Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 03:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe
-
Size
454KB
-
MD5
a4319609f28b9d61afba64238ae38020
-
SHA1
3e997874e47f6c90dce9e409d5c928199734ce41
-
SHA256
1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8
-
SHA512
a8e277f5e23510603da42044d17865e94e6351299917b67f15af91c45a0eecf456595b60cf29778209b4bc0b9a1a56657383b20f6b4fa990e3fa213c62816cd5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 36 IoCs
resource yara_rule behavioral1/memory/1924-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1288-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2480-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/552-556-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-765-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2988-921-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-1215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1924 20622.exe 2308 3pvvd.exe 2112 1nhbhh.exe 2480 jpddp.exe 2904 428460.exe 1288 rlrxllx.exe 2780 ttnntt.exe 2912 pdppp.exe 2776 48028.exe 2728 6468602.exe 2248 3tnhnh.exe 1852 nhttbb.exe 2892 e88426.exe 784 1dpdp.exe 2852 086622.exe 1568 nththb.exe 1136 ttnbtt.exe 1536 9rllrrf.exe 1152 jdddp.exe 3036 64006.exe 2120 202200.exe 2336 20246.exe 836 rfrllff.exe 1684 20606.exe 3060 7jvdd.exe 1692 rxflxxx.exe 748 6424628.exe 2408 g8624.exe 2116 08000.exe 2568 48000.exe 980 8648884.exe 1648 pdpvp.exe 1488 hbhhnh.exe 2744 lxflxxx.exe 2524 9rfxfff.exe 1564 hbtthb.exe 2952 frxxflf.exe 2460 9lfrxxl.exe 2480 e04460.exe 2788 lfxrrlr.exe 2860 q24026.exe 2772 3ntnnh.exe 2936 g4664.exe 2740 7htbtt.exe 2784 bhthnn.exe 2932 hthhnn.exe 1392 26024.exe 1480 jdpvv.exe 2964 86886.exe 948 m6446.exe 1568 rfrrfxl.exe 236 o462284.exe 1136 802800.exe 3012 g2002.exe 2064 6428402.exe 2412 86406.exe 3064 6262008.exe 2068 rrxffxf.exe 2340 rfxxfrr.exe 1108 3xlffff.exe 2348 htnntt.exe 1912 m8068.exe 2652 jdvjv.exe 3048 3rffffl.exe -
resource yara_rule behavioral1/memory/1924-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-37-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2112-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/732-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-810-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-883-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-921-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-934-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-1044-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2132-1099-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-1202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-1215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-1222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-1271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-1339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-1342-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2040402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4866480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i866446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8028668.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k86244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i084228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6466480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1740 wrote to memory of 1924 1740 1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe 30 PID 1740 wrote to memory of 1924 1740 1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe 30 PID 1740 wrote to memory of 1924 1740 1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe 30 PID 1740 wrote to memory of 1924 1740 1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe 30 PID 1924 wrote to memory of 2308 1924 20622.exe 31 PID 1924 wrote to memory of 2308 1924 20622.exe 31 PID 1924 wrote to memory of 2308 1924 20622.exe 31 PID 1924 wrote to memory of 2308 1924 20622.exe 31 PID 2308 wrote to memory of 2112 2308 3pvvd.exe 32 PID 2308 wrote to memory of 2112 2308 3pvvd.exe 32 PID 2308 wrote to memory of 2112 2308 3pvvd.exe 32 PID 2308 wrote to