Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 19:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe
-
Size
456KB
-
MD5
5459785143b98aaac015c207defd9d76
-
SHA1
95a70b869265c0ee83bae62c099dc22a3adca73d
-
SHA256
123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda
-
SHA512
ea818a07bec196b1c4e652714827674c5356b1dbffc8a74ecb618368192e1c41eba64d4ebe8ecdc48ac06f0c5e30626af136159381152fd047473b6ab4da8dfb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRN:q7Tc2NYHUrAwfMp3CDRN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/1672-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-60-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2664-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-135-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2984-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-173-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2368-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/288-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/848-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/924-224-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/952-236-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1784-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-276-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1680-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-327-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1556-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-420-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1232-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1368-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-668-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1988-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/656-749-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2128-775-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1928-788-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3004-966-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-979-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1892-1016-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1032-1024-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1448-1050-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2528-1063-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1644-1100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2864-1226-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 864 60808.exe 2360 5dvvd.exe 1900 frxrlfx.exe 2844 jvpvp.exe 2760 vjvvv.exe 2664 5thhhh.exe 2832 i422820.exe 2684 a2280.exe 2660 8626268.exe 2240 dvppd.exe 2848 pjvvj.exe 1736 264240.exe 2168 7vjpp.exe 3024 7nbnnt.exe 2984 0400068.exe 2868 7rlrflr.exe 1840 40084.exe 2476 i084068.exe 2368 486240.exe 288 266644.exe 848 5xlrllr.exe 1168 7jvdj.exe 924 482884.exe 952 7bbhbb.exe 1472 6428068.exe 2716 2688608.exe 2324 ddpjp.exe 1784 7rllrxr.exe 1752 9xrrflx.exe 1680 s8002.exe 936 xrffllx.exe 1992 28882.exe 864 jdvdj.exe 2288 824028.exe 2836 0806280.exe 2940 082466.exe 2636 s0804.exe 2924 6424064.exe 1556 20240.exe 276 lfflxfl.exe 2624 7dpvj.exe 2752 6020286.exe 1764 4868068.exe 1036 a4246.exe 3016 2602802.exe 2700 nntbhh.exe 2452 q42462.exe 2972 48668.exe 2980 0888440.exe 3032 rlxxffl.exe 2872 826800.exe 1232 hbtnhn.exe 548 a4886.exe 2488 9thbhn.exe 2496 tthhhh.exe 1956 u420280.exe 656 8268664.exe 976 286004.exe 2004 jdppv.exe 2228 9pjvd.exe 1168 rlflrxx.exe 1368 80222.exe 1732 486688.exe 348 a6840.exe -
