Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 · arch:x86 · image:win7-20241023-en · locale:en-us · os:windows7-x64 · system -
submitted
26-12-2024 02:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe
-
Size
454KB
-
MD5
4b53e0855029216735975fdd3800c7f7
-
SHA1
333ed94a86789ef97220a5663c2fa798fafa7001
-
SHA256
4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7
-
SHA512
def9518627bd69ebacd9caaba5a5d0eea1d302e3d627beeaa9cc77bad20bd787d8a724a3fb52011840a35fd8484fbfd418be1fb44ac35041a2512b9d8ca90253
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTT:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 43 IoCs. Note for triage: every hit below is on an in-memory image region (typically 0x400000–0x42A000) of one of the dropped stages, not on the file as written to disk; the same regions also match the `upx` rule further down, so the payload appears to be UPX-packed on disk and is only recognisable once unpacked in memory. Disk-only scanning of the 454 KB dropper may therefore not trigger this rule — confirm against a static scan before relying on it.
resource yara_rule behavioral1/memory/2592-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-86-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1976-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-168-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2360-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/112-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-213-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/640-215-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1552-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2600-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-354-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2688-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-468-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/3000-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/956-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/564-756-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1164-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-861-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1124-1050-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1668-1086-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/3048-1166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (list truncated at 64; the process tree below runs to depth 122). Note for triage: several PIDs in this list appear twice with different image names (e.g. 2708 as 482800.exe and 686022.exe, 2724 as 80262.exe and o888664.exe, 3036 as 468286.exe and e00088.exe, 2252 as 8206480.exe and later nntttn.exe), i.e. earlier stages exited and Windows recycled their PIDs while the chain was still running. Correlate events by image name/hash and timestamp, not by PID alone.
pid Process 2632 086284.exe 2620 e48422.exe 2552 5xrlrfx.exe 2440 bntbhn.exe 2908 3rfflll.exe 2784 w42806.exe 2252 8206480.exe 2708 482800.exe 2728 e64888.exe 2724 80262.exe 2732 g2444.exe 3036 468286.exe 1976 20284.exe 3004 pjvvd.exe 1956 0806224.exe 1816 1nbttt.exe 2104 2428444.exe 1756 68628.exe 564 btnttt.exe 2360 2404444.exe 2124 42662.exe 112 bntnnn.exe 640 bnhhhb.exe 3000 pdvdj.exe 1552 nhtntt.exe 1764 82484.exe 632 08684.exe 1168 9bhbbt.exe 2268 0800602.exe 848 vjvvd.exe 2640 g4600.exe 2448 s4284.exe 884 862240.exe 2600 nhnhhh.exe 1712 42440.exe 2656 02400.exe 2500 k84404.exe 2596 640666.exe 2788 202288.exe 2896 o464068.exe 2804 1nhbnn.exe 2548 w02244.exe 2688 xxlxlrf.exe 2704 8622400.exe 2708 686022.exe 2852 htnthn.exe 2724 o888664.exe 2324 084066.exe 2976 6040280.exe 3036 e00088.exe 2880 btnthn.exe 2768 7lflrxr.exe 2876 086244.exe 1656 4200846.exe 1852 26462.exe 1564 rlxxffl.exe 2720 m4280.exe 1152 rlflrxl.exe 2532 0824062.exe 584 8200068.exe 1448 0862840.exe 2172 64628.exe 1848 64262.exe 1700 ppjpd.exe -
resource yara_rule behavioral1/memory/2592-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-301-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/884-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-354-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2688-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-790-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1252-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-861-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2372-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-1047-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-1099-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-1166-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Reading `HKLM\SYSTEM\ControlSet001\Control\NLS\Language` is also a common locale-based kill-switch check, but this report only shows the key being opened, not what the sample does with the value. Most entries below are attributed to "Process not Found": the opening process had most likely already exited before the sandbox resolved the event, so per-process attribution of this behaviour is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfllx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e08844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8206480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2600668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list truncated at 64). Note for triage: every write is from a parent to the child it has just spawned (the pairs mirror the process tree exactly, each logged four times), and no write targets a pre-existing or system process. This pattern is consistent with the memory writes that accompany process creation itself rather than with code injection into a foreign process — treat it as low-confidence for injection unless a target outside the spawn chain is found.
