Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 02:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
860b943bccff2152aaee105123e57b974c5f623757589997c39dea4cc8441cb0N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
860b943bccff2152aaee105123e57b974c5f623757589997c39dea4cc8441cb0N.exe
-
Size
454KB
-
MD5
24bfa7eb216f423710f0bb88f6207010
-
SHA1
ae7368e5502e06875dc6fff647ba86afb7e6890e
-
SHA256
860b943bccff2152aaee105123e57b974c5f623757589997c39dea4cc8441cb0
-
SHA512
44b32493285aaa7c585693c454d8def370614954e7d62b3fe5942fd9776cbcf6571fe8fb68c8403f61d6cb9af894ad44ba3b0576da6bb373005da8d2c6107e73
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2908-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-174-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1008-198-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1008-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/764-222-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/764-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1584-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-372-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2116-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/656-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-604-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2568-693-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1340-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-848-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2632-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-893-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-913-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/668-926-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2200-940-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1472-995-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2328 1pvjj.exe 2632 64662.exe 2876 lxlrrlx.exe 2772 0800224.exe 2692 ddppd.exe 2704 tnhhtt.exe 876 8684402.exe 2892 rlffrlr.exe 2428 9tbhbb.exe 2120 s4280.exe 1620 lxxrlll.exe 3000 8640280.exe 1776 nhttbh.exe 2884 264404.exe 1604 4200628.exe 3056 60280.exe 1536 42222.exe 2076 4864626.exe 1540 e42248.exe 1008 m8224.exe 2524 2004808.exe 1952 m8440.exe 764 480622.exe 1680 e20026.exe 1584 q60460.exe 2488 vpjjd.exe 2528 m0228.exe 2020 4220604.exe 1188 0806224.exe 1652 60402.exe 2372 fxrxlxl.exe 1512 xffrllr.exe 2768 g2002.exe 2820 20880.exe 3032 pjvvd.exe 2956 042462.exe 948 dvddj.exe 2732 824684.exe 2712 20824.exe 1908 nnhthh.exe 300 k82224.exe 876 thbbhb.exe 2228 w28882.exe 2152 m6262.exe 2400 8684822.exe 2600 64806.exe 2856 046660.exe 760 hbnntt.exe 1472 dvddv.exe 2896 vpddd.exe 2868 680844.exe 2116 82440.exe 3052 m6002.exe 1940 1rxlllr.exe 108 5ffllll.exe 1020 4822224.exe 2080 7dpvd.exe 2640 e20688.exe 448 7rffffx.exe 2440 rlrxflr.exe 1300 rlrrxxf.exe 1444 pvvdp.exe 1720 xxlxflx.exe 2464 lfxrrxr.exe -
resource yara_rule behavioral1/memory/2908-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-289-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1512-303-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1512-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1188-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-810-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-894-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-933-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2088-1033-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-1046-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-1065-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 464464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfll.