Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 02:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe
-
Size
456KB
-
MD5
61bee24192605ddde54ac752eed43eb6
-
SHA1
49cddfb4e2cc7fe3b8a2f0c375425cb31eed6dc2
-
SHA256
86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3
-
SHA512
20948cd5bfdd8437d93d87c997e583c8eafa81bb31c7cbb1b5c9059358fb5d8473d8350e4d2e777e6345a6b6d107fb6e697ba25bb18c5c8c34a4d22625c9cdc4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRR:q7Tc2NYHUrAwfMp3CDRR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 37 IoCs
resource yara_rule behavioral1/memory/1968-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-36-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2864-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-60-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2900-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1224-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1536-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1072-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-1125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-1182-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1304 60806.exe 1236 fflrrxl.exe 2096 tnnntt.exe 2752 8688428.exe 2864 5nnhbt.exe 2816 642228.exe 1752 8688428.exe 2900 hthhnh.exe 2688 bthbhb.exe 2664 6406262.exe 2192 246626.exe 1224 644404.exe 1664 w20026.exe 2728 9tbbth.exe 1672 240022.exe 1436 08662.exe 2104 2028662.exe 2052 xrxxfff.exe 1072 4244446.exe 2964 1xfllrr.exe 2408 6400622.exe 1740 jdppd.exe 108 86828.exe 1856 086626.exe 1872 xrfllfr.exe 568 262800.exe 1012 i688488.exe 1536 4622288.exe 3012 lxfxxll.exe 2548 68484.exe 1988 20888.exe 800 u404488.exe 1304 lrfrrlr.exe 2564 0800000.exe 2568 lxlffxf.exe 2592 8688040.exe 2464 rllfxrx.exe 2752 w44408.exe 2872 4284046.exe 2804 fxflrlf.exe 2764 xlrxxxf.exe 2980 9nbbht.exe 2920 1pdpp.exe 2676 7hbhhn.exe 2940 vvpdv.exe 1512 nhtbbb.exe 2032 2022888.exe 400 nbnnbt.exe 1992 4242822.exe 2736 1bbtbt.exe 332 dvpvv.exe 2020 864848.exe 536 vvjjd.exe 1840 5nhhnn.exe 2264 jvddd.exe 2836 08602.exe 2908 7thtnh.exe 1540 vjppj.exe 1620 xlrxxrx.exe 3028 rlxxllx.exe 2992 vjdpp.exe 2432 1nbbbt.exe 2232 btbttt.exe 2316 s6828.exe -
resource yara_rule behavioral1/memory/1968-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-197-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1072-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1460-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-1016-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-1125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-1138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-1163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2104-1182-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1740-1227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-1276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-1289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-1327-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c424608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0460886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w60006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1968 wrote to memory of 1304 1968 86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe 62 PID 1968 wrote to memory of 1304 1968 86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe 62 PID 1968 wrote to memory of 1304 1968 86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe 62 PID 1968 wrote