Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 21:35
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe
-
Size
453KB
-
MD5
604db61ad7c97378efd7a3515ea1c41d
-
SHA1
323f621ccc8593b0a2170a50a1ab9a827e3be608
-
SHA256
dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b
-
SHA512
11c91f7dafe62b1420efeaba6e1dbd868b29c9184c89259918ef92bfbf786ddf05079000732051746b9715f9d6fff0e3cd9c8a563e3d36a66fdd7eb794ed4b38
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs (YARA hits on memory dumps only: every match is a 0x2A000-byte region — usually the 0x00400000–0x0042A000 image range — in the initial process and in each dropped child; the same regions are also matched by the `upx` rule below, so each drop appears to be a copy of the same packed binary rather than a distinct second-stage payload)
resource yara_rule behavioral1/memory/1960-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-16-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2708-22-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2280-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-56-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1896-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-140-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2316-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2636-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-385-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1252-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-592-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2804-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-873-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2252-1028-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1884-1050-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2396-1060-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-1160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2280 86262.exe 2708 66020.exe 2692 640006.exe 2988 1tthnn.exe 2812 djdjp.exe 2664 c040280.exe 2628 rlxlrxr.exe 1896 48068.exe 1540 5hnntt.exe 1252 bthhnn.exe 2532 0824068.exe 1088 8646880.exe 1368 nhnnth.exe 2740 82064.exe 2156 2644628.exe 2316 ffrrrrx.exe 1768 4888620.exe 2520 thtthn.exe 2100 lffrxxf.exe 2396 pjjpp.exe 1660 48646.exe 1820 662428.exe 1384 046206.exe 2292 i428668.exe 1392 0844062.exe 1972 djvpv.exe 2636 5xrfffr.exe 2492 lrfrlrl.exe 2284 nnhhnb.exe 1496 8868624.exe 1912 420644.exe 888 42284.exe 2340 8206846.exe 2168 028628.exe 2700 042840.exe 2864 860246.exe 2692 3dvjd.exe 2840 26624.exe 1704 hhhhbn.exe 2928 jjjvj.exe 2568 86284.exe 2232 xxrxllx.exe 2084 888602.exe 1212 3xlrxfl.exe 2908 9ppjv.exe 1228 dvpvp.exe 1252 a8246.exe 1892 2606868.exe 1004 vpjpv.exe 2732 vvpvp.exe 2900 c044286.exe 2740 808462.exe 2368 2842680.exe 1868 2080824.exe 2356 nnhhbh.exe 2476 vpddj.exe 2196 26020.exe 2296 7dvvd.exe 2236 8646440.exe 2184 046840.exe 1884 8602064.exe 996 60808.exe 768 24222.exe 884 ffflfrf.exe -
UPX packed file 48 IoCs (signature heading is missing from this capture; name inferred from the yara rule `upx` attached to every entry — the 7th signature counted above)
resource yara_rule behavioral1/memory/1960-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-22-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2280-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-310-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2864-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-904-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-1051-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-1060-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-1122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-1160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-1195-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTP (MITRE ATT&CK T1614.001) 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveats for triage: most of the `NLS\Language` key opens listed below are attributed to "Process not Found", i.e. the sandbox could not tie the event to a live process (possibly because the relevant dropped child had already exited), and only a handful are attributed to named dropped executables. Opening this key is also routine for locale-aware Windows code, so on its own it is a weak indicator — weigh it together with the drop-and-spawn chain in the process tree rather than in isolation.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4888028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c286668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0806668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 466008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 808462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (display is capped at 64 entries: only the first 16 parent→child hops of the chain are listed, each recorded four times). Every write targets the writing process's own direct child as shown in the process tree below, which is consistent with ordinary creation of the dropped executable rather than injection into an unrelated process; treat this signature as corroboration of the drop chain, not by itself as evidence of cross-process code injection.
