Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 00:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe
-
Size
453KB
-
MD5
e86944fd01d67e75db3dc8bcb51a3eef
-
SHA1
47fa15207d2d7d54fa3a120a17ffe0b6da1547ba
-
SHA256
0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3
-
SHA512
ed421fcb45bc77dd35d6c69aedeeada7a31ddd6a80642ce692914bcca4c0572f7203340c089b0f70334b1224539598173a1ce4fb533187989be854d55c21e809
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2560-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/108-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/860-425-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2808-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-399-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-360-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2936-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-320-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2956-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-305-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1672-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-291-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1220-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1224-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-170-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/372-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-151-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2972-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-116-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2684-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/860-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2088-985-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2352 xxlrflx.exe 2540 5jvvd.exe 2104 k42800.exe 2840 20884.exe 2180 s6402.exe 2664 jjdjd.exe 3056 0462484.exe 2684 bbbhhn.exe 2672 w46840.exe 2204 82440.exe 108 hhbhtb.exe 1872 s0268.exe 2972 jdvdj.exe 1512 48660.exe 3004 ttntbn.exe 2692 pvvdj.exe 372 8600284.exe 1572 rrflxfr.exe 2268 5nhnth.exe 2080 868806.exe 1224 i824402.exe 2584 1pppv.exe 2088 lfrxfff.exe 852 24660.exe 1168 2062884.exe 1460 462226.exe 2132 u248440.exe 1220 dpdjj.exe 2320 868222.exe 1984 q46008.exe 1648 frrlrlr.exe 1672 8648482.exe 1520 w48848.exe 2092 2448228.exe 2956 e42688.exe 2740 vjjvd.exe 2936 3tbnnb.exe 2844 4862228.exe 2928 xxlrxxf.exe 2952 q64404.exe 2748 3ppjj.exe 2632 o460600.exe 2460 e46066.exe 1764 424444.exe 2848 868822.exe 1416 bntnhh.exe 2168 7flllff.exe 2448 w64406.exe 3032 rlxrlxl.exe 2808 vpdvv.exe 1232 dpvjj.exe 860 3lfxflr.exe 1084 0844006.exe 2368 jvjjp.exe 2244 vjppp.exe 2544 08882.exe 2084 rfxrxfl.exe 2960 q02804.exe 2884 btbbbb.exe 1248 bntttn.exe 1484 680444.exe 2132 vvjjj.exe 1428 vppvj.exe 2164 w46888.exe -
resource yara_rule behavioral1/memory/2560-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-425-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2808-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-399-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2848-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-320-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2956-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-310-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2092-305-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1672-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-291-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1220-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/372-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-151-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2972-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1428-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-985-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-1058-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-1101-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2944-1114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-1223-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4260600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8622606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4460606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2560 