Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 04:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
afca385949b9b86ac1e7281fcf17dd06d24969264e81960a8ee39608cb9807bcN.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
afca385949b9b86ac1e7281fcf17dd06d24969264e81960a8ee39608cb9807bcN.exe
-
Size
453KB
-
MD5
6f3660785a4c6962e6f7dfcd83a37ec0
-
SHA1
ef0050719a52e41bc923286c8fef36f64d90f437
-
SHA256
afca385949b9b86ac1e7281fcf17dd06d24969264e81960a8ee39608cb9807bc
-
SHA512
1687b54dddb058b1bd1d7f2af5f14715e4e2d2c844c577d0f3b2b3907e8f1a2e42e236e5bfedd3583b8a765055ed2bf13a1eec42bdc6f421fc20614063f9b104
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/1788-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-26-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2516-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-41-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2800-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-46-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2752-66-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2752-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-64-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2844-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-87-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2744-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-85-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2556-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2924-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-188-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/2248-187-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/1036-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-219-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-245-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2996-254-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2388-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-311-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2464-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-378-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2860-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/688-505-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1864-522-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2304-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-589-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2136-634-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2856-641-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2168-667-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2756-691-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2208-740-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1360-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-779-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2304-856-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2652-888-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2144-895-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1788 62008.exe 2516 426284.exe 2252 vdpjj.exe 1604 w64088.exe 2800 dvpvp.exe 2752 vvppd.exe 2844 w24062.exe 2744 c800228.exe 