Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 02:48
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe
-
Size
453KB
-
MD5
be4f0822935bc370b0f5fa418d398bec
-
SHA1
8fc11f4f863ab959f3bddff00b06a5469adb282f
-
SHA256
dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df
-
SHA512
e47d926a7a2c5dbd093082fcb0b2e9ba9ceffa9a7dc2d6f3096a81c28c28302226aaf0eb9b484ef7101a4bec30eeb93ce8aec3a5b0ba489741a05473bbe9d39d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs — every hit listed below is an in-memory (memory.dmp) match, mostly on the same 0x400000–0x42A000 image range that recurs in each dropped process; no on-disk match is listed. Given the upx YARA hits further down, the sample is presumably packed, so a disk-only YARA scan of the 453KB file may not match this rule without unpacking first.
resource yara_rule behavioral1/memory/2392-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/296-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-40-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2868-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/600-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1688-106-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1688-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-119-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1500-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-193-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2160-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/692-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1696-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/268-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-404-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2164-419-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/852-442-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2896-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1012-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-499-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2300-498-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2556-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2296-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-738-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1368-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-788-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2328-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-829-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2852-878-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-1078-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2684-1080-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2468-1111-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2172-1140-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64; the process tree below shows the chain continuing past 120 nested stages). Every dropped binary is written to the root of the system drive (NT path \??\c:\) under a short random-looking name, and each stage launches only the next one, so the tree is a single linear chain rather than a fan-out. Writing files to the drive root would normally need elevated rights on Windows 7, which the sandbox's Admin account has; on a standard-user host the chain may behave differently. Note that PIDs are reused during the run (e.g. 2220, 2720 and the original 2392 each appear under two different image names), so earlier stages have exited and PID-based correlation across this report is unreliable — correlate on image name plus parent chain instead.
pid Process 296 pjpvj.exe 2040 m2062.exe 2664 hbtbnt.exe 2868 04242.exe 600 82402.exe 2220 86008.exe 2288 9xxxflr.exe 2880 082800.exe 2720 264466.exe 2432 266240.exe 1688 xfrrflr.exe 1828 tnnhtt.exe 2444 xrrxrrx.exe 1676 5dpdj.exe 1500 9pvdj.exe 468 4268002.exe 2956 i040668.exe 2576 1vjpv.exe 2232 g0846.exe 2272 fxxxllr.exe 2160 66002.exe 960 9dvjv.exe 1968 rxllrxx.exe 1528 m2680.exe 968 a4800.exe 1492 rfrxflr.exe 692 488466.exe 1696 vvvpj.exe 2364 flxlflf.exe 2092 pjdjv.exe 1944 bnhbbn.exe 1612 vjdjp.exe 2636 06200.exe 2172 fxlrflx.exe 2464 4806224.exe 3000 0860628.exe 2904 26002.exe 2864 xlrrxxf.exe 2936 tbtbnn.exe 2096 2008068.exe 2220 pdpdj.exe 3008 flflxlr.exe 2704 hhtbnt.exe 2748 s2062.exe 2720 c088440.exe 2784 w48084.exe 268 hbnthh.exe 1888 8644002.exe 2264 hhtbhh.exe 1672 e04022.exe 2164 w64088.exe 1460 2600240.exe 1724 8206406.exe 852 c662840.exe 2896 3nbhtt.exe 3020 6048440.exe 580 xlrxllr.exe 2252 pjddj.exe 1012 84280.exe 2796 e86244.exe 644 0868068.exe 2300 xxrrrxl.exe 2604 bbntbb.exe 1264 s6468.exe -
UPX packed file (YARA rule `upx`; the signature title is missing from this export — the in-memory hits below are the rule's matches, one per dropped stage)
resource yara_rule behavioral1/memory/2392-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-396-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2896-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-846-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-951-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2948-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-1066-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-1179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-1210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-1254-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also routine for benign, locale-aware software, so this signature is low-confidence on its own; treat it as corroborating context for the Blackmoon detection above rather than as an indicator by itself. Many entries below are attributed to "Process not Found", i.e. the sandbox could not map the registry read back to a tracked process (typically because that process had already exited), so per-stage attribution of this TTP is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0860628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8266846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0868068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0866066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0480286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q48004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64). In every entry the parent writes into the child it has just created — the target PIDs match the next stage in the process tree — and the same parent→child pair is logged four times, which is consistent with the parent staging the next-stage payload in the child before it runs. The report does not show what was written or at which address, so an injection-style technique is plausible but not established from this output alone.