wrote to memory of 2352 2560 0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe 31 PID 2560 wrote to memory of 2352 2560 0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe 31 PID 2560 wrote to memory of 2352 2560 0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe 31 PID 2560 wrote to memory of 2352 2560 0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe 31 PID 2352 wrote to memory of 2540 2352 xxlrflx.exe 32 PID 2352 wrote to memory of 2540 2352 xxlrflx.exe 32 PID 2352 wrote to memory of 2540 2352 xxlrflx.exe 32 PID 2352 wrote to memory of 2540 2352 xxlrflx.exe 32 PID 2540 wrote to memory of 2104 2540 5jvvd.exe 33 PID 2540 wrote to memory of 2104 2540 5jvvd.exe 33 PID 2540 wrote to memory of 2104 2540 5jvvd.exe 33 PID 2540 wrote to memory of 2104 2540 5jvvd.exe 33 PID 2104 wrote to memory of 2840 2104 k42800.exe 34 PID 2104 wrote to memory of 2840 2104 k42800.exe 34 PID 2104 wrote to memory of 2840 2104 k42800.exe 34 PID 2104 wrote to memory of 2840 2104 k42800.exe 34 PID 2840 wrote to memory of 2180 2840 20884.exe 35 PID 2840 wrote to memory of 2180 2840 20884.exe 35 PID 2840 wrote to memory of 2180 2840 20884.exe 35 PID 2840 wrote to memory of 2180 2840 20884.exe 35 PID 2180 wrote to memory of 2664 2180 s6402.exe 36 PID 2180 wrote to memory of 2664 2180 s6402.exe 36 PID 2180 wrote to memory of 2664 2180 s6402.exe 36 PID 2180 wrote to memory of 2664 2180 s6402.exe 36 PID 2664 wrote to memory of 3056 2664 jjdjd.exe 37 PID 2664 wrote to memory of 3056 2664 jjdjd.exe 37 PID 2664 wrote to memory of 3056 2664 jjdjd.exe 37 PID 2664 wrote to memory of 3056 2664 jjdjd.exe 37 PID 3056 wrote to memory of 2684 3056 0462484.exe 38 PID 3056 wrote to memory of 2684 3056 0462484.exe 38 PID 3056 wrote to memory of 2684 3056 0462484.exe 38 PID 3056 wrote to memory of 2684 3056 0462484.exe 38 PID 2684 wrote to memory of 2672 2684 bbbhhn.exe 39 PID 2684 wrote to 
memory of 2672 2684 bbbhhn.exe 39 PID 2684 wrote to memory of 2672 2684 bbbhhn.exe 39 PID 2684 wrote to memory of 2672 2684 bbbhhn.exe 39 PID 2672 wrote to memory of 2204 2672 w46840.exe 40 PID 2672 wrote to memory of 2204 2672 w46840.exe 40 PID 2672 wrote to memory of 2204 2672 w46840.exe 40 PID 2672 wrote to memory of 2204 2672 w46840.exe 40 PID 2204 wrote to memory of 108 2204 82440.exe 41 PID 2204 wrote to memory of 108 2204 82440.exe 41 PID 2204 wrote to memory of 108 2204 82440.exe 41 PID 2204 wrote to memory of 108 2204 82440.exe 41 PID 108 wrote to memory of 1872 108 hhbhtb.exe 42 PID 108 wrote to memory of 1872 108 hhbhtb.exe 42 PID 108 wrote to memory of 1872 108 hhbhtb.exe 42 PID 108 wrote to memory of 1872 108 hhbhtb.exe 42 PID 1872 wrote to memory of 2972 1872 s0268.exe 43 PID 1872 wrote to memory of 2972 1872 s0268.exe 43 PID 1872 wrote to memory of 2972 1872 s0268.exe 43 PID 1872 wrote to memory of 2972 1872 s0268.exe 43 PID 2972 wrote to memory of 1512 2972 jdvdj.exe 44 PID 2972 wrote to memory of 1512 2972 jdvdj.exe 44 PID 2972 wrote to memory of 1512 2972 jdvdj.exe 44 PID 2972 wrote to memory of 1512 2972 jdvdj.exe 44 PID 1512 wrote to memory of 3004 1512 48660.exe 45 PID 1512 wrote to memory of 3004 1512 48660.exe 45 PID 1512 wrote to memory of 3004 1512 48660.exe 45 PID 1512 wrote to memory of 3004 1512 48660.exe 45 PID 3004 wrote to memory of 2692 3004 ttntbn.exe 46 PID 3004 wrote to memory of 2692 3004 ttntbn.exe 46 PID 3004 wrote to memory of 2692 3004 ttntbn.exe 46 PID 3004 wrote to memory of 2692 3004 ttntbn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe"C:\Users\Admin\AppData\Local\Temp\0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\xxlrflx.exec:\xxlrflx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\5jvvd.exec:\5jvvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\k42800.exec:\k42800.