2556 3vjpd.exe 3052 2688444.exe 1064 208066.exe 2848 hhbhtn.exe 2368 dvdvd.exe 2872 3jppj.exe 1244 g6222.exe 1768 482840.exe 2924 482806.exe 2220 vddjj.exe 2248 08840.exe 1036 c862402.exe 3044 lfrxxff.exe 1628 9nbbnn.exe 1752 1jdjj.exe 2216 20846.exe 568 lxrrllr.exe 1860 vvdvv.exe 2996 tnbbhb.exe 2112 jdpdj.exe 2388 424402.exe 1316 bthbhh.exe 1956 s6860.exe 2624 rxllxll.exe 2772 nbttnn.exe 2464 5lrrllr.exe 2736 jdvjv.exe 2136 tnttbb.exe 2784 8246246.exe 2696 860628.exe 2804 5bhhhn.exe 2888 xrffrrx.exe 2936 llxffff.exe 2656 jdpdj.exe 2564 1rlllrr.exe 2560 4884224.exe 2100 rfxrxlx.exe 2944 8202446.exe 1032 q46660.exe 2860 tnhbnh.exe 2044 86268.exe 1824 6084402.exe 2864 xlflrrx.exe 2872 jvddd.exe 2908 htnnhn.exe 2928 vpvpj.exe 2892 288466.exe 2640 2288406.exe 2400 864400.exe 2384 lfxrrfr.exe 868 q60682.exe 872 64668.exe 3044 dpjdj.exe 1628 2022884.exe 688 5jjpj.exe 928 btnntt.exe -
resource yara_rule behavioral1/memory/1788-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-64-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2844-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-123-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2368-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-303-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2464-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-536-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2304-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-773-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2256-863-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q64062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480004.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6020228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 246622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64228.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 784 wrote to memory of 1788 784 afca385949b9b86ac1e7281fcf17dd06d24969264e81960a8ee39608cb9807bcN.exe 31 PID 784 wrote to memory of 1788 784 afca385949b9b86ac1e7281fcf17dd06d24969264e81960a8ee39608cb9807bcN.exe 31 PID 784 wrote to memory of 1788 784 afca385949b9b86ac1e7281fcf17dd06d24969264e81960a8ee39608cb9807bcN.exe 31 PID 784 wrote to memory of 1788 784 afca385949b9b86ac1e7281fcf17dd06d24969264e81960a8ee39608cb9807bcN.exe 31 PID 1788 wrote to memory of 2516 1788 62008.exe 32 PID 1788 wrote to memory of 2516 1788 62008.exe 32 PID 1788 wrote to memory of 2516 1788 62008.exe 32 PID 1788 wrote to memory of 2516 1788 62008.exe 32 PID 2516 wrote to memory of 2252 2516 426284.exe 33 PID 2516 wrote to memory of 2252 2516 426284.exe 33 PID 2516 wrote to memory of 2252 2516 426284.exe 33 PID 2516 wrote to memory of 2252 2516 426284.exe 33 PID 2252 wrote to memory of 1604 2252 vdpjj.exe 34 PID 2252 wrote to memory of 1604 2252 vdpjj.exe 34 PID 2252 wrote to memory of 1604 2252 vdpjj.exe 34 PID 2252 wrote to memory of 1604 2252 vdpjj.exe 34 PID 1604 wrote to memory of 2800 1604 w64088.exe 35 PID 1604 wrote to memory of 2800 1604 w64088.exe 35 PID 1604 wrote to memory of 2800 1604 w64088.exe 35 PID 1604 wrote to memory of 2800 1604 w64088.exe 35 PID 2800 wrote to memory of 2752 