description pid Process procid_target PID 2592 wrote to memory of 2632 2592 4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe 30 PID 2592 wrote to memory of 2632 2592 4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe 30 PID 2592 wrote to memory of 2632 2592 4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe 30 PID 2592 wrote to memory of 2632 2592 4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe 30 PID 2632 wrote to memory of 2620 2632 086284.exe 31 PID 2632 wrote to memory of 2620 2632 086284.exe 31 PID 2632 wrote to memory of 2620 2632 086284.exe 31 PID 2632 wrote to memory of 2620 2632 086284.exe 31 PID 2620 wrote to memory of 2552 2620 e48422.exe 32 PID 2620 wrote to memory of 2552 2620 e48422.exe 32 PID 2620 wrote to memory of 2552 2620 e48422.exe 32 PID 2620 wrote to memory of 2552 2620 e48422.exe 32 PID 2552 wrote to memory of 2440 2552 5xrlrfx.exe 33 PID 2552 wrote to memory of 2440 2552 5xrlrfx.exe 33 PID 2552 wrote to memory of 2440 2552 5xrlrfx.exe 33 PID 2552 wrote to memory of 2440 2552 5xrlrfx.exe 33 PID 2440 wrote to memory of 2908 2440 bntbhn.exe 34 PID 2440 wrote to memory of 2908 2440 bntbhn.exe 34 PID 2440 wrote to memory of 2908 2440 bntbhn.exe 34 PID 2440 wrote to memory of 2908 2440 bntbhn.exe 34 PID 2908 wrote to memory of 2784 2908 3rfflll.exe 35 PID 2908 wrote to memory of 2784 2908 3rfflll.exe 35 PID 2908 wrote to memory of 2784 2908 3rfflll.exe 35 PID 2908 wrote to memory of 2784 2908 3rfflll.exe 35 PID 2784 wrote to memory of 2252 2784 w42806.exe 36 PID 2784 wrote to memory of 2252 2784 w42806.exe 36 PID 2784 wrote to memory of 2252 2784 w42806.exe 36 PID 2784 wrote to memory of 2252 2784 w42806.exe 36 PID 2252 wrote to memory of 2708 2252 8206480.exe 37 PID 2252 wrote to memory of 2708 2252 8206480.exe 37 PID 2252 wrote to memory of 2708 2252 8206480.exe 37 PID 2252 wrote to memory of 2708 2252 8206480.exe 37 PID 2708 wrote to memory of 2728 2708 482800.exe 38 
PID 2708 wrote to memory of 2728 2708 482800.exe 38 PID 2708 wrote to memory of 2728 2708 482800.exe 38 PID 2708 wrote to memory of 2728 2708 482800.exe 38 PID 2728 wrote to memory of 2724 2728 e64888.exe 39 PID 2728 wrote to memory of 2724 2728 e64888.exe 39 PID 2728 wrote to memory of 2724 2728 e64888.exe 39 PID 2728 wrote to memory of 2724 2728 e64888.exe 39 PID 2724 wrote to memory of 2732 2724 80262.exe 40 PID 2724 wrote to memory of 2732 2724 80262.exe 40 PID 2724 wrote to memory of 2732 2724 80262.exe 40 PID 2724 wrote to memory of 2732 2724 80262.exe 40 PID 2732 wrote to memory of 3036 2732 g2444.exe 41 PID 2732 wrote to memory of 3036 2732 g2444.exe 41 PID 2732 wrote to memory of 3036 2732 g2444.exe 41 