description pid Process procid_target PID 2392 wrote to memory of 296 2392 dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe 31 PID 2392 wrote to memory of 296 2392 dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe 31 PID 2392 wrote to memory of 296 2392 dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe 31 PID 2392 wrote to memory of 296 2392 dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe 31 PID 296 wrote to memory of 2040 296 pjpvj.exe 32 PID 296 wrote to memory of 2040 296 pjpvj.exe 32 PID 296 wrote to memory of 2040 296 pjpvj.exe 32 PID 296 wrote to memory of 2040 296 pjpvj.exe 32 PID 2040 wrote to memory of 2664 2040 m2062.exe 33 PID 2040 wrote to memory of 2664 2040 m2062.exe 33 PID 2040 wrote to memory of 2664 2040 m2062.exe 33 PID 2040 wrote to memory of 2664 2040 m2062.exe 33 PID 2664 wrote to memory of 2868 2664 hbtbnt.exe 34 PID 2664 wrote to memory of 2868 2664 hbtbnt.exe 34 PID 2664 wrote to memory of 2868 2664 hbtbnt.exe 34 PID 2664 wrote to memory of 2868 2664 hbtbnt.exe 34 PID 2868 wrote to memory of 600 2868 04242.exe 35 PID 2868 wrote to memory of 600 2868 04242.exe 35 PID 2868 wrote to memory of 600 2868 04242.exe 35 PID 2868 wrote to memory of 600 2868 04242.exe 35 PID 600 wrote to memory of 2220 600 82402.exe 36 PID 600 wrote to memory of 2220 600 82402.exe 36 PID 600 wrote to memory of 2220 600 82402.exe 36 PID 600 wrote to memory of 2220 600 82402.exe 36 PID 2220 wrote to memory of 2288 2220 86008.exe 37 PID 2220 wrote to memory of 2288 2220 86008.exe 37 PID 2220 wrote to memory of 2288 2220 86008.exe 37 PID 2220 wrote to memory of 2288 2220 86008.exe 37 PID 2288 wrote to memory of 2880 2288 9xxxflr.exe 38 PID 2288 wrote to memory of 2880 2288 9xxxflr.exe 38 PID 2288 wrote to memory of 2880 2288 9xxxflr.exe 38 PID 2288 wrote to memory of 2880 2288 9xxxflr.exe 38 PID 2880 wrote to memory of 2720 2880 082800.exe 39 PID 2880 wrote to memory of 2720 2880 082800.exe 39 
PID 2880 wrote to memory of 2720 2880 082800.exe 39 PID 2880 wrote to memory of 2720 2880 082800.exe 39 PID 2720 wrote to memory of 2432 2720 264466.exe 40 PID 2720 wrote to memory of 2432 2720 264466.exe 40 PID 2720 wrote to memory of 2432 2720 264466.exe 40 PID 2720 wrote to memory of 2432 2720 264466.exe 40 PID 2432 wrote to memory of 1688 2432 266240.exe 41 PID 2432 wrote to memory of 1688 2432 266240.exe 41 PID 2432 wrote to memory of 1688 2432 266240.exe 41 PID 2432 wrote to memory of 1688 2432 266240.exe 41 PID 1688 wrote to memory of 1828 1688 xfrrflr.exe 42 PID 1688 wrote to memory of 1828 1688 xfrrflr.exe 42 PID 1688 wrote to memory of 1828 1688 xfrrflr.exe 42 PID 1688 wrote to memory of 1828 1688 xfrrflr.exe 42 PID 1828 