2800 dvpvp.exe 36 PID 2800 wrote to memory of 2752 2800 dvpvp.exe 36 PID 2800 wrote to memory of 2752 2800 dvpvp.exe 36 PID 2800 wrote to memory of 2752 2800 dvpvp.exe 36 PID 2752 wrote to memory of 2844 2752 vvppd.exe 37 PID 2752 wrote to memory of 2844 2752 vvppd.exe 37 PID 2752 wrote to memory of 2844 2752 vvppd.exe 37 PID 2752 wrote to memory of 2844 2752 vvppd.exe 37 PID 2844 wrote to memory of 2744 2844 w24062.exe 38 PID 2844 wrote to memory of 2744 2844 w24062.exe 38 PID 2844 wrote to memory of 2744 2844 w24062.exe 38 PID 2844 wrote to memory of 2744 2844 w24062.exe 38 PID 2744 wrote to memory of 2556 2744 c800228.exe 39 PID 2744 wrote to memory of 2556 
2744 c800228.exe 39 PID 2744 wrote to memory of 2556 2744 c800228.exe 39 PID 2744 wrote to memory of 2556 2744 c800228.exe 39 PID 2556 wrote to memory of 3052 2556 3vjpd.exe 40 PID 2556 wrote to memory of 3052 2556 3vjpd.exe 40 PID 2556 wrote to memory of 3052 2556 3vjpd.exe 40 PID 2556 wrote to memory of 3052 2556 3vjpd.exe 40 PID 3052 wrote to memory of 1064 3052 2688444.exe 41 PID 3052 wrote to memory of 1064 3052 2688444.exe 41 PID 3052 wrote to memory of 1064 3052 2688444.exe 41 PID 3052 wrote to memory of 1064 3052 2688444.exe 41 PID 1064 wrote to memory of 2848 1064 208066.exe 42 PID 1064 wrote to memory of 2848 1064 208066.exe 42 PID 1064 wrote to memory of 2848 1064 208066.exe 42 PID 1064 wrote to memory of 2848 1064 208066.exe 42 PID 2848 wrote to memory of 2368 2848 hhbhtn.exe 43 PID 2848 wrote to memory of 2368 2848 hhbhtn.exe 43 PID 2848 wrote to memory of 2368 2848 hhbhtn.exe 43 PID 2848 wrote to memory of 2368 2848 hhbhtn.exe 43 PID 2368 wrote to memory of 2872 2368 dvdvd.exe 44 PID 2368 wrote to memory of 2872 2368 dvdvd.exe 44 PID 2368 wrote to memory of 2872 2368 dvdvd.exe 44 PID 2368 wrote to memory of 2872 2368 dvdvd.exe 44 PID 2872 wrote to memory of 1244 2872 3jppj.exe 45 PID 2872 wrote to memory of 1244 2872 3jppj.exe 45 PID 2872 wrote to memory of 1244 2872 3jppj.exe 45 PID 2872 wrote to memory of 1244 2872 3jppj.exe 45 PID 1244 wrote to memory of 1768 1244 g6222.exe 46 PID 1244 wrote to memory of 1768 1244 g6222.exe 46 PID 1244 wrote to memory of 1768 1244 g6222.exe 46 PID 1244 wrote to memory of 1768 1244 g6222.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\afca385949b9b86ac1e7281fcf17dd06d24969264e81960a8ee39608cb9807bcN.exe"C:\Users\Admin\AppData\Local\Temp\afca385949b9b86ac1e7281fcf17dd06d24969264e81960a8ee39608cb9807bcN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\62008.exec:\62008.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\426284.exec:\426284.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\vdpjj.exec:\vdpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\w64088.exec:\w64088.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\dvpvp.exec:\dvpvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\vvppd.exec:\vvppd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\w24062.exec:\w24062.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\c800228.exec:\c800228.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\3vjpd.exec:\3vjpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\2688444.exec:\2688444.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\208066.exec:\208066.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\hhbhtn.exec:\hhbhtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\dvdvd.exec:\dvdvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\3jppj.exec:\3jppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\g6222.exec:\g6222.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\482840.exec:\482840.exe17⤵