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w82800.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2908 wrote to memory of 2328 2908 860b943bccff2152aaee105123e57b974c5f623757589997c39dea4cc8441cb0N.exe 30 PID 2908 wrote to memory of 2328 2908 860b943bccff2152aaee105123e57b974c5f623757589997c39dea4cc8441cb0N.exe 30 PID 2908 wrote to memory of 2328 2908 860b943bccff2152aaee105123e57b974c5f623757589997c39dea4cc8441cb0N.exe 30 PID 2908 wrote to memory of 2328 2908 860b943bccff2152aaee105123e57b974c5f623757589997c39dea4cc8441cb0N.exe 30 PID 2328 wrote to memory of 2632 2328 1pvjj.exe 31 PID 2328 wrote to memory of 2632 2328 1pvjj.exe 31 PID 2328 wrote to memory of 2632 2328 1pvjj.exe 31 PID 2328 wrote to memory of 2632 2328 1pvjj.exe 31 PID 2632 wrote to memory of 2876 2632 64662.exe 32 PID 2632 wrote to memory of 2876 2632 64662.exe 32 PID 2632 wrote to memory of 2876 2632 64662.exe 32 PID 2632 wrote to memory of 2876 2632 64662.exe 32 PID 2876 wrote to memory of 2772 2876 lxlrrlx.exe 33 PID 2876 wrote to memory of 2772 2876 lxlrrlx.exe 33 PID 2876 wrote to memory of 2772 2876 lxlrrlx.exe 33 PID 2876 wrote to memory of 2772 2876 lxlrrlx.exe 33 PID 2772 wrote to memory of 2692 2772 0800224.exe 34 PID 2772 wrote to memory of 2692 2772 0800224.exe 34 PID 2772 wrote to memory of 2692 2772 0800224.exe 34 PID 2772 wrote to memory of 2692 2772 0800224.exe 34 PID 2692 wrote to memory of 2704 2692 ddppd.exe 35 PID 2692 wrote to memory of 2704 2692 ddppd.exe 35 PID 2692 wrote to memory of 2704 2692 ddppd.exe 35 PID 2692 wrote to memory of 2704 2692 ddppd.exe 35 PID 2704 wrote to memory of 876 2704 tnhhtt.exe 36 PID 2704 wrote to memory of 876 2704 tnhhtt.exe 36 PID 2704 wrote to memory of 876 2704 tnhhtt.exe 36 PID 2704 wrote to memory of 876 2704 tnhhtt.exe 36 PID 876 wrote to memory of 2892 876 8684402.exe 37 PID 876 wrote to memory of 2892 876 8684402.exe 37 PID 876 wrote to memory of 2892 876 8684402.exe 37 PID 876 wrote to memory of 2892 876 8684402.exe 37 PID 2892 wrote to memory of 2428 2892 rlffrlr.exe 38 PID 2892 wrote to 
memory of 2428 2892 rlffrlr.exe 38 PID 2892 wrote to memory of 2428 2892 rlffrlr.exe 38 PID 2892 wrote to memory of 2428 2892 rlffrlr.exe 38 PID 2428 wrote to memory of 2120 2428 9tbhbb.exe 39 PID 2428 wrote to memory of 2120 2428 9tbhbb.exe 39 PID 2428 wrote to memory of 2120 2428 9tbhbb.exe 39 PID 2428 wrote to memory of 2120 2428 9tbhbb.exe 39 PID 2120 wrote to memory of 1620 2120 s4280.exe 40 PID 2120 wrote to memory of 1620 2120 s4280.exe 40 PID 2120 wrote to memory of 1620 2120 s4280.exe 40 PID 2120 wrote to memory of 1620 2120 s4280.exe 40 PID 1620 wrote to memory of 3000 1620 lxxrlll.exe 41 PID 1620 wrote to memory of 3000 1620 lxxrlll.exe 41 PID 1620 wrote to memory of 3000 1620 lxxrlll.exe 41 PID 1620 wrote to memory of 3000 1620 lxxrlll.exe 41 PID 3000 wrote to memory of 1776 3000 8640280.exe 42 PID 3000 wrote to memory of 1776 3000 8640280.exe 42 PID 3000 wrote to memory of 1776 3000 8640280.exe 42 PID 3000 wrote to memory of 1776 3000 8640280.exe 42 PID 1776 wrote to memory of 2884 1776 nhttbh.exe 43 PID 1776 wrote to memory of 2884 1776 nhttbh.exe 43 PID 1776 wrote to memory of 2884 1776 nhttbh.exe 43 PID 1776 wrote to memory of 2884 1776 nhttbh.exe 43 PID 2884 wrote to memory of 1604 2884 264404.exe 44 PID 2884 wrote to memory of 1604 2884 264404.exe 44 PID 2884 wrote to memory of 1604 2884 264404.exe 44 PID 2884 wrote to memory of 1604 2884 264404.exe 44 PID 1604 wrote to memory of 3056 1604 4200628.exe 45 PID 1604 wrote to memory of 3056 1604 4200628.exe 45 PID 1604 wrote to memory of 3056 1604 4200628.exe 45 PID 1604 wrote to memory of 3056 1604 4200628.