to memory of 1304 1968 86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe 62 PID 1304 wrote to memory of 1236 1304 60806.exe 31 PID 1304 wrote to memory of 1236 1304 60806.exe 31 PID 1304 wrote to memory of 1236 1304 60806.exe 31 PID 1304 wrote to memory of 1236 1304 60806.exe 31 PID 1236 wrote to memory of 2096 1236 fflrrxl.exe 32 PID 1236 wrote to memory of 2096 1236 fflrrxl.exe 32 PID 1236 wrote to memory of 2096 1236 fflrrxl.exe 32 PID 1236 wrote to memory of 2096 1236 fflrrxl.exe 32 PID 2096 wrote to memory of 2752 2096 tnnntt.exe 67 PID 2096 wrote to memory of 2752 2096 tnnntt.exe 67 PID 2096 wrote to memory of 2752 2096 tnnntt.exe 67 PID 2096 wrote to memory of 2752 2096 tnnntt.exe 67 PID 2752 wrote to memory of 2864 2752 8688428.exe 34 PID 2752 wrote to memory of 2864 2752 8688428.exe 34 PID 2752 wrote to memory of 2864 2752 8688428.exe 34 PID 2752 wrote to memory of 2864 2752 8688428.exe 34 PID 2864 wrote to memory of 2816 2864 5nnhbt.exe 35 PID 2864 wrote to memory of 2816 2864 5nnhbt.exe 35 PID 2864 wrote to memory of 2816 2864 5nnhbt.exe 35 PID 2864 wrote to memory of 2816 2864 5nnhbt.exe 35 PID 2816 wrote to memory of 1752 2816 642228.exe 36 PID 2816 wrote to memory of 1752 2816 642228.exe 36 PID 2816 wrote to memory of 1752 2816 642228.exe 36 PID 2816 wrote to memory of 1752 2816 642228.exe 36 PID 1752 wrote to memory of 2900 1752 8688428.exe 37 PID 1752 wrote to memory of 2900 1752 8688428.exe 37 PID 1752 wrote to memory of 2900 1752 8688428.exe 37 PID 1752 wrote to memory of 2900 1752 8688428.exe 37 PID 2900 wrote to memory of 2688 2900 hthhnh.exe 38 PID 
2900 wrote to memory of 2688 2900 hthhnh.exe 38 PID 2900 wrote to memory of 2688 2900 hthhnh.exe 38 PID 2900 wrote to memory of 2688 2900 hthhnh.exe 38 PID 2688 wrote to memory of 2664 2688 bthbhb.exe 39 PID 2688 wrote to memory of 2664 2688 bthbhb.exe 39 PID 2688 wrote to memory of 2664 2688 bthbhb.exe 39 PID 2688 wrote to memory of 2664 2688 bthbhb.exe 39 PID 2664 wrote to memory of 2192 2664 6406262.exe 40 PID 2664 wrote to memory of 2192 2664 6406262.exe 40 PID 2664 wrote to memory of 2192 2664 6406262.exe 40 PID 2664 wrote to memory of 2192 2664 6406262.exe 40 PID 2192 wrote to memory of 1224 2192 246626.exe 41 PID 2192 wrote to memory of 1224 2192 246626.exe 41 PID 2192 wrote to memory of 1224 2192 246626.exe 41 PID 2192 wrote to memory of 1224 2192 246626.exe 41 PID 1224 wrote to memory of 1664 1224 644404.exe 42 PID 1224 wrote to memory of 1664 1224 644404.exe 42 PID 1224 wrote to memory of 1664 1224 644404.exe 42 PID 1224 wrote to memory of 1664 1224 644404.exe 42 PID 1664 wrote to memory of 2728 1664 w20026.exe 43 PID 1664 wrote to memory of 2728 1664 w20026.exe 43 PID 1664 wrote to memory of 2728 1664 w20026.exe 43 PID 1664 wrote to memory of 2728 1664 w20026.exe 43 PID 2728 wrote to memory of 1672 2728 9tbbth.exe 44 PID 2728 wrote to memory of 1672 2728 9tbbth.exe 44 PID 2728 wrote to memory of 1672 2728 9tbbth.exe 44 PID 2728 wrote to memory of 1672 2728 9tbbth.exe 44 PID 1672 wrote to memory of 1436 1672 240022.exe 45 PID 1672 wrote to memory of 1436 1672 240022.exe 45 PID 1672 wrote to memory of 1436 1672 240022.exe 45 PID 1672 wrote to memory of 1436 1672 240022.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe"C:\Users\Admin\AppData\Local\Temp\86bf2787fcb1b9cd5c62a6714d25177f2535be104877d744929bbac833c00cd3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\60806.exec:\60806.