- Executes dropped EXE
PID:1768 -
\??\c:\482806.exec:\482806.exe18⤵
- Executes dropped EXE
PID:2924 -
\??\c:\vddjj.exec:\vddjj.exe19⤵
- Executes dropped EXE
PID:2220 -
\??\c:\08840.exec:\08840.exe20⤵
- Executes dropped EXE
PID:2248 -
\??\c:\c862402.exec:\c862402.exe21⤵
- Executes dropped EXE
PID:1036 -
\??\c:\lfrxxff.exec:\lfrxxff.exe22⤵
- Executes dropped EXE
PID:3044 -
\??\c:\9nbbnn.exec:\9nbbnn.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628 -
\??\c:\1jdjj.exec:\1jdjj.exe24⤵
- Executes dropped EXE
PID:1752 -
\??\c:\20846.exec:\20846.exe25⤵
- Executes dropped EXE
PID:2216 -
\??\c:\lxrrllr.exec:\lxrrllr.exe26⤵
- Executes dropped EXE
PID:568 -
\??\c:\vvdvv.exec:\vvdvv.exe27⤵
- Executes dropped EXE
PID:1860 -
\??\c:\tnbbhb.exec:\tnbbhb.exe28⤵
- Executes dropped EXE
PID:2996 -
\??\c:\jdpdj.exec:\jdpdj.exe29⤵
- Executes dropped EXE
PID:2112 -
\??\c:\424402.exec:\424402.exe30⤵
- Executes dropped EXE
PID:2388 -
\??\c:\bthbhh.exec:\bthbhh.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1316 -
\??\c:\s6860.exec:\s6860.exe32⤵
- Executes dropped EXE
PID:1956 -
\??\c:\rxllxll.exec:\rxllxll.exe33⤵
- Executes dropped EXE
PID:2624 -
\??\c:\nbttnn.exec:\nbttnn.exe34⤵
- Executes dropped EXE
PID:2772 -
\??\c:\5lrrllr.exec:\5lrrllr.exe35⤵
- Executes dropped EXE
PID:2464 -
\??\c:\jdvjv.exec:\jdvjv.exe36⤵
- Executes dropped EXE
PID:2736 -
\??\c:\tnttbb.exec:\tnttbb.exe37⤵
- Executes dropped EXE
PID:2136 -
\??\c:\8246246.exec:\8246246.exe38⤵
- Executes dropped EXE
PID:2784 -
\??\c:\860628.exec:\860628.exe39⤵
- Executes dropped EXE
PID:2696 -
\??\c:\5bhhhn.exec:\5bhhhn.exe40⤵
- Executes dropped EXE
PID:2804 -
\??\c:\xrffrrx.exec:\xrffrrx.exe41⤵
- Executes dropped EXE
PID:2888 -
\??\c:\llxffff.exec:\llxffff.exe42⤵
- Executes dropped EXE
PID:2936 -
\??\c:\jdpdj.exec:\jdpdj.exe43⤵
- Executes dropped EXE
PID:2656 -
\??\c:\1rlllrr.exec:\1rlllrr.exe44⤵
- Executes dropped EXE
PID:2564 -
\??\c:\4884224.exec:\4884224.exe45⤵
- Executes dropped EXE
PID:2560 -
\??\c:\rfxrxlx.exec:\rfxrxlx.exe46⤵
- Executes dropped EXE
PID:2100 -
\??\c:\8202446.exec:\8202446.exe47⤵
- Executes dropped EXE
PID:2944 -
\??\c:\q46660.exec:\q46660.exe48⤵
- Executes dropped EXE
PID:1032 -
\??\c:\tnhbnh.exec:\tnhbnh.exe49⤵
- Executes dropped EXE
PID:2860 -
\??\c:\86268.exec:\86268.exe50⤵
- Executes dropped EXE
PID:2044 -
\??\c:\6084402.exec:\6084402.exe51⤵
- Executes dropped EXE
PID:1824 -
\??\c:\xlflrrx.exec:\xlflrrx.exe52⤵
- Executes dropped EXE
PID:2864 -
\??\c:\jvddd.exec:\jvddd.exe53⤵
- Executes dropped EXE
PID:2872 -
\??\c:\htnnhn.exec:\htnnhn.exe54⤵
- Executes dropped EXE
PID:2908 -
\??\c:\vpvpj.exec:\vpvpj.exe55⤵
- Executes dropped EXE
PID:2928 -
\??\c:\288466.exec:\288466.exe56⤵
