Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
26-12-2024 01:56
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe
-
Size
454KB
-
MD5
92b85edd63f3f3b9ff3d3cf26e07a98d
-
SHA1
e2a4f3706f63af38adf2890f940c3b8368bafaec
-
SHA256
745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a
-
SHA512
5b40eee4c56632dfe41ab3deb9dd6afa2a69c08611cf71466bda6da6e627456dd4a0de109042977c1f1ce0c22303f071f65be27a93e16a02113dec4c3d796dd7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1272-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2612-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-429-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1828-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-519-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2256-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-543-0x0000000000280000-0x00000000002AA000-memory.dmp family_blackmoon behavioral1/memory/1416-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-820-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2424-848-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1608-863-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3012-919-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1752-1024-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/1636-1031-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/832-1062-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-1096-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/764-1111-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 620 jddvv.exe 2340 fxlxlfl.exe 1620 204844.exe 2232 c022266.exe 2880 s8002.exe 2848 8284628.exe 2264 7tthnb.exe 3036 w46626.exe 2748 w68808.exe 2744 86822.exe 3016 022286.exe 1784 4244000.exe 2792 3thhnn.exe 1956 e24688.exe 744 a6808.exe 2136 60884.exe 2364 q08866.exe 2732 1pddd.exe 1988 60664.exe 3064 608222.exe 1140 llffrrf.exe 2672 hhbbhh.exe 1624 8644406.exe 1900 a6002.exe 2448 086244.exe 736 7bhntt.exe 2484 2686882.exe 1316 1djjp.exe 552 e82800.exe 2000 1xllffl.exe 2080 nnnthn.exe 2612 vjvjd.exe 2552 7httbb.exe 1596 a0644.exe 2352 20262.exe 2572 rrflxxf.exe 2316 fxllxrl.exe 2872 084400.exe 2796 0862884.exe 2880 20228.exe 2840 bbbbnt.exe 2992 hbhntn.exe 2260 hthhtn.exe 3036 60280.exe 2980 042244.exe 2812 2400488.exe 2544 820066.exe 2528 vpvjj.exe 1100 m2662.exe 2908 26660.exe 2152 5vdvv.exe 1420 82284.exe 1828 5jvdp.exe 352 824888.exe 1928 7nbhnh.exe 2100 8644488.exe 2732 4222002.exe 2248 0240280.exe 2548 266840.exe 800 htnnbn.exe 336 480022.exe 1772 86806.exe 1304 3hnhhh.exe 3060 866622.exe -
resource yara_rule behavioral1/memory/1272-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/744-149-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/2364-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-205-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1140-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-429-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1828-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-849-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1752-999-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-1031-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/832-1062-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-1075-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-1118-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2426288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6424662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xrlrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u244000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1272 