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\fflrrxl.exec:\fflrrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\tnnntt.exec:\tnnntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\8688428.exec:\8688428.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\5nnhbt.exec:\5nnhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\642228.exec:\642228.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\8688428.exec:\8688428.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\hthhnh.exec:\hthhnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\bthbhb.exec:\bthbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\6406262.exec:\6406262.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\246626.exec:\246626.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\644404.exec:\644404.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\w20026.exec:\w20026.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\9tbbth.exec:\9tbbth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\240022.exec:\240022.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\08662.exec:\08662.exe17⤵
- Executes dropped EXE
PID:1436 -
\??\c:\2028662.exec:\2028662.exe18⤵
- Executes dropped EXE
PID:2104 -
\??\c:\xrxxfff.exec:\xrxxfff.exe19⤵
- Executes dropped EXE
PID:2052 -
\??\c:\4244446.exec:\4244446.exe20⤵
- Executes dropped EXE
PID:1072 -
\??\c:\1xfllrr.exec:\1xfllrr.exe21⤵
- Executes dropped EXE
PID:2964 -
\??\c:\6400622.exec:\6400622.exe22⤵
- Executes dropped EXE
PID:2408 -
\??\c:\jdppd.exec:\jdppd.exe23⤵
- Executes dropped EXE
PID:1740 -
\??\c:\86828.exec:\86828.exe24⤵
- Executes dropped EXE
PID:108 -
\??\c:\086626.exec:\086626.exe25⤵
- Executes dropped EXE
PID:1856 -
\??\c:\xrfllfr.exec:\xrfllfr.exe26⤵
- Executes dropped EXE
PID:1872 -
\??\c:\262800.exec:\262800.exe27⤵
- Executes dropped EXE
PID:568 -
\??\c:\i688488.exec:\i688488.exe28⤵
- Executes dropped EXE
PID:1012 -
\??\c:\4622288.exec:\4622288.exe29⤵
- Executes dropped EXE
PID:1536 -
\??\c:\lxfxxll.exec:\lxfxxll.exe30⤵
- Executes dropped EXE
PID:3012 -
\??\c:\68484.exec:\68484.exe31⤵
- Executes dropped EXE
PID:2548 -
\??\c:\20888.exec:\20888.exe32⤵
- Executes dropped EXE
PID:1988 -
\??\c:\u404488.exec:\u404488.exe33⤵
- Executes dropped EXE
PID:800 -
\??\c:\lrfrrlr.exec:\lrfrrlr.exe34⤵
- Executes dropped EXE
PID:1304 -
\??\c:\0800000.exec:\0800000.exe35⤵
- Executes dropped EXE
PID:2564 -
\??\c:\lxlffxf.exec:\lxlffxf.exe36⤵
- Executes dropped EXE
PID:2568 -
\??\c:\8688040.exec:\8688040.exe37⤵
- Executes dropped EXE
PID:2592 -
\??\c:\rllfxrx.exec:\rllfxrx.exe38⤵
- Executes dropped EXE
PID:2464 -
\??\c:\w44408.exec:\w44408.exe39⤵
- Executes dropped EXE
PID:2752 -
\??\c:\4284046.exec:\4284046.exe40⤵
- Executes dropped EXE
PID:2872 -
\??\c:\fxflrlf.exec:\fxflrlf.exe41⤵
- Executes dropped EXE
PID:2804 -
\??\c:\xlrxxxf.exec:\xlrxxxf.exe42⤵
- Executes dropped EXE
PID:2764 -
\??\c:\9nbbht.exec:\9nbbht.exe43⤵
- Executes dropped EXE
PID:2980 -
\??\c:\1pdpp.exec:\1pdpp.exe44⤵
- Executes dropped EXE
PID:2920 -
\??\c:\7hbhhn.exec:\7hbhhn.exe45⤵
- Executes dropped EXE
PID:2676 -
\??\c:\vvpdv.exec:\vvpdv.exe46⤵
- Executes dropped EXE
PID:2940 -
\??\c:\nhtbbb.exec:\nhtbbb.exe47⤵
- Executes dropped EXE
PID:1512 -
\??\c:\2022888.exec:\2022888.exe48⤵
- Executes dropped EXE
PID:2032 -
\??\c:\nbnnbt.exec:\nbnnbt.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:400 -
\??\c:\4242822.exec:\4242822.exe50⤵
- Executes dropped EXE
PID:1992 -
\??\c:\1bbtbt.exec:\1bbtbt.exe51⤵
- Executes dropped EXE
PID:2736 -
\??\c:\dvpvv.exec:\dvpvv.exe52⤵
- Executes dropped EXE
