Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 17:59
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe
-
Size
454KB
-
MD5
69646fb445a679869d2742383a19a98f
-
SHA1
ad82a79a01e7895d856b29a1cd52360e81b37d53
-
SHA256
e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b
-
SHA512
dd965dc1d901c3889dc3db17e6037a327218b032c0fc2cf7c1b09fbb3e1f6c9e4048a3f87e40790960ad8344656bd51fac7bdf7baaf7ab1b598751c08126dee5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 46 IoCs (YARA rule family_blackmoon matched on in-memory process images; almost every hit sits at the same mapped range 0x400000–0x42A000 in a different PID, consistent with each dropped stage being a copy of the same image — confirm by comparing hashes of the dropped files)
resource yara_rule behavioral1/memory/2556-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-93-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1968-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-148-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2600-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/972-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/588-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/696-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-269-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2116-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/920-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-581-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1460-701-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1984-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-722-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/868-729-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/940-748-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/684-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2660-869-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1564-970-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/848-983-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-1039-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the table is capped at 64 entries while the process tree below runs to depth 122, so this list is truncated; note also that PIDs are reused within the run — e.g. 2800, 2972, 2020, 2116, 2248 and 972 each appear for more than one stage — so a PID alone does not uniquely identify a process in the memory tables above)
pid Process 2416 64880.exe 2576 rlxxllx.exe 2372 26446.exe 2884 jvppv.exe 2800 xlxxflf.exe 2972 0428402.exe 3040 8646224.exe 2856 64020.exe 2832 o688046.exe 2700 tttthb.exe 2596 vpjjj.exe 1968 8262620.exe 620 82880.exe 2520 66226.exe 2908 228882.exe 2756 042848.exe 2020 2466662.exe 3036 pjppj.exe 2300 bnnnhh.exe 2600 djddd.exe 2248 thbbtn.exe 788 xlxxxrx.exe 972 0848600.exe 1440 xlxxfxf.exe 588 1vvvj.exe 2268 dvddp.exe 2664 vvddj.exe 696 4862846.exe 2116 nnbtnh.exe 2320 rfxfrrr.exe 1880 22808.exe 1444 a4666.exe 1644 480400.exe 920 hthhhb.exe 1640 3lrrxrx.exe 1484 dvdvd.exe 2368 ddpvd.exe 1668 2084228.exe 2640 64662.exe 2800 26468.exe 2972 806066.exe 2840 3bnhhb.exe 2732 htbhbb.exe 2980 a0224.exe 1348 6060228.exe 2728 42002.exe 480 u022222.exe 2532 028448.exe 2308 08006.exe 1232 nhnttt.exe 1740 8244228.exe 2140 8688466.exe 1140 08662.exe 1320 bnhhhh.exe 1940 8244228.exe 2020 i404044.exe 2216 802682.exe 2440 3dppd.exe 1452 5nhhhb.exe 1124 lxfxrrr.exe 2248 086660.exe 844 q64400.exe 1804 xlxllrx.exe 972 02440.exe -
resource yara_rule behavioral1/memory/2556-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/972-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-264-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2116-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-432-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1320-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-703-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/684-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-869-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1544-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-901-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-933-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-970-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/848-983-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-1039-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-1046-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-1077-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-1097-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP (MITRE ATT&CK T1614.001), 64 IoCs (capped)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run the IoC is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Most entries are attributed to "Process not Found", which presumably means the short-lived stage had already exited before the sandbox could resolve the accessing process; of the stages it did resolve (3rlxrfl.exe, btntbh.exe, 420060.exe, q68400.exe, s8242.exe, w64844.exe, bbthnb.exe, u084064.exe, thtbbt.exe, jjdvp.exe, 224402.exe), only thtbbt.exe appears in the truncated process tree below. Reading this key is also done by many benign locale-aware programs, so treat it as weak evidence on its own.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlxrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q68400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w64844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u084064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 224402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (capped). Each parent records exactly four writes into the child it has just launched (e.g. PID 2556 → 2416, 2416 → 2576, 2576 → 2372), a pattern consistent with ordinary child-process creation rather than injection into an unrelated, already-running process; the notable behaviour here is the strictly linear chain in which every stage spawns the next.