description pid Process procid_target PID 1960 wrote to memory of 2280 1960 dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe 30 PID 1960 wrote to memory of 2280 1960 dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe 30 PID 1960 wrote to memory of 2280 1960 dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe 30 PID 1960 wrote to memory of 2280 1960 dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe 30 PID 2280 wrote to memory of 2708 2280 86262.exe 31 PID 2280 wrote to memory of 2708 2280 86262.exe 31 PID 2280 wrote to memory of 2708 2280 86262.exe 31 PID 2280 wrote to memory of 2708 2280 86262.exe 31 PID 2708 wrote to memory of 2692 2708 66020.exe 32 PID 2708 wrote to memory of 2692 2708 66020.exe 32 PID 2708 wrote to memory of 2692 2708 66020.exe 32 PID 2708 wrote to memory of 2692 2708 66020.exe 32 PID 2692 wrote to memory of 2988 2692 640006.exe 33 PID 2692 wrote to memory of 2988 2692 640006.exe 33 PID 2692 wrote to memory of 2988 2692 640006.exe 33 PID 2692 wrote to memory of 2988 2692 640006.exe 33 PID 2988 wrote to memory of 2812 2988 1tthnn.exe 34 PID 2988 wrote to memory of 2812 2988 1tthnn.exe 34 PID 2988 wrote to memory of 2812 2988 1tthnn.exe 34 PID 2988 wrote to memory of 2812 2988 1tthnn.exe 34 PID 2812 wrote to memory of 2664 2812 djdjp.exe 35 PID 2812 wrote to memory of 2664 2812 djdjp.exe 35 PID 2812 wrote to memory of 2664 2812 djdjp.exe 35 PID 2812 wrote to memory of 2664 2812 djdjp.exe 35 PID 2664 wrote to memory of 2628 2664 c040280.exe 36 PID 2664 wrote to memory of 2628 2664 c040280.exe 36 PID 2664 wrote to memory of 2628 2664 c040280.exe 36 PID 2664 wrote to memory of 2628 2664 c040280.exe 36 PID 2628 wrote to memory of 1896 2628 rlxlrxr.exe 37 PID 2628 wrote to memory of 1896 2628 rlxlrxr.exe 37 PID 2628 wrote to memory of 1896 2628 rlxlrxr.exe 37 PID 2628 wrote to memory of 1896 2628 rlxlrxr.exe 37 PID 1896 wrote to memory of 1540 1896 48068.exe 38 PID 1896 wrote to 
memory of 1540 1896 48068.exe 38 PID 1896 wrote to memory of 1540 1896 48068.exe 38 PID 1896 wrote to memory of 1540 1896 48068.exe 38 PID 1540 wrote to memory of 1252 1540 5hnntt.exe 39 PID 1540 wrote to memory of 1252 1540 5hnntt.exe 39 PID 1540 wrote to memory of 1252 1540 5hnntt.exe 39 PID 1540 wrote to memory of 1252 1540 5hnntt.exe 39 PID 1252 wrote to memory of 2532 1252 bthhnn.exe 40 PID 1252 wrote to memory of 2532 1252 bthhnn.exe 40 PID 1252 wrote to memory of 2532 1252 bthhnn.exe 40 PID 1252 wrote to memory of 2532 1252 bthhnn.exe 40 PID 2532 wrote to memory of 1088 2532 0824068.exe 41 PID 2532 wrote to memory of 1088 2532 0824068.exe 41 PID 2532 wrote to memory of 1088 2532 0824068.exe 41 PID 2532 wrote to memory of 1088 2532 0824068.exe 41 PID 1088 wrote to memory of 1368 1088 8646880.exe 42 PID 1088 wrote to memory of 1368 1088 8646880.exe 42 PID 1088 wrote to memory of 1368 1088 8646880.exe 42 PID 1088 wrote to memory of 1368 1088 8646880.exe 42 PID 1368 wrote to memory of 2740 1368 nhnnth.exe 43 PID 1368 wrote to memory of 2740 1368 nhnnth.exe 43 PID 1368 wrote to memory of 2740 1368 nhnnth.exe 43 PID 1368 wrote to memory of 2740 1368 nhnnth.exe 43 PID 2740 wrote to memory of 2156 2740 82064.exe 44 PID 2740 wrote to memory of 2156 2740 82064.exe 44 PID 2740 wrote to memory of 2156 2740 82064.exe 44 PID 2740 wrote to memory of 2156 2740 82064.exe 44 PID 2156 wrote to memory of 2316 2156 2644628.exe 45 PID 2156 wrote to memory of 2316 2156 2644628.exe 45 PID 2156 wrote to memory of 2316 2156 2644628.exe 45 PID 2156 wrote to memory of 2316 2156 2644628.exe 45
Processes (process tree, 122 levels deep within the 120 s run: the sample writes each next-stage executable directly into the root of the system drive under a short pseudo-random name — e.g. \??\c:\86262.exe — and launches it, so each child becomes the parent of the next. Executables appearing in the root of C:\ with names of this shape are a useful hunting and detection pivot. Note that PIDs are reused later in the chain (e.g. 2692, 1252, 2280 each appear at more than one depth), so correlate on PID plus start time rather than PID alone.)