wrote to memory of 620 1272 745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe 30 PID 1272 wrote to memory of 620 1272 745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe 30 PID 1272 wrote to memory of 620 1272 745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe 30 PID 1272 wrote to memory of 620 1272 745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe 30 PID 620 wrote to memory of 2340 620 jddvv.exe 31 PID 620 wrote to memory of 2340 620 jddvv.exe 31 PID 620 wrote to memory of 2340 620 jddvv.exe 31 PID 620 wrote to memory of 2340 620 jddvv.exe 31 PID 2340 wrote to memory of 1620 2340 fxlxlfl.exe 32 PID 2340 wrote to memory of 1620 2340 fxlxlfl.exe 32 PID 2340 wrote to memory of 1620 2340 fxlxlfl.exe 32 PID 2340 wrote to memory of 1620 2340 fxlxlfl.exe 32 PID 1620 wrote to memory of 2232 1620 204844.exe 33 PID 1620 wrote to memory of 2232 1620 204844.exe 33 PID 1620 wrote to memory of 2232 1620 204844.exe 33 PID 1620 wrote to memory of 2232 1620 204844.exe 33 PID 2232 wrote to memory of 2880 2232 c022266.exe 34 PID 2232 wrote to memory of 2880 2232 c022266.exe 34 PID 2232 wrote to memory of 2880 2232 c022266.exe 34 PID 2232 wrote to memory of 2880 2232 c022266.exe 34 PID 2880 wrote to memory of 2848 2880 s8002.exe 35 PID 2880 wrote to memory of 2848 2880 s8002.exe 35 PID 2880 wrote to memory of 2848 2880 s8002.exe 35 PID 2880 wrote to memory of 2848 2880 s8002.exe 35 PID 2848 wrote to memory of 2264 2848 8284628.exe 36 PID 2848 wrote to memory of 2264 2848 8284628.exe 36 PID 2848 wrote to memory of 2264 2848 8284628.exe 36 PID 2848 wrote to memory of 2264 2848 8284628.exe 36 PID 2264 wrote to memory of 3036 2264 7tthnb.exe 37 PID 2264 wrote to memory of 3036 2264 7tthnb.exe 37 PID 2264 wrote to memory of 3036 2264 7tthnb.exe 37 PID 2264 wrote to memory of 3036 2264 7tthnb.exe 37 PID 3036 wrote to memory of 2748 3036 w46626.exe 38 PID 3036 wrote to 
memory of 2748 3036 w46626.exe 38 PID 3036 wrote to memory of 2748 3036 w46626.exe 38 PID 3036 wrote to memory of 2748 3036 w46626.exe 38 PID 2748 wrote to memory of 2744 2748 w68808.exe 39 PID 2748 wrote to memory of 2744 2748 w68808.exe 39 PID 2748 wrote to memory of 2744 2748 w68808.exe 39 PID 2748 wrote to memory of 2744 2748 w68808.exe 39 PID 2744 wrote to memory of 3016 2744 86822.exe 40 PID 2744 wrote to memory of 3016 2744 86822.exe 40 PID 2744 wrote to memory of 3016 2744 86822.exe 40 PID 2744 wrote to memory of 3016 2744 86822.exe 40 PID 3016 wrote to memory of 1784 3016 022286.exe 41 PID 3016 wrote to memory of 1784 3016 022286.exe 41 PID 3016 wrote to memory of 1784 3016 022286.exe 41 PID 3016 wrote to memory of 1784 3016 022286.exe 41 PID 1784 wrote to memory of 2792 1784 4244000.exe 42 PID 1784 wrote to memory of 2792 1784 4244000.exe 42 PID 1784 wrote to memory of 2792 1784 4244000.exe 42 PID 1784 wrote to memory of 2792 1784 4244000.exe 42 PID 2792 wrote to memory of 1956 2792 3thhnn.exe 43 PID 2792 wrote to memory of 1956 2792 3thhnn.exe 43 PID 2792 wrote to memory of 1956 2792 3thhnn.exe 43 PID 2792 wrote to memory of 1956 2792 3thhnn.exe 43 PID 1956 wrote to memory of 744 1956 e24688.exe 44 PID 1956 wrote to memory of 744 1956 e24688.exe 44 PID 1956 wrote to memory of 744 1956 e24688.exe 44 PID 1956 wrote to memory of 744 1956 e24688.exe 44 PID 744 wrote to memory of 2136 744 a6808.exe 45 PID 744 wrote to memory of 2136 744 a6808.exe 45 PID 744 wrote to memory of 2136 744 a6808.exe 45 PID 744 wrote to memory of 2136 744 a6808.