wrote to memory of 2444 1828 tnnhtt.exe 43 PID 1828 wrote to memory of 2444 1828 tnnhtt.exe 43 PID 1828 wrote to memory of 2444 1828 tnnhtt.exe 43 PID 1828 wrote to memory of 2444 1828 tnnhtt.exe 43 PID 2444 wrote to memory of 1676 2444 xrrxrrx.exe 44 PID 2444 wrote to memory of 1676 2444 xrrxrrx.exe 44 PID 2444 wrote to memory of 1676 2444 xrrxrrx.exe 44 PID 2444 wrote to memory of 1676 2444 xrrxrrx.exe 44 PID 1676 wrote to memory of 1500 1676 5dpdj.exe 45 PID 1676 wrote to memory of 1500 1676 5dpdj.exe 45 PID 1676 wrote to memory of 1500 1676 5dpdj.exe 45 PID 1676 wrote to memory of 1500 1676 5dpdj.exe 45 PID 1500 wrote to memory of 468 1500 9pvdj.exe 46 PID 1500 wrote to memory of 468 1500 9pvdj.exe 46 PID 1500 wrote to memory of 468 1500 9pvdj.exe 46 PID 1500 wrote to memory of 468 1500 9pvdj.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe"C:\Users\Admin\AppData\Local\Temp\dec3433cd127ca9e62c6726b25ec1bd69d7e77540b548532714279f1a8b422df.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\pjpvj.exec:\pjpvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:296 -
\??\c:\m2062.exec:\m2062.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\hbtbnt.exec:\hbtbnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\04242.exec:\04242.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\82402.exec:\82402.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:600 -
\??\c:\86008.exec:\86008.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\9xxxflr.exec:\9xxxflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\082800.exec:\082800.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\264466.exec:\264466.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\266240.exec:\266240.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\xfrrflr.exec:\xfrrflr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\tnnhtt.exec:\tnnhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\xrrxrrx.exec:\xrrxrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\5dpdj.exec:\5dpdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\9pvdj.exec:\9pvdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\4268002.exec:\4268002.exe17⤵
- Executes dropped EXE
PID:468 -
\??\c:\i040668.exec:\i040668.exe18⤵
- Executes dropped EXE
PID:2956 -
\??\c:\1vjpv.exec:\1vjpv.exe19⤵
- Executes dropped EXE
PID:2576 -
\??\c:\g0846.exec:\g0846.exe20⤵
- Executes dropped EXE
PID:2232 -
\??\c:\fxxxllr.exec:\fxxxllr.exe21⤵
- Executes dropped EXE
PID:2272 -
\??\c:\66002.exec:\66002.exe22⤵
- Executes dropped EXE
PID:2160 -
\??\c:\9dvjv.exec:\9dvjv.exe23⤵
- Executes dropped EXE
PID:960 -
\??\c:\rxllrxx.exec:\rxllrxx.exe24⤵
- Executes dropped EXE
PID:1968 -
\??\c:\m2680.exec:\m2680.exe25⤵