description pid Process procid_target PID 2556 wrote to memory of 2416 2556 e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe 30 PID 2556 wrote to memory of 2416 2556 e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe 30 PID 2556 wrote to memory of 2416 2556 e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe 30 PID 2556 wrote to memory of 2416 2556 e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe 30 PID 2416 wrote to memory of 2576 2416 64880.exe 31 PID 2416 wrote to memory of 2576 2416 64880.exe 31 PID 2416 wrote to memory of 2576 2416 64880.exe 31 PID 2416 wrote to memory of 2576 2416 64880.exe 31 PID 2576 wrote to memory of 2372 2576 rlxxllx.exe 32 PID 2576 wrote to memory of 2372 2576 rlxxllx.exe 32 PID 2576 wrote to memory of 2372 2576 rlxxllx.exe 32 PID 2576 wrote to memory of 2372 2576 rlxxllx.exe 32 PID 2372 wrote to memory of 2884 2372 26446.exe 33 PID 2372 wrote to memory of 2884 2372 26446.exe 33 PID 2372 wrote to memory of 2884 2372 26446.exe 33 PID 2372 wrote to memory of 2884 2372 26446.exe 33 PID 2884 wrote to memory of 2800 2884 jvppv.exe 34 PID 2884 wrote to memory of 2800 2884 jvppv.exe 34 PID 2884 wrote to memory of 2800 2884 jvppv.exe 34 PID 2884 wrote to memory of 2800 2884 jvppv.exe 34 PID 2800 wrote to memory of 2972 2800 xlxxflf.exe 35 PID 2800 wrote to memory of 2972 2800 xlxxflf.exe 35 PID 2800 wrote to memory of 2972 2800 xlxxflf.exe 35 PID 2800 wrote to memory of 2972 2800 xlxxflf.exe 35 PID 2972 wrote to memory of 3040 2972 0428402.exe 36 PID 2972 wrote to memory of 3040 2972 0428402.exe 36 PID 2972 wrote to memory of 3040 2972 0428402.exe 36 PID 2972 wrote to memory of 3040 2972 0428402.exe 36 PID 3040 wrote to memory of 2856 3040 8646224.exe 37 PID 3040 wrote to memory of 2856 3040 8646224.exe 37 PID 3040 wrote to memory of 2856 3040 8646224.exe 37 PID 3040 wrote to memory of 2856 3040 8646224.exe 37 PID 2856 wrote to memory of 2832 2856 64020.exe 38 PID 2856 
wrote to memory of 2832 2856 64020.exe 38 PID 2856 wrote to memory of 2832 2856 64020.exe 38 PID 2856 wrote to memory of 2832 2856 64020.exe 38 PID 2832 wrote to memory of 2700 2832 o688046.exe 39 PID 2832 wrote to memory of 2700 2832 o688046.exe 39 PID 2832 wrote to memory of 2700 2832 o688046.exe 39 PID 2832 wrote to memory of 2700 2832 o688046.exe 39 PID 2700 wrote to memory of 2596 2700 tttthb.exe 40 PID 2700 wrote to memory of 2596 2700 tttthb.exe 40 PID 2700 wrote to memory of 2596 2700 tttthb.exe 40 PID 2700 wrote to memory of 2596 2700 tttthb.exe 40 PID 2596 wrote to memory of 1968 2596 vpjjj.exe 41 PID 2596 wrote to memory of 1968 2596 vpjjj.exe 41 PID 2596 wrote to memory of 1968 2596 vpjjj.exe 41 PID 2596 wrote to memory