-
C:\Users\Admin\AppData\Local\Temp\dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe"C:\Users\Admin\AppData\Local\Temp\dec01ae6cd300ad44f94f8df2e1a1931f52c5c41a405bfc5cfa21fb7db92a80b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\86262.exec:\86262.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\66020.exec:\66020.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\640006.exec:\640006.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\1tthnn.exec:\1tthnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\djdjp.exec:\djdjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\c040280.exec:\c040280.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\rlxlrxr.exec:\rlxlrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\48068.exec:\48068.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\5hnntt.exec:\5hnntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\bthhnn.exec:\bthhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\0824068.exec:\0824068.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\8646880.exec:\8646880.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\nhnnth.exec:\nhnnth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\82064.exec:\82064.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\2644628.exec:\2644628.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\ffrrrrx.exec:\ffrrrrx.exe17⤵
- Executes dropped EXE
PID:2316 -
\??\c:\4888620.exec:\4888620.exe18⤵
- Executes dropped EXE
PID:1768 -
\??\c:\thtthn.exec:\thtthn.exe19⤵
- Executes dropped EXE
PID:2520 -
\??\c:\lffrxxf.exec:\lffrxxf.exe20⤵
- Executes dropped EXE
PID:2100 -
\??\c:\pjjpp.exec:\pjjpp.exe21⤵
- Executes dropped EXE
PID:2396 -
\??\c:\48646.exec:\48646.exe22⤵
- Executes dropped EXE
PID:1660 -
\??\c:\662428.exec:\662428.exe23⤵
- Executes dropped EXE
PID:1820 -
\??\c:\046206.exec:\046206.exe24⤵
- Executes dropped EXE
PID:1384 -
\??\c:\i428668.exec:\i428668.exe25⤵
- Executes dropped EXE
PID:2292 -
\??\c:\0844062.exec:\0844062.exe26⤵
- Executes dropped EXE
PID:1392 -
\??\c:\djvpv.exec:\djvpv.exe27⤵
- Executes dropped EXE
PID:1972 -
\??\c:\5xrfffr.exec:\5xrfffr.exe28⤵
- Executes dropped EXE
PID:2636 -
\??\c:\lrfrlrl.exec:\lrfrlrl.exe29⤵
- Executes dropped EXE
PID:2492 -
\??\c:\nnhhnb.exec:\nnhhnb.exe30⤵
- Executes dropped EXE
PID:2284 -
\??\c:\8868624.exec:\8868624.exe31⤵
- Executes dropped EXE
PID:1496 -
\??\c:\420644.exec:\420644.exe32⤵
- Executes dropped EXE
PID:1912 -