- Executes dropped EXE
PID:1528 -
\??\c:\a4800.exec:\a4800.exe26⤵
- Executes dropped EXE
PID:968 -
\??\c:\rfrxflr.exec:\rfrxflr.exe27⤵
- Executes dropped EXE
PID:1492 -
\??\c:\488466.exec:\488466.exe28⤵
- Executes dropped EXE
PID:692 -
\??\c:\vvvpj.exec:\vvvpj.exe29⤵
- Executes dropped EXE
PID:1696 -
\??\c:\flxlflf.exec:\flxlflf.exe30⤵
- Executes dropped EXE
PID:2364 -
\??\c:\pjdjv.exec:\pjdjv.exe31⤵
- Executes dropped EXE
PID:2092 -
\??\c:\bnhbbn.exec:\bnhbbn.exe32⤵
- Executes dropped EXE
PID:1944 -
\??\c:\vjdjp.exec:\vjdjp.exe33⤵
- Executes dropped EXE
PID:1612 -
\??\c:\06200.exec:\06200.exe34⤵
- Executes dropped EXE
PID:2636 -
\??\c:\fxlrflx.exec:\fxlrflx.exe35⤵
- Executes dropped EXE
PID:2172 -
\??\c:\4806224.exec:\4806224.exe36⤵
- Executes dropped EXE
PID:2464 -
\??\c:\0860628.exec:\0860628.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
\??\c:\26002.exec:\26002.exe38⤵
- Executes dropped EXE
PID:2904 -
\??\c:\xlrrxxf.exec:\xlrrxxf.exe39⤵
- Executes dropped EXE
PID:2864 -
\??\c:\tbtbnn.exec:\tbtbnn.exe40⤵
- Executes dropped EXE
PID:2936 -
\??\c:\2008068.exec:\2008068.exe41⤵
- Executes dropped EXE
PID:2096 -
\??\c:\pdpdj.exec:\pdpdj.exe42⤵
- Executes dropped EXE
PID:2220 -
\??\c:\flflxlr.exec:\flflxlr.exe43⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hhtbnt.exec:\hhtbnt.exe44⤵
- Executes dropped EXE
PID:2704 -
\??\c:\s2062.exec:\s2062.exe45⤵
- Executes dropped EXE
PID:2748 -
\??\c:\c088440.exec:\c088440.exe46⤵
- Executes dropped EXE
PID:2720 -
\??\c:\w48084.exec:\w48084.exe47⤵
- Executes dropped EXE
PID:2784 -
\??\c:\hbnthh.exec:\hbnthh.exe48⤵
- Executes dropped EXE
PID:268 -
\??\c:\8644002.exec:\8644002.exe49⤵
- Executes dropped EXE
PID:1888 -
\??\c:\hhtbhh.exec:\hhtbhh.exe50⤵
- Executes dropped EXE
PID:2264 -
\??\c:\e04022.exec:\e04022.exe51⤵
- Executes dropped EXE
PID:1672 -
\??\c:\w64088.exec:\w64088.exe52⤵
- Executes dropped EXE
PID:2164 -
\??\c:\2600240.exec:\2600240.exe53⤵
- Executes dropped EXE
PID:1460 -
\??\c:\8206406.exec:\8206406.exe54⤵
- Executes dropped EXE
PID:1724 -
\??\c:\c662840.exec:\c662840.exe55⤵
- Executes dropped EXE
PID:852 -
\??\c:\3nbhtt.exec:\3nbhtt.exe56⤵
- Executes dropped EXE
PID:2896 -
\??\c:\6048440.exec:\6048440.exe57⤵
- Executes dropped EXE
PID:3020 -
\??\c:\xlrxllr.exec:\xlrxllr.exe58⤵
- Executes dropped EXE
PID:580 -
\??\c:\pjddj.exec:\pjddj.exe59⤵
- Executes dropped EXE
PID:2252 -
\??\c:\84280.exec:\84280.exe60⤵
- Executes dropped EXE
PID:1012 -
\??\c:\e86244.exec:\e86244.exe61⤵
- Executes dropped EXE
PID:2796 -
\??\c:\0868068.exec:\0868068.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:644 -
\??\c:\xxrrrxl.exec:\xxrrrxl.exe63⤵
- Executes dropped EXE
PID:2300 -