of 1968 2596 vpjjj.exe 41 PID 1968 wrote to memory of 620 1968 8262620.exe 42 PID 1968 wrote to memory of 620 1968 8262620.exe 42 PID 1968 wrote to memory of 620 1968 8262620.exe 42 PID 1968 wrote to memory of 620 1968 8262620.exe 42 PID 620 wrote to memory of 2520 620 82880.exe 43 PID 620 wrote to memory of 2520 620 82880.exe 43 PID 620 wrote to memory of 2520 620 82880.exe 43 PID 620 wrote to memory of 2520 620 82880.exe 43 PID 2520 wrote to memory of 2908 2520 66226.exe 44 PID 2520 wrote to memory of 2908 2520 66226.exe 44 PID 2520 wrote to memory of 2908 2520 66226.exe 44 PID 2520 wrote to memory of 2908 2520 66226.exe 44 PID 2908 wrote to memory of 2756 2908 228882.exe 45 PID 2908 wrote to memory of 2756 2908 228882.exe 45 PID 2908 wrote to memory of 2756 2908 228882.exe 45 PID 2908 wrote to memory of 2756 2908 228882.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe"C:\Users\Admin\AppData\Local\Temp\e4b862b97d99e215037a91c2f5521397659e74a0c8f799472a06fcd26c11a45b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\64880.exec:\64880.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\rlxxllx.exec:\rlxxllx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\26446.exec:\26446.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\jvppv.exec:\jvppv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\xlxxflf.exec:\xlxxflf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\0428402.exec:\0428402.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\8646224.exec:\8646224.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\64020.exec:\64020.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\o688046.exec:\o688046.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\tttthb.exec:\tttthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\vpjjj.exec:\vpjjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\8262620.exec:\8262620.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\82880.exec:\82880.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\66226.exec:\66226.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\228882.exec:\228882.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\042848.exec:\042848.exe17⤵
- Executes dropped EXE
PID:2756 -
\??\c:\2466662.exec:\2466662.exe18⤵
- Executes dropped EXE
PID:2020 -
\??\c:\pjppj.exec:\pjppj.exe19⤵
- Executes dropped EXE
PID:3036 -
\??\c:\bnnnhh.exec:\bnnnhh.exe20⤵
- Executes dropped EXE
PID:2300 -
\??\c:\djddd.exec:\djddd.exe21⤵
- Executes dropped EXE
PID:2600 -
\??\c:\thbbtn.exec:\thbbtn.exe22⤵
- Executes dropped EXE
PID:2248 -
\??\c:\xlxxxrx.exec:\xlxxxrx.exe23⤵
- Executes dropped EXE
PID:788 -
\??\c:\0848600.exec:\0848600.exe24⤵
- Executes dropped EXE
PID:972 -