\??\c:\42284.exec:\42284.exe33⤵
- Executes dropped EXE
PID:888 -
\??\c:\8206846.exec:\8206846.exe34⤵
- Executes dropped EXE
PID:2340 -
\??\c:\028628.exec:\028628.exe35⤵
- Executes dropped EXE
PID:2168 -
\??\c:\042840.exec:\042840.exe36⤵
- Executes dropped EXE
PID:2700 -
\??\c:\860246.exec:\860246.exe37⤵
- Executes dropped EXE
PID:2864 -
\??\c:\3dvjd.exec:\3dvjd.exe38⤵
- Executes dropped EXE
PID:2692 -
\??\c:\26624.exec:\26624.exe39⤵
- Executes dropped EXE
PID:2840 -
\??\c:\hhhhbn.exec:\hhhhbn.exe40⤵
- Executes dropped EXE
PID:1704 -
\??\c:\jjjvj.exec:\jjjvj.exe41⤵
- Executes dropped EXE
PID:2928 -
\??\c:\86284.exec:\86284.exe42⤵
- Executes dropped EXE
PID:2568 -
\??\c:\xxrxllx.exec:\xxrxllx.exe43⤵
- Executes dropped EXE
PID:2232 -
\??\c:\888602.exec:\888602.exe44⤵
- Executes dropped EXE
PID:2084 -
\??\c:\3xlrxfl.exec:\3xlrxfl.exe45⤵
- Executes dropped EXE
PID:1212 -
\??\c:\9ppjv.exec:\9ppjv.exe46⤵
- Executes dropped EXE
PID:2908 -
\??\c:\dvpvp.exec:\dvpvp.exe47⤵
- Executes dropped EXE
PID:1228 -
\??\c:\a8246.exec:\a8246.exe48⤵
- Executes dropped EXE
PID:1252 -
\??\c:\2606868.exec:\2606868.exe49⤵
- Executes dropped EXE
PID:1892 -
\??\c:\vpjpv.exec:\vpjpv.exe50⤵
- Executes dropped EXE
PID:1004 -
\??\c:\vvpvp.exec:\vvpvp.exe51⤵
- Executes dropped EXE
PID:2732 -
\??\c:\c044286.exec:\c044286.exe52⤵
- Executes dropped EXE
PID:2900 -
\??\c:\808462.exec:\808462.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2740 -
\??\c:\2842680.exec:\2842680.exe54⤵
- Executes dropped EXE
PID:2368 -
\??\c:\2080824.exec:\2080824.exe55⤵
- Executes dropped EXE
PID:1868 -
\??\c:\nnhhbh.exec:\nnhhbh.exe56⤵
- Executes dropped EXE
PID:2356 -
\??\c:\vpddj.exec:\vpddj.exe57⤵
- Executes dropped EXE
PID:2476 -
\??\c:\26020.exec:\26020.exe58⤵
- Executes dropped EXE
PID:2196 -
\??\c:\7dvvd.exec:\7dvvd.exe59⤵
- Executes dropped EXE
PID:2296 -
\??\c:\8646440.exec:\8646440.exe60⤵
- Executes dropped EXE
PID:2236 -
\??\c:\046840.exec:\046840.exe61⤵
- Executes dropped EXE
PID:2184 -
\??\c:\8602064.exec:\8602064.exe62⤵
- Executes dropped EXE
PID:1884 -
\??\c:\60808.exec:\60808.exe63⤵
- Executes dropped EXE
PID:996 -
\??\c:\24222.exec:\24222.exe64⤵
- Executes dropped EXE
PID:768 -
\??\c:\ffflfrf.exec:\ffflfrf.exe65⤵
- Executes dropped EXE
PID:884 -
\??\c:\086200.exec:\086200.exe66⤵PID:1048
-
\??\c:\u002620.exec:\u002620.exe67⤵PID:1548
-
\??\c:\3bhthn.exec:\3bhthn.exe68⤵PID:1564
-
\??\c:\lllxxxf.exec:\lllxxxf.exe69⤵PID:2256
-