PID 2732 wrote to memory of 3036 2732 g2444.exe 41 PID 3036 wrote to memory of 1976 3036 468286.exe 42 PID 3036 wrote to memory of 1976 3036 468286.exe 42 PID 3036 wrote to memory of 1976 3036 468286.exe 42 PID 3036 wrote to memory of 1976 3036 468286.exe 42 PID 1976 wrote to memory of 3004 1976 20284.exe 43 PID 1976 wrote to memory of 3004 1976 20284.exe 43 PID 1976 wrote to memory of 3004 1976 20284.exe 43 PID 1976 wrote to memory of 3004 1976 20284.exe 43 PID 3004 wrote to memory of 1956 3004 pjvvd.exe 44 PID 3004 wrote to memory of 1956 3004 pjvvd.exe 44 PID 3004 wrote to memory of 1956 3004 pjvvd.exe 44 PID 3004 wrote to memory of 1956 3004 pjvvd.exe 44 PID 1956 wrote to memory of 1816 1956 0806224.exe 45 PID 1956 wrote to memory of 1816 1956 0806224.exe 45 PID 1956 wrote to memory of 1816 1956 0806224.exe 45 PID 1956 wrote to memory of 1816 1956 0806224.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe"C:\Users\Admin\AppData\Local\Temp\4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\086284.exec:\086284.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\e48422.exec:\e48422.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\5xrlrfx.exec:\5xrlrfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\bntbhn.exec:\bntbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\3rfflll.exec:\3rfflll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\w42806.exec:\w42806.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\8206480.exec:\8206480.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\482800.exec:\482800.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\e64888.exec:\e64888.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\80262.exec:\80262.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\g2444.exec:\g2444.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\468286.exec:\468286.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\20284.exec:\20284.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\pjvvd.exec:\pjvvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\0806224.exec:\0806224.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\1nbttt.exec:\1nbttt.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1816 -
\??\c:\2428444.exec:\2428444.exe18⤵
- Executes dropped EXE
PID:2104 -
\??\c:\68628.exec:\68628.exe19⤵
- Executes dropped EXE
PID:1756 -
\??\c:\btnttt.exec:\btnttt.exe20⤵
- Executes dropped EXE
PID:564 -
\??\c:\2404444.exec:\2404444.exe21⤵
- Executes dropped EXE
PID:2360 -
\??\c:\42662.exec:\42662.exe22⤵
- Executes dropped EXE
PID:2124 -
\??\c:\bntnnn.exec:\bntnnn.exe23⤵
- Executes dropped EXE
PID:112 -
\??\c:\bnhhhb.exec:\bnhhhb.exe24⤵
- Executes dropped EXE
PID:640 -