\??\c:\xlxxfxf.exec:\xlxxfxf.exe25⤵
- Executes dropped EXE
PID:1440 -
\??\c:\1vvvj.exec:\1vvvj.exe26⤵
- Executes dropped EXE
PID:588 -
\??\c:\dvddp.exec:\dvddp.exe27⤵
- Executes dropped EXE
PID:2268 -
\??\c:\vvddj.exec:\vvddj.exe28⤵
- Executes dropped EXE
PID:2664 -
\??\c:\4862846.exec:\4862846.exe29⤵
- Executes dropped EXE
PID:696 -
\??\c:\nnbtnh.exec:\nnbtnh.exe30⤵
- Executes dropped EXE
PID:2116 -
\??\c:\rfxfrrr.exec:\rfxfrrr.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\22808.exec:\22808.exe32⤵
- Executes dropped EXE
PID:1880 -
\??\c:\a4666.exec:\a4666.exe33⤵
- Executes dropped EXE
PID:1444 -
\??\c:\480400.exec:\480400.exe34⤵
- Executes dropped EXE
PID:1644 -
\??\c:\hthhhb.exec:\hthhhb.exe35⤵
- Executes dropped EXE
PID:920 -
\??\c:\3lrrxrx.exec:\3lrrxrx.exe36⤵
- Executes dropped EXE
PID:1640 -
\??\c:\dvdvd.exec:\dvdvd.exe37⤵
- Executes dropped EXE
PID:1484 -
\??\c:\ddpvd.exec:\ddpvd.exe38⤵
- Executes dropped EXE
PID:2368 -
\??\c:\2084228.exec:\2084228.exe39⤵
- Executes dropped EXE
PID:1668 -
\??\c:\64662.exec:\64662.exe40⤵
- Executes dropped EXE
PID:2640 -
\??\c:\26468.exec:\26468.exe41⤵
- Executes dropped EXE
PID:2800 -
\??\c:\806066.exec:\806066.exe42⤵
- Executes dropped EXE
PID:2972 -
\??\c:\3bnhhb.exec:\3bnhhb.exe43⤵
- Executes dropped EXE
PID:2840 -
\??\c:\htbhbb.exec:\htbhbb.exe44⤵
- Executes dropped EXE
PID:2732 -
\??\c:\a0224.exec:\a0224.exe45⤵
- Executes dropped EXE
PID:2980 -
\??\c:\6060228.exec:\6060228.exe46⤵
- Executes dropped EXE
PID:1348 -
\??\c:\42002.exec:\42002.exe47⤵
- Executes dropped EXE
PID:2728 -
\??\c:\u022222.exec:\u022222.exe48⤵
- Executes dropped EXE
PID:480 -
\??\c:\028448.exec:\028448.exe49⤵
- Executes dropped EXE
PID:2532 -
\??\c:\08006.exec:\08006.exe50⤵
- Executes dropped EXE
PID:2308 -
\??\c:\nhnttt.exec:\nhnttt.exe51⤵
- Executes dropped EXE
PID:1232 -
\??\c:\8244228.exec:\8244228.exe52⤵
- Executes dropped EXE
PID:1740 -
\??\c:\8688466.exec:\8688466.exe53⤵
- Executes dropped EXE
PID:2140 -
\??\c:\08662.exec:\08662.exe54⤵
- Executes dropped EXE
PID:1140 -
\??\c:\bnhhhh.exec:\bnhhhh.exe55⤵
- Executes dropped EXE
PID:1320 -
\??\c:\8244228.exec:\8244228.exe56⤵
- Executes dropped EXE
PID:1940 -
\??\c:\i404044.exec:\i404044.exe57⤵
- Executes dropped EXE
PID:2020 -
\??\c:\802682.exec:\802682.exe58⤵
- Executes dropped EXE
PID:2216 -
\??\c:\3dppd.exec:\3dppd.exe59⤵
- Executes dropped EXE
PID:2440 -
\??\c:\5nhhhb.exec:\5nhhhb.exe60⤵
- Executes dropped EXE
PID:1452 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe61⤵
- Executes dropped EXE
PID:1124 -
\??\c:\086660.exec:\086660.exe62⤵
- Executes dropped EXE
PID:2248 -
\??\c:\q64400.exec:\q64400.exe63⤵
- Executes dropped EXE
PID:844 -
\??\c:\xlxllrx.exec:\xlxllrx.exe64⤵