\??\c:\26402.exec:\26402.exe70⤵PID:1604
-
\??\c:\ddvdp.exec:\ddvdp.exe71⤵PID:3000
-
\??\c:\7vvvd.exec:\7vvvd.exe72⤵PID:2304
-
\??\c:\jjjvj.exec:\jjjvj.exe73⤵PID:3024
-
\??\c:\pvpvp.exec:\pvpvp.exe74⤵PID:1076
-
\??\c:\hhhbbt.exec:\hhhbbt.exe75⤵PID:1992
-
\??\c:\i606886.exec:\i606886.exe76⤵PID:2644
-
\??\c:\82280.exec:\82280.exe77⤵PID:2280
-
\??\c:\1rllrrf.exec:\1rllrrf.exe78⤵PID:2760
-
\??\c:\82402.exec:\82402.exe79⤵PID:2748
-
\??\c:\rlfrxff.exec:\rlfrxff.exe80⤵PID:2656
-
\??\c:\nbnhth.exec:\nbnhth.exe81⤵PID:1616
-
\??\c:\tnbhtt.exec:\tnbhtt.exe82⤵PID:2692
-
\??\c:\flrxlrr.exec:\flrxlrr.exe83⤵PID:2576
-
\??\c:\vddjv.exec:\vddjv.exe84⤵PID:1632
-
\??\c:\04864.exec:\04864.exe85⤵PID:2928
-
\??\c:\8842402.exec:\8842402.exe86⤵PID:2572
-
\??\c:\lxlflrf.exec:\lxlflrf.exe87⤵PID:2232
-
\??\c:\5tnntn.exec:\5tnntn.exe88⤵PID:2344
-
\??\c:\42806.exec:\42806.exe89⤵PID:1212
-
\??\c:\482846.exec:\482846.exe90⤵PID:1896
-
\??\c:\hhbthh.exec:\hhbthh.exe91⤵PID:1140
-
\??\c:\jpjpj.exec:\jpjpj.exe92⤵
- System Location Discovery: System Language Discovery
PID:3012 -
\??\c:\bbnnbb.exec:\bbnnbb.exe93⤵PID:2216
-
\??\c:\6828068.exec:\6828068.exe94⤵PID:900
-
\??\c:\48246.exec:\48246.exe95⤵PID:2868
-
\??\c:\btbnhn.exec:\btbnhn.exe96⤵PID:2804
-
\??\c:\vdvjp.exec:\vdvjp.exe97⤵PID:1100
-
\??\c:\rrflflx.exec:\rrflflx.exe98⤵PID:2888
-
\??\c:\0246684.exec:\0246684.exe99⤵PID:2592
-
\??\c:\xxfffff.exec:\xxfffff.exe100⤵PID:2228
-
\??\c:\6688046.exec:\6688046.exe101⤵PID:1920
-
\??\c:\048624.exec:\048624.exe102⤵PID:2192
-
\??\c:\86406.exec:\86406.exe103⤵PID:1876
-
\??\c:\9frxrrl.exec:\9frxrrl.exe104⤵PID:2188
-
\??\c:\bnnhnh.exec:\bnnhnh.exe105⤵PID:1348
-
\??\c:\82006.exec:\82006.exe106⤵PID:1816
-
\??\c:\jjvvd.exec:\jjvvd.exe107⤵PID:1648
-
\??\c:\8206846.exec:\8206846.exe108⤵PID:920
-
\??\c:\hnnbht.exec:\hnnbht.exe109⤵
- System Location Discovery: System Language Discovery
PID:1716 -
\??\c:\lfflxfx.exec:\lfflxfx.exe110⤵PID:2104
-
\??\c:\8660402.exec:\8660402.exe111⤵PID:1976
-
\??\c:\djpdj.exec:\djpdj.exe112⤵PID:1980
-
\??\c:\5vjvv.exec:\5vjvv.exe113⤵PID:1972
-
\??\c:\020066.exec:\020066.exe114⤵PID:2612
-
\??\c:\rlxrxrx.exec:\rlxrxrx.exe115⤵PID:648
-
\??\c:\bthhnn.exec:\bthhnn.exe116⤵PID:1464
-
\??\c:\4266828.exec:\4266828.exe117⤵PID:2304
-
\??\c:\tnntnt.exec:\tnntnt.exe118⤵PID:1296
-
\??\c:\o480620.exec:\o480620.exe119⤵PID:1496
-
\??\c:\bnbbhh.exec:\bnbbhh.exe120⤵PID:896
-
\??\c:\0468668.exec:\0468668.exe121⤵PID:2756
-
\??\c:\20846.exec:\20846.exe122⤵PID:2340