\??\c:\pdvdj.exec:\pdvdj.exe25⤵
- Executes dropped EXE
PID:3000 -
\??\c:\nhtntt.exec:\nhtntt.exe26⤵
- Executes dropped EXE
PID:1552 -
\??\c:\82484.exec:\82484.exe27⤵
- Executes dropped EXE
PID:1764 -
\??\c:\08684.exec:\08684.exe28⤵
- Executes dropped EXE
PID:632 -
\??\c:\9bhbbt.exec:\9bhbbt.exe29⤵
- Executes dropped EXE
PID:1168 -
\??\c:\0800602.exec:\0800602.exe30⤵
- Executes dropped EXE
PID:2268 -
\??\c:\vjvvd.exec:\vjvvd.exe31⤵
- Executes dropped EXE
PID:848 -
\??\c:\g4600.exec:\g4600.exe32⤵
- Executes dropped EXE
PID:2640 -
\??\c:\s4284.exec:\s4284.exe33⤵
- Executes dropped EXE
PID:2448 -
\??\c:\862240.exec:\862240.exe34⤵
- Executes dropped EXE
PID:884 -
\??\c:\nhnhhh.exec:\nhnhhh.exe35⤵
- Executes dropped EXE
PID:2600 -
\??\c:\42440.exec:\42440.exe36⤵
- Executes dropped EXE
PID:1712 -
\??\c:\02400.exec:\02400.exe37⤵
- Executes dropped EXE
PID:2656 -
\??\c:\k84404.exec:\k84404.exe38⤵
- Executes dropped EXE
PID:2500 -
\??\c:\640666.exec:\640666.exe39⤵
- Executes dropped EXE
PID:2596 -
\??\c:\202288.exec:\202288.exe40⤵
- Executes dropped EXE
PID:2788 -
\??\c:\o464068.exec:\o464068.exe41⤵
- Executes dropped EXE
PID:2896 -
\??\c:\1nhbnn.exec:\1nhbnn.exe42⤵
- Executes dropped EXE
PID:2804 -
\??\c:\w02244.exec:\w02244.exe43⤵
- Executes dropped EXE
PID:2548 -
\??\c:\xxlxlrf.exec:\xxlxlrf.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\8622400.exec:\8622400.exe45⤵
- Executes dropped EXE
PID:2704 -
\??\c:\686022.exec:\686022.exe46⤵
- Executes dropped EXE
PID:2708 -
\??\c:\htnthn.exec:\htnthn.exe47⤵
- Executes dropped EXE
PID:2852 -
\??\c:\o888664.exec:\o888664.exe48⤵
- Executes dropped EXE
PID:2724 -
\??\c:\084066.exec:\084066.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
\??\c:\6040280.exec:\6040280.exe50⤵
- Executes dropped EXE
PID:2976 -
\??\c:\e00088.exec:\e00088.exe51⤵
- Executes dropped EXE
PID:3036 -
\??\c:\btnthn.exec:\btnthn.exe52⤵
- Executes dropped EXE
PID:2880 -
\??\c:\7lflrxr.exec:\7lflrxr.exe53⤵
- Executes dropped EXE
PID:2768 -
\??\c:\086244.exec:\086244.exe54⤵
- Executes dropped EXE
PID:2876 -
\??\c:\4200846.exec:\4200846.exe55⤵
- Executes dropped EXE
PID:1656 -
\??\c:\26462.exec:\26462.exe56⤵
- Executes dropped EXE
PID:1852 -
\??\c:\rlxxffl.exec:\rlxxffl.exe57⤵
- Executes dropped EXE
PID:1564 -
\??\c:\m4280.exec:\m4280.exe58⤵
- Executes dropped EXE
PID:2720 -
\??\c:\rlflrxl.exec:\rlflrxl.exe59⤵
- Executes dropped EXE
PID:1152 -
\??\c:\0824062.exec:\0824062.exe60⤵
- Executes dropped EXE
PID:2532 -
\??\c:\8200068.exec:\8200068.exe61⤵
- Executes dropped EXE
PID:584 -
\??\c:\0862840.exec:\0862840.exe62⤵
- Executes dropped EXE
PID:1448 -
\??\c:\64628.exec:\64628.exe63⤵
- Executes dropped EXE
PID:2172 -