- Executes dropped EXE
PID:1804 -
\??\c:\02440.exec:\02440.exe65⤵
- Executes dropped EXE
PID:972 -
\??\c:\08862.exec:\08862.exe66⤵PID:1440
-
\??\c:\0842266.exec:\0842266.exe67⤵PID:1876
-
\??\c:\208426.exec:\208426.exe68⤵PID:2144
-
\??\c:\s8006.exec:\s8006.exe69⤵PID:1212
-
\??\c:\6804884.exec:\6804884.exe70⤵PID:2500
-
\??\c:\vpddp.exec:\vpddp.exe71⤵PID:2260
-
\??\c:\jvdvv.exec:\jvdvv.exe72⤵PID:988
-
\??\c:\hthbhh.exec:\hthbhh.exe73⤵PID:2116
-
\??\c:\7xlrffl.exec:\7xlrffl.exe74⤵PID:1692
-
\??\c:\20204.exec:\20204.exe75⤵PID:2512
-
\??\c:\208226.exec:\208226.exe76⤵PID:1596
-
\??\c:\q48424.exec:\q48424.exe77⤵PID:1260
-
\??\c:\086688.exec:\086688.exe78⤵PID:920
-
\??\c:\rfllllx.exec:\rfllllx.exe79⤵PID:1640
-
\??\c:\642244.exec:\642244.exe80⤵PID:2428
-
\??\c:\68040.exec:\68040.exe81⤵PID:2384
-
\??\c:\o084668.exec:\o084668.exe82⤵PID:2956
-
\??\c:\pdpvd.exec:\pdpvd.exe83⤵PID:2948
-
\??\c:\42446.exec:\42446.exe84⤵PID:2560
-
\??\c:\a4604.exec:\a4604.exe85⤵PID:776
-
\??\c:\dvpvd.exec:\dvpvd.exe86⤵PID:2968
-
\??\c:\9bnhbt.exec:\9bnhbt.exe87⤵PID:2896
-
\??\c:\jdjpv.exec:\jdjpv.exe88⤵PID:2752
-
\??\c:\042400.exec:\042400.exe89⤵PID:2712
-
\??\c:\i866822.exec:\i866822.exe90⤵PID:2700
-
\??\c:\04622.exec:\04622.exe91⤵PID:876
-
\??\c:\2066822.exec:\2066822.exe92⤵PID:2220
-
\??\c:\i688828.exec:\i688828.exe93⤵PID:1724
-
\??\c:\e04426.exec:\e04426.exe94⤵PID:3008
-
\??\c:\hthhtt.exec:\hthhtt.exe95⤵PID:1460
-
\??\c:\8626822.exec:\8626822.exe96⤵PID:1984
-
\??\c:\rlfflrx.exec:\rlfflrx.exe97⤵PID:1588
-
\??\c:\jjddj.exec:\jjddj.exe98⤵PID:2240
-
\??\c:\4800228.exec:\4800228.exe99⤵PID:868
-
\??\c:\486622.exec:\486622.exe100⤵PID:2252
-
\??\c:\vjddv.exec:\vjddv.exe101⤵PID:1848
-
\??\c:\8240606.exec:\8240606.exe102⤵PID:940
-
\??\c:\vvpvd.exec:\vvpvd.exe103⤵PID:2600
-
\??\c:\fxffrlr.exec:\fxffrlr.exe104⤵PID:1052
-
\??\c:\rfllxrf.exec:\rfllxrf.exe105⤵PID:1924
-
\??\c:\606240.exec:\606240.exe106⤵PID:684
-
\??\c:\bnttbb.exec:\bnttbb.exe107⤵PID:1944
-
\??\c:\w60062.exec:\w60062.exe108⤵PID:1800
-
\??\c:\3frxfxx.exec:\3frxfxx.exe109⤵PID:852
-
\??\c:\4824064.exec:\4824064.exe110⤵PID:1496
-
\??\c:\3nbhnt.exec:\3nbhnt.exe111⤵PID:1456
-
\??\c:\9dppv.exec:\9dppv.exe112⤵PID:1364
-
\??\c:\thbnnn.exec:\thbnnn.exe113⤵PID:2656
-
\??\c:\202860.exec:\202860.exe114⤵PID:572
-
\??\c:\bthhnh.exec:\bthhnh.exe115⤵PID:2480
-
\??\c:\4240062.exec:\4240062.exe116⤵PID:2116
-
\??\c:\4206884.exec:\4206884.exe117⤵PID:2080
-
\??\c:\86484.exec:\86484.exe118⤵PID:2324
-
\??\c:\4802480.exec:\4802480.exe119⤵PID:2408
-
\??\c:\pjpjp.exec:\pjpjp.exe120⤵PID:1256
-
\??\c:\thtbbt.exec:\thtbbt.exe121⤵
- System Location Discovery: System Language Discovery
PID:2660 -
\??\c:\thhhhb.exec:\thhhhb.exe122⤵PID:1544