resource yara_rule behavioral1/memory/1672-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-135-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2984-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-208-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/952-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-420-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2872-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-749-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2128-775-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1928-788-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2844-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-966-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-1016-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2528-1063-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1644-1100-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2956-1107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-1180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-1187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-1229-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0800262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1672 wrote to memory of 864 1672 123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe 31 PID 1672 wrote to memory of 864 1672 123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe 31 PID 1672 wrote to memory of 864 1672 123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe 31 PID 1672 wrote to memory of 864 1672 123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe 31 PID 864 wrote to memory of 2360 864 60808.exe 32 PID 864 wrote to memory of 2360 864 60808.exe 32 PID 864 wrote to memory of 2360 864 60808.exe 32 PID 864 wrote to memory of 2360 864 60808.exe 32 PID 2360 wrote to memory of 1900 2360 5dvvd.exe 33 PID 2360 wrote to memory of 1900 2360 5dvvd.exe 33 PID 2360 wrote to memory of 1900 2360 5dvvd.exe 33 PID 2360 wrote to memory of 1900 2360 5dvvd.exe 33 PID 1900 wrote to memory of 2844 1900 frxrlfx.exe 34 PID 1900 wrote to memory of 2844 1900 frxrlfx.exe 34 PID 1900 wrote to memory of 2844 1900 frxrlfx.exe 34 PID 1900 wrote to memory of 2844 1900 frxrlfx.exe 34 PID 2844 wrote to memory of 2760 2844 jvpvp.exe 35 PID 2844 wrote to memory of 2760 2844 jvpvp.exe 35 PID 2844 wrote to memory of 2760 2844 jvpvp.exe 35 PID 2844 wrote to memory of 2760 2844 jvpvp.exe 35 PID 2760 wrote to memory of 2664 2760 vjvvv.exe 36 PID 2760 wrote to memory of 2664 2760 vjvvv.exe 36 PID 2760 wrote to memory of 2664 2760 vjvvv.exe 36 PID 2760 wrote to memory of 2664 2760 vjvvv.exe 36 PID 2664 wrote to memory of 2832 2664 5thhhh.exe 37 PID 2664 wrote to memory of 2832 2664 5thhhh.exe 37 PID 2664 wrote to memory of 2832 2664 5thhhh.exe 37 PID 2664 wrote to memory of 2832 2664 5thhhh.exe 37 PID 2832 wrote to memory of 2684 2832 i422820.exe 38 PID 2832 wrote to memory of 2684 2832 i422820.exe 38 PID 2832 wrote to memory of 2684 2832 i422820.exe 38 PID 2832 wrote to memory of 2684 2832 i422820.exe 38 PID 2684 wrote to memory of 2660 2684 a2280.exe 39 PID 2684 wrote to memory of 2660 
2684 a2280.exe 39 PID 2684 wrote to memory of 2660 2684 a2280.exe 39 PID 2684 wrote to memory of 2660 2684 a2280.exe 39 PID 2660 wrote to memory of 2240 2660 8626268.exe 40 PID 2660 wrote to memory of 2240 2660 8626268.exe 40 PID 2660 wrote to memory of 2240 2660 8626268.exe 40 PID 2660 wrote to memory of 2240 2660 8626268.exe 40 PID 2240 wrote to memory of 2848 2240 dvppd.exe 41 PID 2240 wrote to memory of 2848 2240 dvppd.exe 41 PID 2240 wrote to memory of 2848 2240 dvppd.exe 41 PID 2240 wrote to memory of 2848 2240 dvppd.exe 41 PID 2848 wrote to memory of 1736 2848 pjvvj.exe 42 PID 2848 wrote to memory of 1736 2848 pjvvj.exe 42 PID 2848 wrote to memory of 1736 2848 pjvvj.exe 42 PID 2848 wrote to memory of 1736 2848 pjvvj.exe 42 PID 1736 wrote to memory of 2168 1736 264240.exe 43 PID 1736 wrote to memory of 2168 1736 264240.exe 43 PID 1736 wrote to memory of 2168 1736 264240.exe 43 PID 1736 wrote to memory of 2168 1736 264240.exe 43 PID 2168 wrote to memory of 3024 2168 7vjpp.exe 44 PID 2168 wrote to memory of 3024 2168 7vjpp.exe 44 PID 2168 wrote to memory of 3024 2168 7vjpp.exe 44 PID 2168 wrote to memory of 3024 2168 7vjpp.exe 44 PID 3024 wrote to memory of 2984 3024 7nbnnt.exe 45 PID 3024 wrote to memory of 2984 3024 7nbnnt.exe 45 PID 3024 wrote to memory of 2984 3024 7nbnnt.exe 45 PID 3024 wrote to memory of 2984 3024 7nbnnt.exe 45 PID 2984 wrote to memory of 2868 2984 0400068.exe 46 PID 2984 wrote to memory of 2868 2984 0400068.exe 46 PID 2984 wrote to memory of 2868 2984 0400068.exe 46 PID 2984 wrote to memory of 2868 2984 0400068.