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe"C:\Users\Admin\AppData\Local\Temp\745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\jddvv.exec:\jddvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\fxlxlfl.exec:\fxlxlfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\204844.exec:\204844.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\c022266.exec:\c022266.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\s8002.exec:\s8002.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\8284628.exec:\8284628.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\7tthnb.exec:\7tthnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\w46626.exec:\w46626.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\w68808.exec:\w68808.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\86822.exec:\86822.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\022286.exec:\022286.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\4244000.exec:\4244000.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\3thhnn.exec:\3thhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\e24688.exec:\e24688.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\a6808.exec:\a6808.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\60884.exec:\60884.exe17⤵
- Executes dropped EXE
PID:2136 -
\??\c:\q08866.exec:\q08866.exe18⤵
- Executes dropped EXE
PID:2364 -
\??\c:\1pddd.exec:\1pddd.exe19⤵
- Executes dropped EXE
PID:2732 -
\??\c:\60664.exec:\60664.exe20⤵
- Executes dropped EXE
PID:1988 -
\??\c:\608222.exec:\608222.exe21⤵
- Executes dropped EXE
PID:3064 -
\??\c:\llffrrf.exec:\llffrrf.exe22⤵
- Executes dropped EXE
PID:1140 -
\??\c:\hhbbhh.exec:\hhbbhh.exe23⤵
- Executes dropped EXE
PID:2672 -
\??\c:\8644406.exec:\8644406.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
\??\c:\a6002.exec:\a6002.exe25⤵
- Executes dropped EXE
PID:1900 -
\??\c:\086244.exec:\086244.exe26⤵
- Executes dropped EXE
PID:2448 -
\??\c:\7bhntt.exec:\7bhntt.exe27⤵
- Executes dropped EXE
PID:736 -
\??\c:\2686882.exec:\2686882.exe28⤵
- Executes dropped EXE
PID:2484 -
\??\c:\1djjp.exec:\1djjp.exe29⤵
- Executes dropped EXE
PID:1316 -
\??\c:\e82800.exec:\e82800.exe30⤵
- Executes dropped EXE
PID:552 -
\??\c:\1xllffl.exec:\1xllffl.exe31⤵
- Executes dropped EXE
PID:2000 -
\??\c:\nnnthn.exec:\nnnthn.exe32⤵
- Executes dropped EXE
PID:2080 -
\??\c:\vjvjd.exec:\vjvjd.exe33⤵
- Executes dropped EXE
PID:2612 -
\??\c:\7httbb.exec:\7httbb.exe34⤵
- Executes dropped EXE
PID:2552 -
\??\c:\a0644.exec:\a0644.exe35⤵
- Executes dropped EXE
PID:1596 -
\??\c:\20262.exec:\20262.exe36⤵
- Executes dropped EXE
PID:2352 -
\??\c:\rrflxxf.exec:\rrflxxf.exe37⤵
- Executes dropped EXE
PID:2572 -
\??\c:\fxllxrl.exec:\fxllxrl.exe38⤵
- Executes dropped EXE
PID:2316 -
\??\c:\084400.exec:\084400.exe39⤵
- Executes dropped EXE
PID:2872 -
\??\c:\0862884.exec:\0862884.exe40⤵
- Executes dropped EXE
PID:2796 -
\??\c:\20228.exec:\20228.exe41⤵
- Executes dropped EXE
PID:2880 -
\??\c:\bbbbnt.exec:\bbbbnt.exe42⤵
- Executes dropped EXE
PID:2840 -
\??\c:\hbhntn.exec:\hbhntn.exe43⤵
- Executes dropped EXE
PID:2992 -
\??\c:\hthhtn.exec:\hthhtn.exe44⤵
- Executes dropped EXE
PID:2260 -
\??\c:\60280.exec:\60280.exe45⤵
- Executes dropped EXE
PID:3036 -
\??\c:\042244.exec:\042244.exe46⤵
- Executes dropped EXE
PID:2980 -
\??\c:\2400488.exec:\2400488.exe47⤵
- Executes dropped EXE
PID:2812 -
\??\c:\820066.exec:\820066.exe48⤵
- Executes dropped EXE
PID:2544 -
\??\c:\vpvjj.exec:\vpvjj.exe49⤵
- Executes dropped EXE
PID:2528 -
\??\c:\m2662.exec:\m2662.exe50⤵
- Executes dropped EXE
PID:1100 -
