
\??\c:\1bntbb.exec:\1bntbb.exe98⤵PID:1988
-
\??\c:\9dvpv.exec:\9dvpv.exe99⤵PID:2560
-
\??\c:\2440084.exec:\2440084.exe100⤵PID:2556
-
\??\c:\1ffllll.exec:\1ffllll.exe101⤵PID:2108
-
\??\c:\jdvdj.exec:\jdvdj.exe102⤵PID:2240
-
\??\c:\3vjjj.exec:\3vjjj.exe103⤵PID:2476
-
\??\c:\rlrrfxx.exec:\rlrrfxx.exe104⤵PID:2428
-
\??\c:\vjpjp.exec:\vjpjp.exe105⤵PID:1216
-
\??\c:\w84848.exec:\w84848.exe106⤵PID:2216
-
\??\c:\a4620.exec:\a4620.exe107⤵PID:2436
-
\??\c:\2462222.exec:\2462222.exe108⤵PID:3068
-
\??\c:\6844488.exec:\6844488.exe109⤵PID:1084
-
\??\c:\24448.exec:\24448.exe110⤵PID:1876
-
\??\c:\4862284.exec:\4862284.exe111⤵PID:1228
-
\??\c:\hbnttt.exec:\hbnttt.exe112⤵PID:880
-
\??\c:\264062.exec:\264062.exe113⤵PID:2008
-
\??\c:\lrffxxx.exec:\lrffxxx.exe114⤵PID:2656
-
\??\c:\6040228.exec:\6040228.exe115⤵PID:3044
-
\??\c:\3fxlrrl.exec:\3fxlrrl.exe116⤵PID:2964
-
\??\c:\426284.exec:\426284.exe117⤵PID:2248
-
\??\c:\ffrfrlx.exec:\ffrfrlx.exe118⤵PID:2860
-
\??\c:\082288.exec:\082288.exe119⤵PID:876
-
\??\c:\084022.exec:\084022.exe120⤵PID:1564
-
\??\c:\5vdvd.exec:\5vdvd.exe121⤵PID:2856
-
\??\c:\260628.exec:\260628.exe122⤵PID:2804