\??\c:\bbntbb.exec:\bbntbb.exe64⤵
- Executes dropped EXE
PID:2604 -
\??\c:\s6468.exec:\s6468.exe65⤵
- Executes dropped EXE
PID:1264 -
\??\c:\q88460.exec:\q88460.exe66⤵PID:2304
-
\??\c:\602044.exec:\602044.exe67⤵PID:1604
-
\??\c:\vppvv.exec:\vppvv.exe68⤵PID:2224
-
\??\c:\dddpv.exec:\dddpv.exe69⤵PID:2200
-
\??\c:\088462.exec:\088462.exe70⤵PID:2556
-
\??\c:\7vpdp.exec:\7vpdp.exe71⤵PID:2560
-
\??\c:\m6006.exec:\m6006.exe72⤵PID:2572
-
\??\c:\5thbhn.exec:\5thbhn.exe73⤵PID:2600
-
\??\c:\a8628.exec:\a8628.exe74⤵PID:2128
-
\??\c:\nbtbtt.exec:\nbtbtt.exe75⤵PID:2100
-
\??\c:\nbntbh.exec:\nbntbh.exe76⤵
- System Location Discovery: System Language Discovery
PID:2416 -
\??\c:\vjvpv.exec:\vjvpv.exe77⤵PID:2636
-
\??\c:\k60688.exec:\k60688.exe78⤵PID:2296
-
\??\c:\0808448.exec:\0808448.exe79⤵PID:572
-
\??\c:\042640.exec:\042640.exe80⤵PID:2800
-
\??\c:\dvjdv.exec:\dvjdv.exe81⤵PID:2976
-
\??\c:\9rrlrlx.exec:\9rrlrlx.exe82⤵PID:2816
-
\??\c:\86002.exec:\86002.exe83⤵PID:2712
-
\??\c:\1bbhtt.exec:\1bbhtt.exe84⤵PID:2968
-
\??\c:\204846.exec:\204846.exe85⤵PID:2728
-
\??\c:\c468440.exec:\c468440.exe86⤵PID:2824
-
\??\c:\nntthb.exec:\nntthb.exe87⤵PID:1464
-
\??\c:\q64460.exec:\q64460.exe88⤵PID:2832
-
\??\c:\dvpvj.exec:\dvpvj.exe89⤵PID:2136
-
\??\c:\860062.exec:\860062.exe90⤵PID:1212
-
\??\c:\0428844.exec:\0428844.exe91⤵PID:2076
-
\??\c:\jdvdp.exec:\jdvdp.exe92⤵PID:1116
-
\??\c:\a4468.exec:\a4468.exe93⤵PID:1200
-
\??\c:\0424006.exec:\0424006.exe94⤵PID:1360
-
\??\c:\1bnbhn.exec:\1bnbhn.exe95⤵PID:1684
-
\??\c:\bbnthh.exec:\bbnthh.exe96⤵PID:1676
-
\??\c:\g0286.exec:\g0286.exe97⤵PID:1460
-
\??\c:\xxxxflx.exec:\xxxxflx.exe98⤵PID:1724
-
\??\c:\bbbhtb.exec:\bbbhtb.exe99⤵PID:316
-
\??\c:\tnhntb.exec:\tnhntb.exe100⤵PID:1008
-
\??\c:\220200.exec:\220200.exe101⤵PID:3020
-
\??\c:\88284.exec:\88284.exe102⤵PID:2476
-
\??\c:\xfxfrrl.exec:\xfxfrrl.exe103⤵PID:3048
-
\??\c:\dvpjj.exec:\dvpjj.exe104⤵PID:2184
-
\??\c:\lfxrxxl.exec:\lfxrxxl.exe105⤵PID:2160
-
\??\c:\0468402.exec:\0468402.exe106⤵PID:696
-
\??\c:\48006.exec:\48006.exe107⤵PID:1308
-
\??\c:\dvppp.exec:\dvppp.exe108⤵PID:1368
-
\??\c:\ppjjd.exec:\ppjjd.exe109⤵PID:1788
-
\??\c:\642022.exec:\642022.exe110⤵PID:1572
-
\??\c:\420404.exec:\420404.exe111⤵PID:848
-
\??\c:\426622.exec:\426622.exe112⤵PID:1740
-
\??\c:\rfrrffl.exec:\rfrrffl.exe113⤵PID:2124
-
\??\c:\frlrrrx.exec:\frlrrrx.exe114⤵PID:2328
-
\??\c:\g8628.exec:\g8628.exe115⤵PID:620
-
\??\c:\thnnnn.exec:\thnnnn.exe116⤵PID:2104
-
\??\c:\608400.exec:\608400.exe117⤵PID:2188
-
\??\c:\5vjpv.exec:\5vjpv.exe118⤵PID:1944
-
\??\c:\o604440.exec:\o604440.exe119⤵PID:2308
-
\??\c:\bbnbhh.exec:\bbnbhh.exe120⤵PID:2392
-
\??\c:\tnbbtn.exec:\tnbbtn.exe121⤵PID:1940
-
\??\c:\nhbnbb.exec:\nhbnbb.exe122⤵PID:2892