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe"C:\Users\Admin\AppData\Local\Temp\123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\60808.exec:\60808.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\5dvvd.exec:\5dvvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\frxrlfx.exec:\frxrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\jvpvp.exec:\jvpvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\vjvvv.exec:\vjvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\5thhhh.exec:\5thhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\i422820.exec:\i422820.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\a2280.exec:\a2280.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\8626268.exec:\8626268.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\dvppd.exec:\dvppd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\pjvvj.exec:\pjvvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\264240.exec:\264240.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\7vjpp.exec:\7vjpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\7nbnnt.exec:\7nbnnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\0400068.exec:\0400068.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\7rlrflr.exec:\7rlrflr.exe17⤵
- Executes dropped EXE
PID:2868 -
\??\c:\40084.exec:\40084.exe18⤵
- Executes dropped EXE
PID:1840 -
\??\c:\i084068.exec:\i084068.exe19⤵
- Executes dropped EXE
PID:2476 -
\??\c:\486240.exec:\486240.exe20⤵
- Executes dropped EXE
PID:2368 -
\??\c:\266644.exec:\266644.exe21⤵
- Executes dropped EXE
PID:288 -
\??\c:\5xlrllr.exec:\5xlrllr.exe22⤵
- Executes dropped EXE
PID:848 -
\??\c:\7jvdj.exec:\7jvdj.exe23⤵
- Executes dropped EXE
PID:1168 -
\??\c:\482884.exec:\482884.exe24⤵
- Executes dropped EXE
PID:924 -
\??\c:\7bbhbb.exec:\7bbhbb.exe25⤵
- Executes dropped EXE
PID:952 -
\??\c:\6428068.exec:\6428068.exe26⤵
- Executes dropped EXE
PID:1472 -
\??\c:\2688608.exec:\2688608.exe27⤵
- Executes dropped EXE
PID:2716 -
\??\c:\ddpjp.exec:\ddpjp.exe28⤵
- Executes dropped EXE
PID:2324 -
\??\c:\7rllrxr.exec:\7rllrxr.exe29⤵
- Executes dropped EXE
PID:1784 -
\??\c:\9xrrflx.exec:\9xrrflx.exe30⤵
- Executes dropped EXE
PID:1752 -
\??\c:\s8002.exec:\s8002.exe31⤵
- Executes dropped EXE
PID:1680 -
\??\c:\xrffllx.exec:\xrffllx.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:936 -
\??\c:\28882.exec:\28882.exe33⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jdvdj.exec:\jdvdj.exe34⤵
- Executes dropped EXE
PID:864 -
\??\c:\824028.exec:\824028.exe35⤵
- Executes dropped EXE
PID:2288 -
\??\c:\0806280.exec:\0806280.exe36⤵
- Executes dropped EXE
PID:2836 -
\??\c:\082466.exec:\082466.exe37⤵
- Executes dropped EXE
PID:2940 -
\??\c:\s0804.exec:\s0804.exe38⤵
- Executes dropped EXE
PID:2636 -
\??\c:\6424064.exec:\6424064.exe39⤵
- Executes dropped EXE
PID:2924 -
\??\c:\20240.exec:\20240.exe40⤵
- Executes dropped EXE
PID:1556 -
\??\c:\lfflxfl.exec:\lfflxfl.exe41⤵
- Executes dropped EXE
PID:276 -
\??\c:\7dpvj.exec:\7dpvj.exe42⤵
- Executes dropped EXE
PID:2624 -
\??\c:\6020286.exec:\6020286.exe43⤵
- Executes dropped EXE
PID:2752 -
\??\c:\4868068.exec:\4868068.exe44⤵
- Executes dropped EXE
PID:1764 -
\??\c:\a4246.exec:\a4246.exe45⤵
- Executes dropped EXE
PID:1036 -
\??\c:\2602802.exec:\2602802.exe46⤵