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\20884.exec:\20884.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\s6402.exec:\s6402.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\jjdjd.exec:\jjdjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\0462484.exec:\0462484.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\bbbhhn.exec:\bbbhhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\w46840.exec:\w46840.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\82440.exec:\82440.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\hhbhtb.exec:\hhbhtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:108 -
\??\c:\s0268.exec:\s0268.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\jdvdj.exec:\jdvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\48660.exec:\48660.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\ttntbn.exec:\ttntbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\pvvdj.exec:\pvvdj.exe17⤵
- Executes dropped EXE
PID:2692 -
\??\c:\8600284.exec:\8600284.exe18⤵
- Executes dropped EXE
PID:372 -
\??\c:\rrflxfr.exec:\rrflxfr.exe19⤵
- Executes dropped EXE
PID:1572 -
\??\c:\5nhnth.exec:\5nhnth.exe20⤵
- Executes dropped EXE
PID:2268 -
\??\c:\868806.exec:\868806.exe21⤵
- Executes dropped EXE
PID:2080 -
\??\c:\i824402.exec:\i824402.exe22⤵
- Executes dropped EXE
PID:1224 -
\??\c:\1pppv.exec:\1pppv.exe23⤵
- Executes dropped EXE
PID:2584 -
\??\c:\lfrxfff.exec:\lfrxfff.exe24⤵
- Executes dropped EXE
PID:2088 -
\??\c:\24660.exec:\24660.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:852 -
\??\c:\2062884.exec:\2062884.exe26⤵
- Executes dropped EXE
PID:1168 -
\??\c:\462226.exec:\462226.exe27⤵
- Executes dropped EXE
PID:1460 -
\??\c:\u248440.exec:\u248440.exe28⤵
- Executes dropped EXE
PID:2132 -
\??\c:\dpdjj.exec:\dpdjj.exe29⤵
- Executes dropped EXE
PID:1220 -
\??\c:\868222.exec:\868222.exe30⤵
- Executes dropped EXE
PID:2320 -
\??\c:\q46008.exec:\q46008.exe31⤵
- Executes dropped EXE
PID:1984 -
\??\c:\frrlrlr.exec:\frrlrlr.exe32⤵
- Executes dropped EXE
PID:1648 -
\??\c:\8648482.exec:\8648482.exe33⤵
- Executes dropped EXE
PID:1672 -
\??\c:\w48848.exec:\w48848.exe34⤵
- Executes dropped EXE
PID:1520 -
\??\c:\2448228.exec:\2448228.exe35⤵
- Executes dropped EXE
PID:2092 -
\??\c:\e42688.exec:\e42688.exe36⤵
- Executes dropped EXE
PID:2956 -
\??\c:\vjjvd.exec:\vjjvd.exe37⤵
- Executes dropped EXE
PID:2740 -
\??\c:\3tbnnb.exec:\3tbnnb.exe38⤵
- Executes dropped EXE
PID:2936 -
\??\c:\4862228.exec:\4862228.exe39⤵
- Executes dropped EXE
PID:2844 -
\??\c:\xxlrxxf.exec:\xxlrxxf.exe40⤵
- Executes dropped EXE
PID:2928 -
\??\c:\q64404.exec:\q64404.exe41⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3ppjj.exec:\3ppjj.exe42⤵
- Executes dropped EXE
PID:2748 -
\??\c:\o460600.exec:\o460600.exe43⤵
- Executes dropped EXE
PID:2632 -
\??\c:\e46066.exec:\e46066.exe44⤵
- Executes dropped EXE
PID:2460 -
\??\c:\424444.exec:\424444.exe45⤵
- Executes dropped EXE
PID:1764 -
\??\c:\868822.exec:\868822.exe46⤵
- Executes dropped EXE
PID:2848 -
\??\c:\bntnhh.exec:\bntnhh.exe47⤵
- Executes dropped EXE
PID:1416 -
\??\c:\7flllff.exec:\7flllff.exe48⤵
- Executes dropped EXE
PID:2168 -
\??\c:\w64406.exec:\w64406.exe49⤵