- Executes dropped EXE
PID:2892 -
\??\c:\2288406.exec:\2288406.exe57⤵
- Executes dropped EXE
PID:2640 -
\??\c:\864400.exec:\864400.exe58⤵
- Executes dropped EXE
PID:2400 -
\??\c:\lfxrrfr.exec:\lfxrrfr.exe59⤵
- Executes dropped EXE
PID:2384 -
\??\c:\q60682.exec:\q60682.exe60⤵
- Executes dropped EXE
PID:868 -
\??\c:\64668.exec:\64668.exe61⤵
- Executes dropped EXE
PID:872 -
\??\c:\dpjdj.exec:\dpjdj.exe62⤵
- Executes dropped EXE
PID:3044 -
\??\c:\2022884.exec:\2022884.exe63⤵
- Executes dropped EXE
PID:1628 -
\??\c:\5jjpj.exec:\5jjpj.exe64⤵
- Executes dropped EXE
PID:688 -
\??\c:\btnntt.exec:\btnntt.exe65⤵
- Executes dropped EXE
PID:928 -
\??\c:\64224.exec:\64224.exe66⤵PID:1864
-
\??\c:\2466802.exec:\2466802.exe67⤵PID:2120
-
\??\c:\ddjpj.exec:\ddjpj.exe68⤵PID:3020
-
\??\c:\k08406.exec:\k08406.exe69⤵PID:1060
-
\??\c:\640406.exec:\640406.exe70⤵PID:1736
-
\??\c:\e64400.exec:\e64400.exe71⤵PID:2304
-
\??\c:\2262608.exec:\2262608.exe72⤵PID:904
-
\??\c:\btnbtb.exec:\btnbtb.exe73⤵PID:1404
-
\??\c:\httbht.exec:\httbht.exe74⤵PID:784
-
\??\c:\202806.exec:\202806.exe75⤵PID:2320
-
\??\c:\a0888.exec:\a0888.exe76⤵PID:1588
-
\??\c:\nnbhnh.exec:\nnbhnh.exe77⤵PID:608
-
\??\c:\642844.exec:\642844.exe78⤵PID:2192
-
\??\c:\0424620.exec:\0424620.exe79⤵PID:596
-
\??\c:\tbntbb.exec:\tbntbb.exe80⤵PID:2136
-
\??\c:\44446.exec:\44446.exe81⤵PID:2800
-
\??\c:\0422402.exec:\0422402.exe82⤵PID:2696
-
\??\c:\w08062.exec:\w08062.exe83⤵PID:2804
-
\??\c:\c206240.exec:\c206240.exe84⤵PID:2856
-
\??\c:\lfllrrf.exec:\lfllrrf.exe85⤵PID:2592
-
\??\c:\thbhtt.exec:\thbhtt.exe86⤵PID:2608
-
\??\c:\pjdjp.exec:\pjdjp.exe87⤵PID:1248
-
\??\c:\26402.exec:\26402.exe88⤵PID:2168
-
\??\c:\htnntt.exec:\htnntt.exe89⤵PID:1684
-
\??\c:\bnbbtn.exec:\bnbbtn.exe90⤵PID:2644
-
\??\c:\208040.exec:\208040.exe91⤵PID:1064
-
\??\c:\xlxfflr.exec:\xlxfflr.exe92⤵PID:2756
-
\??\c:\8040662.exec:\8040662.exe93⤵PID:2840
-
\??\c:\bnntbb.exec:\bnntbb.exe94⤵PID:1448
-
\??\c:\1dppv.exec:\1dppv.exe95⤵PID:1216
-
\??\c:\g4644.exec:\g4644.exe96⤵PID:2872
-
\??\c:\tnnnbb.exec:\tnnnbb.exe97⤵PID:2164
-
\??\c:\xxfrrxr.exec:\xxfrrxr.exe98⤵PID:2928
-
\??\c:\04266.exec:\04266.exe99⤵PID:2208
-
\??\c:\084888.exec:\084888.exe100⤵PID:2640
-
\??\c:\7hbbbb.exec:\7hbbbb.exe101⤵PID:1144
-
\??\c:\5tbbbt.exec:\5tbbbt.exe102⤵PID:2004
-
\??\c:\u460602.exec:\u460602.exe103⤵PID:1536
-
\??\c:\q80660.exec:\q80660.exe104⤵PID:1360
-
\??\c:\g4288.exec:\g4288.exe105⤵PID:1744
-
\??\c:\o206268.exec:\o206268.exe106⤵PID:924
-
\??\c:\6028062.exec:\6028062.exe107⤵PID:1348
-
\??\c:\4282440.exec:\4282440.exe108⤵PID:928
-
\??\c:\9ntnbh.exec:\9ntnbh.exe109⤵PID:1804
-
\??\c:\9hbntb.exec:\9hbntb.exe110⤵PID:2120
-
\??\c:\68006.exec:\68006.exe111⤵PID:3020
-
\??\c:\9jvdj.exec:\9jvdj.exe112⤵PID:2204
-
\??\c:\86000.exec:\86000.exe113⤵PID:1736
-
\??\c:\lrlxflx.exec:\lrlxflx.exe114⤵PID:2304
-
\??\c:\7thhhh.exec:\7thhhh.exe115⤵PID:1316
-
\??\c:\1hhthn.exec:\1hhthn.exe116⤵PID:1404
-
\??\c:\dvpvd.exec:\dvpvd.exe117⤵PID:2184
-
\??\c:\486200.exec:\486200.exe118⤵PID:2256
-
\??\c:\lfxxfrr.exec:\lfxxfrr.exe119⤵PID:1588
-
\??\c:\4866662.exec:\4866662.exe120⤵PID:2144
-
\??\c:\tthhnt.exec:\tthhnt.exe121⤵PID:2252
-
\??\c:\86400.exec:\86400.exe122⤵PID:2652