- Executes dropped EXE
PID:3016 -
\??\c:\nntbhh.exec:\nntbhh.exe47⤵
- Executes dropped EXE
PID:2700 -
\??\c:\q42462.exec:\q42462.exe48⤵
- Executes dropped EXE
PID:2452 -
\??\c:\48668.exec:\48668.exe49⤵
- Executes dropped EXE
PID:2972 -
\??\c:\0888440.exec:\0888440.exe50⤵
- Executes dropped EXE
PID:2980 -
\??\c:\rlxxffl.exec:\rlxxffl.exe51⤵
- Executes dropped EXE
PID:3032 -
\??\c:\826800.exec:\826800.exe52⤵
- Executes dropped EXE
PID:2872 -
\??\c:\hbtnhn.exec:\hbtnhn.exe53⤵
- Executes dropped EXE
PID:1232 -
\??\c:\a4886.exec:\a4886.exe54⤵
- Executes dropped EXE
PID:548 -
\??\c:\9thbhn.exec:\9thbhn.exe55⤵
- Executes dropped EXE
PID:2488 -
\??\c:\tthhhh.exec:\tthhhh.exe56⤵
- Executes dropped EXE
PID:2496 -
\??\c:\u420280.exec:\u420280.exe57⤵
- Executes dropped EXE
PID:1956 -
\??\c:\8268664.exec:\8268664.exe58⤵
- Executes dropped EXE
PID:656 -
\??\c:\286004.exec:\286004.exe59⤵
- Executes dropped EXE
PID:976 -
\??\c:\jdppv.exec:\jdppv.exe60⤵
- Executes dropped EXE
PID:2004 -
\??\c:\9pjvd.exec:\9pjvd.exe61⤵
- Executes dropped EXE
PID:2228 -
\??\c:\rlflrxx.exec:\rlflrxx.exe62⤵
- Executes dropped EXE
PID:1168 -
\??\c:\80222.exec:\80222.exe63⤵
- Executes dropped EXE
PID:1368 -
\??\c:\486688.exec:\486688.exe64⤵
- Executes dropped EXE
PID:1732 -
\??\c:\a6840.exec:\a6840.exe65⤵
- Executes dropped EXE
PID:348 -
\??\c:\7nhnbh.exec:\7nhnbh.exe66⤵PID:2588
-
\??\c:\64280.exec:\64280.exe67⤵PID:1940
-
\??\c:\9htttt.exec:\9htttt.exe68⤵PID:1792
-
\??\c:\48668.exec:\48668.exe69⤵PID:2356
-
\??\c:\9vddd.exec:\9vddd.exe70⤵PID:1984
-
\??\c:\08666.exec:\08666.exe71⤵PID:768
-
\??\c:\5pddv.exec:\5pddv.exe72⤵PID:900
-
\??\c:\dpddv.exec:\dpddv.exe73⤵PID:1516
-
\??\c:\3vpdd.exec:\3vpdd.exe74⤵PID:1176
-
\??\c:\bbbnbh.exec:\bbbnbh.exe75⤵PID:2568
-
\??\c:\5thnhn.exec:\5thnhn.exe76⤵PID:2724
-
\??\c:\08622.exec:\08622.exe77⤵PID:2392
-
\??\c:\9tnnnn.exec:\9tnnnn.exe78⤵PID:1900
-
\??\c:\7lffflx.exec:\7lffflx.exe79⤵PID:2180
-
\??\c:\64002.exec:\64002.exe80⤵PID:2760
-
\??\c:\9pvvp.exec:\9pvvp.exe81⤵PID:3064
-
\??\c:\jpvdp.exec:\jpvdp.exe82⤵PID:2928
-
\??\c:\42444.exec:\42444.exe83⤵PID:2832
-
\??\c:\2860046.exec:\2860046.exe84⤵PID:276
-
\??\c:\pdjdj.exec:\pdjdj.exe85⤵PID:2704
-
\??\c:\080444.exec:\080444.exe86⤵PID:2684
-
\??\c:\4682262.exec:\4682262.exe87⤵PID:2524
-
\??\c:\008028.exec:\008028.exe88⤵PID:1172
-
\??\c:\xlrlfrr.exec:\xlrlfrr.exe89⤵PID:3068
-
\??\c:\640626.exec:\640626.exe90⤵PID:2008
-
\??\c:\8868260.exec:\8868260.exe91⤵PID:1480
-
\??\c:\9vdvv.exec:\9vdvv.exe92⤵PID:2892
-
\??\c:\pdjdd.exec:\pdjdd.exe93⤵PID:3004
-
\??\c:\m8404.exec:\m8404.exe94⤵PID:2616
-
\??\c:\64484.exec:\64484.exe95⤵PID:3048
-
\??\c:\3hnnbt.exec:\3hnnbt.exe96⤵PID:1988
-
\??\c:\20666.exec:\20666.exe97⤵PID:1856
-
\??\c:\w80448.exec:\w80448.exe98⤵PID:1700
-
\??\c:\3pvpj.exec:\3pvpj.exe99⤵PID:2056
-
\??\c:\7nnnbb.exec:\7nnnbb.exe100⤵PID:2600
-
\??\c:\64600.exec:\64600.exe101⤵PID:2348
-
\??\c:\frxrrlf.exec:\frxrrlf.exe102⤵PID:656
-
\??\c:\k68688.exec:\k68688.exe103⤵PID:1448
-
\??\c:\thhhhb.exec:\thhhhb.exe104⤵PID:1592
-
\??\c:\80266.exec:\80266.exe105⤵PID:1800
-
\??\c:\8468262.exec:\8468262.exe106⤵PID:2128
-
\??\c:\9ppdv.exec:\9ppdv.exe107⤵PID:2148
-
\??\c:\htbttt.exec:\htbttt.exe108⤵PID:1928
-
\??\c:\nbhhbb.exec:\nbhhbb.exe109⤵PID:2264
-
\??\c:\4626602.exec:\4626602.exe110⤵PID:2716
-
\??\c:\xlxrllf.exec:\xlxrllf.exe111⤵PID:2100
-
\??\c:\7vddd.exec:\7vddd.exe112⤵PID:2152
-
\??\c:\7fllrll.exec:\7fllrll.exe113⤵PID:708
-
\??\c:\7rfxxrx.exec:\7rfxxrx.exe114⤵PID:912
-
\??\c:\o400048.exec:\o400048.exe115⤵PID:2352
-
\??\c:\i806604.exec:\i806604.exe116⤵PID:692
-
\??\c:\tnbhnn.exec:\tnbhnn.exe117⤵PID:1748
-
\??\c:\nbnttb.exec:\nbnttb.exe118⤵PID:1992
-
\??\c:\xlrfxrf.exec:\xlrfxrf.exe119⤵PID:2816
-
\??\c:\xrfflfl.exec:\xrfflfl.exe120⤵PID:2360
-
\??\c:\c026600.exec:\c026600.exe121⤵PID:2936
-
\??\c:\86266.exec:\86266.exe122⤵PID:2844