\??\c:\64262.exec:\64262.exe64⤵
- Executes dropped EXE
PID:1848 -
\??\c:\ppjpd.exec:\ppjpd.exe65⤵
- Executes dropped EXE
PID:1700 -
\??\c:\nhbhhh.exec:\nhbhhh.exe66⤵PID:3000
-
\??\c:\pjddj.exec:\pjddj.exe67⤵PID:936
-
\??\c:\604462.exec:\604462.exe68⤵PID:1432
-
\??\c:\4262028.exec:\4262028.exe69⤵PID:908
-
\??\c:\xrflxxf.exec:\xrflxxf.exe70⤵PID:956
-
\??\c:\s2224.exec:\s2224.exe71⤵PID:2516
-
\??\c:\tthntt.exec:\tthntt.exe72⤵PID:2344
-
\??\c:\jdvvd.exec:\jdvvd.exe73⤵PID:2208
-
\??\c:\24628.exec:\24628.exe74⤵PID:2428
-
\??\c:\fxrrrrf.exec:\fxrrrrf.exe75⤵PID:1504
-
\??\c:\frrlrxf.exec:\frrlrxf.exe76⤵PID:1960
-
\??\c:\o422846.exec:\o422846.exe77⤵PID:2248
-
\??\c:\hhbnbh.exec:\hhbnbh.exe78⤵PID:2372
-
\??\c:\646688.exec:\646688.exe79⤵PID:2452
-
\??\c:\08402.exec:\08402.exe80⤵PID:2400
-
\??\c:\64620.exec:\64620.exe81⤵PID:2760
-
\??\c:\ddvpj.exec:\ddvpj.exe82⤵PID:2552
-
\??\c:\tnhbbb.exec:\tnhbbb.exe83⤵PID:2596
-
\??\c:\5rfxllx.exec:\5rfxllx.exe84⤵PID:2788
-
\??\c:\vdvvj.exec:\vdvvj.exe85⤵PID:2896
-
\??\c:\frllrrx.exec:\frllrrx.exe86⤵PID:2784
-
\??\c:\llxxflx.exec:\llxxflx.exe87⤵PID:3060
-
\??\c:\hbthnn.exec:\hbthnn.exe88⤵PID:2860
-
\??\c:\nntttn.exec:\nntttn.exe89⤵PID:2252
-
\??\c:\q24466.exec:\q24466.exe90⤵PID:2676
-
\??\c:\q26862.exec:\q26862.exe91⤵PID:2736
-
\??\c:\82080.exec:\82080.exe92⤵PID:2196
-
\??\c:\208440.exec:\208440.exe93⤵PID:2340
-
\??\c:\bbnbtn.exec:\bbnbtn.exe94⤵PID:3044
-
\??\c:\thbbhh.exec:\thbbhh.exe95⤵PID:2748
-
\??\c:\nhbhtb.exec:\nhbhtb.exe96⤵PID:2952
-
\??\c:\hbntnn.exec:\hbntnn.exe97⤵PID:2420
-
\??\c:\hbbnnn.exec:\hbbnnn.exe98⤵PID:1312
-
\??\c:\2628442.exec:\2628442.exe99⤵PID:1112
-
\??\c:\642806.exec:\642806.exe100⤵PID:1284
-
\??\c:\ffrrrxf.exec:\ffrrrxf.exe101⤵PID:772
-
\??\c:\9lflllr.exec:\9lflllr.exe102⤵PID:2776
-
\??\c:\9vppd.exec:\9vppd.exe103⤵PID:580
-
\??\c:\5bbttb.exec:\5bbttb.exe104⤵PID:564
-
\??\c:\2028406.exec:\2028406.exe105⤵PID:1164
-
\??\c:\04808.exec:\04808.exe106⤵PID:2144
-
\??\c:\fxxlrrl.exec:\fxxlrrl.exe107⤵PID:812
-
\??\c:\xlllxff.exec:\xlllxff.exe108⤵PID:440
-
\??\c:\5vjpv.exec:\5vjpv.exe109⤵PID:2244
-
\??\c:\5lxxxxf.exec:\5lxxxxf.exe110⤵PID:1700
-
\??\c:\82040.exec:\82040.exe111⤵PID:3000
-
\??\c:\ffffrxf.exec:\ffffrxf.exe112⤵PID:1304
-
\??\c:\4888006.exec:\4888006.exe113⤵PID:1252
-
\??\c:\w82462.exec:\w82462.exe114⤵PID:908
-
\??\c:\1vppd.exec:\1vppd.exe115⤵PID:956
-
\??\c:\0484668.exec:\0484668.exe116⤵PID:1032
-
\??\c:\6028006.exec:\6028006.exe117⤵PID:2216
-
\??\c:\i088440.exec:\i088440.exe118⤵PID:2240
-
\??\c:\lfrxlrr.exec:\lfrxlrr.exe119⤵PID:1040
-
\??\c:\9rfflrx.exec:\9rfflrx.exe120⤵PID:1504
-
\??\c:\26462.exec:\26462.exe121⤵PID:2448
-
\??\c:\pdvpp.exec:\pdvpp.exe122⤵PID:2368
-