PID:332 -
\??\c:\864848.exec:\864848.exe53⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vvjjd.exec:\vvjjd.exe54⤵
- Executes dropped EXE
PID:536 -
\??\c:\5nhhnn.exec:\5nhhnn.exe55⤵
- Executes dropped EXE
PID:1840 -
\??\c:\jvddd.exec:\jvddd.exe56⤵
- Executes dropped EXE
PID:2264 -
\??\c:\08602.exec:\08602.exe57⤵
- Executes dropped EXE
PID:2836 -
\??\c:\7thtnh.exec:\7thtnh.exe58⤵
- Executes dropped EXE
PID:2908 -
\??\c:\vjppj.exec:\vjppj.exe59⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xlrxxrx.exec:\xlrxxrx.exe60⤵
- Executes dropped EXE
PID:1620 -
\??\c:\rlxxllx.exec:\rlxxllx.exe61⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vjdpp.exec:\vjdpp.exe62⤵
- Executes dropped EXE
PID:2992 -
\??\c:\1nbbbt.exec:\1nbbbt.exe63⤵
- Executes dropped EXE
PID:2432 -
\??\c:\btbttt.exec:\btbttt.exe64⤵
- Executes dropped EXE
PID:2232 -
\??\c:\s6828.exec:\s6828.exe65⤵
- Executes dropped EXE
PID:2316 -
\??\c:\08400.exec:\08400.exe66⤵PID:2424
-
\??\c:\20222.exec:\20222.exe67⤵PID:2340
-
\??\c:\pjpvd.exec:\pjpvd.exe68⤵PID:1976
-
\??\c:\20224.exec:\20224.exe69⤵PID:2292
-
\??\c:\1jvvd.exec:\1jvvd.exe70⤵PID:2064
-
\??\c:\djppp.exec:\djppp.exe71⤵PID:2384
-
\??\c:\7lrrrrx.exec:\7lrrrrx.exe72⤵PID:2592
-
\??\c:\xlxxxxl.exec:\xlxxxxl.exe73⤵PID:1528
-
\??\c:\8622840.exec:\8622840.exe74⤵PID:2868
-
\??\c:\jvjpp.exec:\jvjpp.exe75⤵PID:2864
-
\??\c:\08668.exec:\08668.exe76⤵PID:2356
-
\??\c:\820626.exec:\820626.exe77⤵PID:2800
-
\??\c:\7btbnt.exec:\7btbnt.exe78⤵PID:2808
-
\??\c:\8242828.exec:\8242828.exe79⤵PID:2904
-
\??\c:\026000.exec:\026000.exe80⤵PID:2748
-
\??\c:\lxxrrrx.exec:\lxxrrrx.exe81⤵PID:2696
-
\??\c:\hthbbt.exec:\hthbbt.exe82⤵PID:2284
-
\??\c:\20204.exec:\20204.exe83⤵PID:2852
-
\??\c:\vjvvd.exec:\vjvvd.exe84⤵PID:2708
-
\??\c:\dpddv.exec:\dpddv.exe85⤵PID:2032
-
\??\c:\4622860.exec:\4622860.exe86⤵PID:2780
-
\??\c:\nbnbtn.exec:\nbnbtn.exe87⤵PID:112
-
\??\c:\bbtbnn.exec:\bbtbnn.exe88⤵PID:1664
-
\??\c:\868462.exec:\868462.exe89⤵PID:2728
-
\??\c:\464460.exec:\464460.exe90⤵PID:2720
-
\??\c:\rlxrrlr.exec:\rlxrrlr.exe91⤵PID:2880
-
\??\c:\xlrxxrl.exec:\xlrxxrl.exe92⤵PID:2516
-
\??\c:\1nthhn.exec:\1nthhn.exe93⤵PID:1900
-
\??\c:\dpddd.exec:\dpddd.exe94⤵PID:1720
-
\??\c:\02444.exec:\02444.exe95⤵PID:1964
-
\??\c:\xxlxfff.exec:\xxlxfff.exe96⤵PID:2420
-
\??\c:\46484.exec:\46484.exe97⤵PID:2740
-
\??\c:\7hnhhh.exec:\7hnhhh.exe98⤵PID:2588
-
\??\c:\jjpdj.exec:\jjpdj.exe99⤵PID:2264
-
\??\c:\a8062.exec:\a8062.exe100⤵PID:2256
-
\??\c:\064266.exec:\064266.exe101⤵PID:2908
-
\??\c:\dvjvp.exec:\dvjvp.exe102⤵PID:1844
-
\??\c:\7hnhbt.exec:\7hnhbt.exe103⤵PID:1392
-
\??\c:\3rrfxrl.exec:\3rrfxrl.exe104⤵PID:3028
-
\??\c:\lxfllfl.exec:\lxfllfl.exe105⤵PID:1472
-
\??\c:\u646668.exec:\u646668.exe106⤵PID:2432
-
\??\c:\s0288.exec:\s0288.exe107⤵PID:1460
-
\??\c:\6844884.exec:\6844884.exe108⤵PID:1628
-
\??\c:\ffxlrxr.exec:\ffxlrxr.exe109⤵PID:2636
-
\??\c:\646226.exec:\646226.exe110⤵
- System Location Discovery: System Language Discovery
PID:544 -
\??\c:\tbbtbt.exec:\tbbtbt.exe111⤵PID:3056
-
\??\c:\46884.exec:\46884.exe112⤵PID:1520
-
\??\c:\20222.exec:\20222.exe113⤵PID:3060
-
\??\c:\1jvvv.exec:\1jvvv.exe114⤵PID:2384
-
\??\c:\46260.exec:\46260.exe115⤵PID:2496
-
\??\c:\42428.exec:\42428.exe116⤵PID:644
-
\??\c:\lxlfrxx.exec:\lxlfrxx.exe117⤵PID:1496
-
\??\c:\3dpvd.exec:\3dpvd.exe118⤵PID:1172
-
\??\c:\pjvvd.exec:\pjvvd.exe119⤵PID:2840
-
\??\c:\6804640.exec:\6804640.exe120⤵PID:2888
-
\??\c:\8026266.exec:\8026266.exe121⤵PID:1256
-
\??\c:\20884.exec:\20884.exe122⤵PID:2788