- Executes dropped EXE
PID:2448 -
\??\c:\rlxrlxl.exec:\rlxrlxl.exe50⤵
- Executes dropped EXE
PID:3032 -
\??\c:\vpdvv.exec:\vpdvv.exe51⤵
- Executes dropped EXE
PID:2808 -
\??\c:\dpvjj.exec:\dpvjj.exe52⤵
- Executes dropped EXE
PID:1232 -
\??\c:\3lfxflr.exec:\3lfxflr.exe53⤵
- Executes dropped EXE
PID:860 -
\??\c:\0844006.exec:\0844006.exe54⤵
- Executes dropped EXE
PID:1084 -
\??\c:\jvjjp.exec:\jvjjp.exe55⤵
- Executes dropped EXE
PID:2368 -
\??\c:\vjppp.exec:\vjppp.exe56⤵
- Executes dropped EXE
PID:2244 -
\??\c:\08882.exec:\08882.exe57⤵
- Executes dropped EXE
PID:2544 -
\??\c:\rfxrxfl.exec:\rfxrxfl.exe58⤵
- Executes dropped EXE
PID:2084 -
\??\c:\q02804.exec:\q02804.exe59⤵
- Executes dropped EXE
PID:2960 -
\??\c:\btbbbb.exec:\btbbbb.exe60⤵
- Executes dropped EXE
PID:2884 -
\??\c:\bntttn.exec:\bntttn.exe61⤵
- Executes dropped EXE
PID:1248 -
\??\c:\680444.exec:\680444.exe62⤵
- Executes dropped EXE
PID:1484 -
\??\c:\vvjjj.exec:\vvjjj.exe63⤵
- Executes dropped EXE
PID:2132 -
\??\c:\vppvj.exec:\vppvj.exe64⤵
- Executes dropped EXE
PID:1428 -
\??\c:\w46888.exec:\w46888.exe65⤵
- Executes dropped EXE
PID:2164 -
\??\c:\xxflrlr.exec:\xxflrlr.exe66⤵PID:2888
-
\??\c:\nbhtbn.exec:\nbhtbn.exe67⤵PID:1648
-
\??\c:\frxxrlr.exec:\frxxrlr.exe68⤵PID:2100
-
\??\c:\4460606.exec:\4460606.exe69⤵
- System Location Discovery: System Language Discovery
PID:2252 -
\??\c:\i422822.exec:\i422822.exe70⤵PID:900
-
\??\c:\42822.exec:\42822.exe71⤵PID:1748
-
\??\c:\jvdvd.exec:\jvdvd.exe72⤵PID:2028
-
\??\c:\680066.exec:\680066.exe73⤵PID:680
-
\??\c:\k20066.exec:\k20066.exe74⤵PID:2568
-
\??\c:\vdvpp.exec:\vdvpp.exe75⤵PID:2928
-
\??\c:\1nnbth.exec:\1nnbth.exe76⤵PID:2772
-
\??\c:\2022228.exec:\2022228.exe77⤵PID:2792
-
\??\c:\2448260.exec:\2448260.exe78⤵PID:3044
-
\??\c:\pvdpd.exec:\pvdpd.exe79⤵PID:2780
-
\??\c:\jdpjp.exec:\jdpjp.exe80⤵PID:2524
-
\??\c:\4282822.exec:\4282822.exe81⤵PID:2796
-
\??\c:\vjppv.exec:\vjppv.exe82⤵PID:2628
-
\??\c:\vppvj.exec:\vppvj.exe83⤵PID:2240
-
\??\c:\jdpjd.exec:\jdpjd.exe84⤵PID:2452
-
\??\c:\tbnntn.exec:\tbnntn.exe85⤵PID:2800
-
\??\c:\646066.exec:\646066.exe86⤵PID:1172
-
\??\c:\k68844.exec:\k68844.exe87⤵PID:2808
-
\??\c:\7pddj.exec:\7pddj.exe88⤵PID:1232
-
\??\c:\fxrxxxl.exec:\fxrxxxl.exe89⤵PID:860
-
\??\c:\hbhnnt.exec:\hbhnnt.exe90⤵PID:2860
-
\??\c:\u248444.exec:\u248444.exe91⤵PID:1700
-
\??\c:\202244.exec:\202244.exe92⤵PID:2856
-
\??\c:\u066006.exec:\u066006.exe93⤵PID:1688
-
\??\c:\lfllrrx.exec:\lfllrrx.exe94⤵PID:2480
-
\??\c:\3ffffrr.exec:\3ffffrr.exe95⤵PID:2212
-
\??\c:\rlffrrx.exec:\rlffrrx.exe96⤵PID:2296
-
\??\c:\ddvjv.exec:\ddvjv.exe97⤵PID:2464
-
\??\c:\4200000.exec:\4200000.exe98⤵PID:2400
-
\??\c:\xlxxfxx.exec:\xlxxfxx.exe99⤵PID:2088
-
\??\c:\rlflllr.exec:\rlflllr.exe100⤵PID:2044
-
\??\c:\w64488.exec:\w64488.exe101⤵PID:572
-
\??\c:\hbnntt.exec:\hbnntt.exe102⤵PID:408
-
\??\c:\m0284.exec:\m0284.exe103⤵PID:1784
-
\??\c:\ppjjp.exec:\ppjjp.exe104⤵PID:2784
-
\??\c:\6462262.exec:\6462262.exe105⤵PID:1680
-
\??\c:\7ffrxxl.exec:\7ffrxxl.exe106⤵PID:1220
-
\??\c:\2408488.exec:\2408488.exe107⤵PID:2404
-
\??\c:\5xrrxxl.exec:\5xrrxxl.exe108⤵PID:2528
-
\??\c:\6860608.exec:\6860608.exe109⤵PID:468
-
\??\c:\frlfrrr.exec:\frlfrrr.exe110⤵PID:2888
-
\??\c:\s6468.exec:\s6468.exe111⤵PID:2280
-
\??\c:\k86288.exec:\k86288.exe112⤵PID:2100
-
\??\c:\tthnnn.exec:\tthnnn.exe113⤵PID:2252
-
\??\c:\nbttbb.exec:\nbttbb.exe114⤵PID:1528
-
\??\c:\pdddv.exec:\pdddv.exe115⤵PID:2060
-
\??\c:\20888.exec:\20888.exe116⤵PID:2936
-
\??\c:\7hhnhh.exec:\7hhnhh.exe117⤵PID:2248
-
\??\c:\0244606.exec:\0244606.exe118⤵PID:2920
-
\??\c:\xxllrxf.exec:\xxllrxf.exe119⤵PID:2916
-
\??\c:\hthtth.exec:\hthtth.exe120⤵PID:2772
-
\??\c:\4862840.exec:\4862840.exe121⤵PID:1864
-
\??\c:\5jpvv.exec:\5jpvv.exe122⤵PID:3044
-