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\860b943bccff2152aaee105123e57b974c5f623757589997c39dea4cc8441cb0N.exe"C:\Users\Admin\AppData\Local\Temp\860b943bccff2152aaee105123e57b974c5f623757589997c39dea4cc8441cb0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\1pvjj.exec:\1pvjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\64662.exec:\64662.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\lxlrrlx.exec:\lxlrrlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\0800224.exec:\0800224.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\ddppd.exec:\ddppd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\tnhhtt.exec:\tnhhtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\8684402.exec:\8684402.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\rlffrlr.exec:\rlffrlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\9tbhbb.exec:\9tbhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\s4280.exec:\s4280.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\lxxrlll.exec:\lxxrlll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\8640280.exec:\8640280.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\nhttbh.exec:\nhttbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\264404.exec:\264404.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\4200628.exec:\4200628.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\60280.exec:\60280.exe17⤵
- Executes dropped EXE
PID:3056 -
\??\c:\42222.exec:\42222.exe18⤵
- Executes dropped EXE
PID:1536 -
\??\c:\4864626.exec:\4864626.exe19⤵
- Executes dropped EXE
PID:2076 -
\??\c:\e42248.exec:\e42248.exe20⤵
- Executes dropped EXE
PID:1540 -
\??\c:\m8224.exec:\m8224.exe21⤵
- Executes dropped EXE
PID:1008 -
\??\c:\2004808.exec:\2004808.exe22⤵
- Executes dropped EXE
PID:2524 -
\??\c:\m8440.exec:\m8440.exe23⤵
- Executes dropped EXE
PID:1952 -
\??\c:\480622.exec:\480622.exe24⤵
- Executes dropped EXE
PID:764 -
\??\c:\e20026.exec:\e20026.exe25⤵
- Executes dropped EXE
PID:1680 -
\??\c:\q60460.exec:\q60460.exe26⤵
- Executes dropped EXE
PID:1584 -
\??\c:\vpjjd.exec:\vpjjd.exe27⤵
- Executes dropped EXE
PID:2488 -
\??\c:\m0228.exec:\m0228.exe28⤵
- Executes dropped EXE
PID:2528 -
\??\c:\4220604.exec:\4220604.exe29⤵
- Executes dropped EXE
PID:2020 -
\??\c:\0806224.exec:\0806224.exe30⤵
- Executes dropped EXE
PID:1188 -
\??\c:\60402.exec:\60402.exe31⤵
- Executes dropped EXE
PID:1652 -
\??\c:\fxrxlxl.exec:\fxrxlxl.exe32⤵
- Executes dropped EXE
PID:2372 -
\??\c:\xffrllr.exec:\xffrllr.exe33⤵
- Executes dropped EXE
PID:1512 -
\??\c:\g2002.exec:\g2002.exe34⤵
- Executes dropped EXE
PID:2768 -
\??\c:\20880.exec:\20880.exe35⤵
- Executes dropped EXE
PID:2820 -
\??\c:\pjvvd.exec:\pjvvd.exe36⤵
- Executes dropped EXE
PID:3032 -
\??\c:\042462.exec:\042462.exe37⤵
- Executes dropped EXE
PID:2956 -
\??\c:\dvddj.exec:\dvddj.exe38⤵
- Executes dropped EXE
PID:948 -
\??\c:\824684.exec:\824684.exe39⤵
- Executes dropped EXE
PID:2732 -
\??\c:\20824.exec:\20824.exe40⤵
- Executes dropped EXE
PID:2712 -
\??\c:\nnhthh.exec:\nnhthh.exe41⤵
- Executes dropped EXE
PID:1908 -
\??\c:\k82224.exec:\k82224.exe42⤵
- Executes dropped EXE
PID:300 -
\??\c:\thbbhb.exec:\thbbhb.exe43⤵
- Executes dropped EXE
PID:876 -
\??\c:\w28882.exec:\w28882.exe44⤵
- Executes dropped EXE
PID:2228 -
\??\c:\m6262.exec:\m6262.exe45⤵
- Executes dropped EXE
PID:2152 -
\??\c:\8684822.exec:\8684822.exe46⤵
- Executes dropped EXE
PID:2400 -
\??\c:\64806.exec:\64806.exe47⤵
- Executes dropped EXE
PID:2600 -
\??\c:\046660.exec:\046660.exe48⤵
- Executes dropped EXE
PID:2856 -
\??\c:\hbnntt.exec:\hbnntt.exe49⤵
- Executes dropped EXE
PID:760 -