\??\c:\26660.exec:\26660.exe51⤵
- Executes dropped EXE
PID:2908 -
\??\c:\5vdvv.exec:\5vdvv.exe52⤵
- Executes dropped EXE
PID:2152 -
\??\c:\82284.exec:\82284.exe53⤵
- Executes dropped EXE
PID:1420 -
\??\c:\5jvdp.exec:\5jvdp.exe54⤵
- Executes dropped EXE
PID:1828 -
\??\c:\824888.exec:\824888.exe55⤵
- Executes dropped EXE
PID:352 -
\??\c:\7nbhnh.exec:\7nbhnh.exe56⤵
- Executes dropped EXE
PID:1928 -
\??\c:\8644488.exec:\8644488.exe57⤵
- Executes dropped EXE
PID:2100 -
\??\c:\4222002.exec:\4222002.exe58⤵
- Executes dropped EXE
PID:2732 -
\??\c:\0240280.exec:\0240280.exe59⤵
- Executes dropped EXE
PID:2248 -
\??\c:\266840.exec:\266840.exe60⤵
- Executes dropped EXE
PID:2548 -
\??\c:\htnnbn.exec:\htnnbn.exe61⤵
- Executes dropped EXE
PID:800 -
\??\c:\480022.exec:\480022.exe62⤵
- Executes dropped EXE
PID:336 -
\??\c:\86806.exec:\86806.exe63⤵
- Executes dropped EXE
PID:1772 -
\??\c:\3hnhhh.exec:\3hnhhh.exe64⤵
- Executes dropped EXE
PID:1304 -
\??\c:\866622.exec:\866622.exe65⤵
- Executes dropped EXE
PID:3060 -
\??\c:\3lxrrrr.exec:\3lxrrrr.exe66⤵PID:2256
-
\??\c:\424406.exec:\424406.exe67⤵PID:1700
-
\??\c:\86884.exec:\86884.exe68⤵PID:1344
-
\??\c:\6422884.exec:\6422884.exe69⤵PID:1036
-
\??\c:\20840.exec:\20840.exe70⤵PID:2424
-
\??\c:\086282.exec:\086282.exe71⤵PID:1316
-
\??\c:\lxrlrrx.exec:\lxrlrrx.exe72⤵PID:1416
-
\??\c:\20646.exec:\20646.exe73⤵PID:2000
-
\??\c:\08048.exec:\08048.exe74⤵PID:2064
-
\??\c:\lrfrrxr.exec:\lrfrrxr.exe75⤵PID:1672
-
\??\c:\rlxxxxf.exec:\rlxxxxf.exe76⤵PID:2068
-
\??\c:\5flfxrl.exec:\5flfxrl.exe77⤵PID:620
-
\??\c:\dvjdj.exec:\dvjdj.exe78⤵PID:1596
-
\??\c:\pdddj.exec:\pdddj.exe79⤵PID:2556
-
\??\c:\frrflff.exec:\frrflff.exe80⤵PID:1268
-
\??\c:\5bhhnh.exec:\5bhhnh.exe81⤵PID:2516
-
\??\c:\46484.exec:\46484.exe82⤵PID:2972
-
\??\c:\frlxfrr.exec:\frlxfrr.exe83⤵PID:2816
-
\??\c:\u806628.exec:\u806628.exe84⤵PID:584
-
\??\c:\o288826.exec:\o288826.exe85⤵PID:2996
-
\??\c:\c222604.exec:\c222604.exe86⤵PID:3000
-
\??\c:\8666660.exec:\8666660.exe87⤵PID:3044
-
\??\c:\7dppj.exec:\7dppj.exe88⤵PID:2696
-
\??\c:\4248862.exec:\4248862.exe89⤵PID:2856
-
\??\c:\20626.exec:\20626.exe90⤵PID:2744
-
\??\c:\246408.exec:\246408.exe91⤵PID:2520
-
\??\c:\xrxrxrr.exec:\xrxrxrr.exe92⤵PID:1128
-
\??\c:\9frrxxl.exec:\9frrxxl.exe93⤵PID:1784
-
\??\c:\o240600.exec:\o240600.exe94⤵PID:2132
-
\??\c:\0680206.exec:\0680206.exe95⤵PID:1812
-
\??\c:\4244624.exec:\4244624.exe96⤵PID:1956
-
\??\c:\3fffllr.exec:\3fffllr.exe97⤵PID:1860
-
\??\c:\lxllrrx.exec:\lxllrrx.exe98⤵PID:976
-
\??\c:\pdjdd.exec:\pdjdd.exe99⤵PID:2944
-
\??\c:\rffxrrf.exec:\rffxrrf.exe100⤵PID:2960
-
\??\c:\w68404.exec:\w68404.exe101⤵PID:296
-
\??\c:\dpppj.exec:\dpppj.exe102⤵PID:320
-
\??\c:\42000.exec:\42000.exe103⤵PID:1736
-
\??\c:\hbhnnn.exec:\hbhnnn.exe104⤵PID:3064
-
\??\c:\w24400.exec:\w24400.exe105⤵PID:2052
-
\??\c:\g4662.exec:\g4662.exe106⤵PID:1140
-
\??\c:\2466266.exec:\2466266.exe107⤵PID:1820
-
\??\c:\264460.exec:\264460.exe108⤵PID:1324
-
\??\c:\xflxxll.exec:\xflxxll.exe109⤵PID:1020
-
\??\c:\lxfxfxx.exec:\lxfxfxx.exe110⤵PID:848
-
\??\c:\0862884.exec:\0862884.exe111⤵PID:1540
-
\??\c:\806066.exec:\806066.exe112⤵PID:2492
-
\??\c:\htbbhh.exec:\htbbhh.exe113⤵PID:108
-
\??\c:\bntttn.exec:\bntttn.exe114⤵PID:2224
-
\??\c:\xllflfl.exec:\xllflfl.exe115⤵PID:2424
-
\??\c:\bntnnb.exec:\bntnnb.exe116⤵PID:2292
-
\??\c:\642282.exec:\642282.exe117⤵PID:1416
-
\??\c:\0248222.exec:\0248222.exe118⤵PID:2644
-
\??\c:\nhnbnh.exec:\nhnbnh.exe119⤵PID:2116
-
\??\c:\c082822.exec:\c082822.exe120⤵PID:1608
-
\??\c:\jdddd.exec:\jdddd.exe121⤵PID:1564
-
\??\c:\4244604.exec:\4244604.exe122⤵PID:2344