\??\c:\dvddv.exec:\dvddv.exe50⤵
- Executes dropped EXE
PID:1472 -
\??\c:\vpddd.exec:\vpddd.exe51⤵
- Executes dropped EXE
PID:2896 -
\??\c:\680844.exec:\680844.exe52⤵
- Executes dropped EXE
PID:2868 -
\??\c:\82440.exec:\82440.exe53⤵
- Executes dropped EXE
PID:2116 -
\??\c:\m6002.exec:\m6002.exe54⤵
- Executes dropped EXE
PID:3052 -
\??\c:\1rxlllr.exec:\1rxlllr.exe55⤵
- Executes dropped EXE
PID:1940 -
\??\c:\5ffllll.exec:\5ffllll.exe56⤵
- Executes dropped EXE
PID:108 -
\??\c:\4822224.exec:\4822224.exe57⤵
- Executes dropped EXE
PID:1020 -
\??\c:\7dpvd.exec:\7dpvd.exe58⤵
- Executes dropped EXE
PID:2080 -
\??\c:\e20688.exec:\e20688.exe59⤵
- Executes dropped EXE
PID:2640 -
\??\c:\7rffffx.exec:\7rffffx.exe60⤵
- Executes dropped EXE
PID:448 -
\??\c:\rlrxflr.exec:\rlrxflr.exe61⤵
- Executes dropped EXE
PID:2440 -
\??\c:\rlrrxxf.exec:\rlrrxxf.exe62⤵
- Executes dropped EXE
PID:1300 -
\??\c:\pvvdp.exec:\pvvdp.exe63⤵
- Executes dropped EXE
PID:1444 -
\??\c:\xxlxflx.exec:\xxlxflx.exe64⤵
- Executes dropped EXE
PID:1720 -
\??\c:\lfxrrxr.exec:\lfxrrxr.exe65⤵
- Executes dropped EXE
PID:2464 -
\??\c:\864882.exec:\864882.exe66⤵PID:656
-
\??\c:\9tbhhh.exec:\9tbhhh.exe67⤵PID:896
-
\??\c:\tnhhtn.exec:\tnhhtn.exe68⤵PID:696
-
\??\c:\w62604.exec:\w62604.exe69⤵PID:2376
-
\??\c:\djpvv.exec:\djpvv.exe70⤵PID:2528
-
\??\c:\1rflxxf.exec:\1rflxxf.exe71⤵PID:2348
-
\??\c:\u024680.exec:\u024680.exe72⤵PID:1188
-
\??\c:\frxrxxf.exec:\frxrxxf.exe73⤵PID:2628
-
\??\c:\e24006.exec:\e24006.exe74⤵PID:2384
-
\??\c:\7jvvj.exec:\7jvvj.exe75⤵PID:2236
-
\??\c:\i864000.exec:\i864000.exe76⤵PID:2392
-
\??\c:\a6440.exec:\a6440.exe77⤵PID:2960
-
\??\c:\862282.exec:\862282.exe78⤵PID:2632
-
\??\c:\a6444.exec:\a6444.exe79⤵PID:2796
-
\??\c:\nhtbbb.exec:\nhtbbb.exe80⤵PID:2664
-
\??\c:\646688.exec:\646688.exe81⤵PID:2736
-
\??\c:\rxlrrrx.exec:\rxlrrrx.exe82⤵PID:2716
-
\??\c:\0866662.exec:\0866662.exe83⤵PID:1708
-
\??\c:\btnntb.exec:\btnntb.exe84⤵PID:1072
-
\??\c:\8642060.exec:\8642060.exe85⤵PID:692
-
\??\c:\8622262.exec:\8622262.exe86⤵PID:2344
-
\??\c:\m2000.exec:\m2000.exe87⤵PID:876
-
\??\c:\264022.exec:\264022.exe88⤵PID:1872
-
\??\c:\020888.exec:\020888.exe89⤵PID:2152
-
\??\c:\i828402.exec:\i828402.exe90⤵PID:912
-
\??\c:\i644068.exec:\i644068.exe91⤵PID:1228
-
\??\c:\pdppp.exec:\pdppp.exe92⤵PID:2856
-
\??\c:\7hhbhb.exec:\7hhbhb.exe93⤵PID:2568
-
\??\c:\208404.exec:\208404.exe94⤵PID:2648
-
\??\c:\4206228.exec:\4206228.exe95⤵PID:2860
-
\??\c:\o644006.exec:\o644006.exe96⤵PID:2840
-
\??\c:\2600884.exec:\2600884.exe97⤵PID:3064
-
\??\c:\xrflrrl.exec:\xrflrrl.exe98⤵PID:1340
-
\??\c:\646206.exec:\646206.exe99⤵PID:1940
-
\??\c:\8644006.exec:\8644006.exe100⤵PID:1004
-
\??\c:\w86062.exec:\w86062.exe101⤵PID:1020
-
\??\c:\08220.exec:\08220.exe102⤵PID:1540
-
\??\c:\htnntt.exec:\htnntt.exe103⤵PID:2088
-
\??\c:\7hbttb.exec:\7hbttb.exe104⤵PID:2004
-
\??\c:\a4280.exec:\a4280.exe105⤵PID:1568
-
\??\c:\c084668.exec:\c084668.exe106⤵PID:1200
-
\??\c:\2060006.exec:\2060006.exe107⤵PID:1632
-
\??\c:\dpdjj.exec:\dpdjj.exe108⤵PID:1916
-
\??\c:\thnthn.exec:\thnthn.exe109⤵PID:608
-
\??\c:\lllrffr.exec:\lllrffr.exe110⤵PID:1132
-
\??\c:\648804.exec:\648804.exe111⤵PID:1156
-
\??\c:\0800228.exec:\0800228.exe112⤵PID:2224
-
\??\c:\20840.exec:\20840.exe113⤵PID:328
-
\??\c:\8228068.exec:\8228068.exe114⤵PID:1920
-
\??\c:\3vddp.exec:\3vddp.exe115⤵PID:2348
-
\??\c:\086622.exec:\086622.exe116⤵PID:1412
-
\??\c:\ppvdj.exec:\ppvdj.exe117⤵PID:2372
-
\??\c:\862048.exec:\862048.exe118⤵PID:2908
-
\??\c:\a2668.exec:\a2668.exe119⤵PID:1512
-
\??\c:\64228.exec:\64228.exe120⤵PID:2944
-
\??\c:\204062.exec:\204062.exe121⤵PID:2820
-
\??\c:\o684006.exec:\o684006.exe122⤵PID:2632