memory of 2112 2308 3pvvd.exe 32 PID 2112 wrote to memory of 2480 2112 1nhbhh.exe 68 PID 2112 wrote to memory of 2480 2112 1nhbhh.exe 68 PID 2112 wrote to memory of 2480 2112 1nhbhh.exe 68 PID 2112 wrote to memory of 2480 2112 1nhbhh.exe 68 PID 2480 wrote to memory of 2904 2480 jpddp.exe 34 PID 2480 wrote to memory of 2904 2480 jpddp.exe 34 PID 2480 wrote to memory of 2904 2480 jpddp.exe 34 PID 2480 wrote to memory of 2904 2480 jpddp.exe 34 PID 2904 wrote to memory of 1288 2904 428460.exe 35 PID 2904 wrote to memory of 1288 2904 428460.exe 35 PID 2904 wrote to memory of 1288 2904 428460.exe 35 PID 2904 wrote to memory of 1288 2904 428460.exe 35 PID 1288 wrote to memory of 2780 1288 rlrxllx.exe 36 PID 1288 wrote to memory of 2780 1288 rlrxllx.exe 36 PID 1288 wrote to memory of 2780 1288 rlrxllx.exe 36 PID 1288 wrote to memory of 2780 1288 rlrxllx.exe 36 PID 2780 wrote to memory of 2912 2780 ttnntt.exe 37 PID 2780 wrote to memory of 2912 2780 ttnntt.exe 37 PID 2780 wrote to memory of 2912 2780 ttnntt.exe 37 PID 2780 wrote to memory of 2912 2780 ttnntt.exe 37 PID 2912 wrote to memory of 2776 2912 pdppp.exe 38 PID 2912 wrote to 
memory of 2776 2912 pdppp.exe 38 PID 2912 wrote to memory of 2776 2912 pdppp.exe 38 PID 2912 wrote to memory of 2776 2912 pdppp.exe 38 PID 2776 wrote to memory of 2728 2776 48028.exe 39 PID 2776 wrote to memory of 2728 2776 48028.exe 39 PID 2776 wrote to memory of 2728 2776 48028.exe 39 PID 2776 wrote to memory of 2728 2776 48028.exe 39 PID 2728 wrote to memory of 2248 2728 6468602.exe 40 PID 2728 wrote to memory of 2248 2728 6468602.exe 40 PID 2728 wrote to memory of 2248 2728 6468602.exe 40 PID 2728 wrote to memory of 2248 2728 6468602.exe 40 PID 2248 wrote to memory of 1852 2248 3tnhnh.exe 41 PID 2248 wrote to memory of 1852 2248 3tnhnh.exe 41 PID 2248 wrote to memory of 1852 2248 3tnhnh.exe 41 PID 2248 wrote to memory of 1852 2248 3tnhnh.exe 41 PID 1852 wrote to memory of 2892 1852 nhttbb.exe 42 PID 1852 wrote to memory of 2892 1852 nhttbb.exe 42 PID 1852 wrote to memory of 2892 1852 nhttbb.exe 42 PID 1852 wrote to memory of 2892 1852 nhttbb.exe 42 PID 2892 wrote to memory of 784 2892 e88426.exe 43 PID 2892 wrote to memory of 784 2892 e88426.exe 43 PID 2892 wrote to memory of 784 2892 e88426.exe 43 PID 2892 wrote to memory of 784 2892 e88426.exe 43 PID 784 wrote to memory of 2852 784 1dpdp.exe 44 PID 784 wrote to memory of 2852 784 1dpdp.exe 44 PID 784 wrote to memory of 2852 784 1dpdp.exe 44 PID 784 wrote to memory of 2852 784 1dpdp.exe 44 PID 2852 wrote to memory of 1568 2852 086622.exe 45 PID 2852 wrote to memory of 1568 2852 086622.exe 45 PID 2852 wrote to memory of 1568 2852 086622.exe 45 PID 2852 wrote to memory of 1568 2852 086622.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe"C:\Users\Admin\AppData\Local\Temp\1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\20622.exec:\20622.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\3pvvd.exec:\3pvvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\1nhbhh.exec:\1nhbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\jpddp.exec:\jpddp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\428460.exec:\428460.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\rlrxllx.exec:\rlrxllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\ttnntt.exec:\ttnntt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\pdppp.exec:\pdppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\48028.exec:\48028.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\6468602.exec:\6468602.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\3tnhnh.exec:\3tnhnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\nhttbb.exec:\nhttbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\e88426.exec:\e88426.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\1dpdp.exec:\1dpdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\086622.exec:\086622.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\nththb.exec:\nththb.exe17⤵
- Executes dropped EXE
PID:1568 -
\??\c:\ttnbtt.exec:\ttnbtt.exe18⤵
- Executes dropped EXE
PID:1136 -
\??\c:\9rllrrf.exec:\9rllrrf.exe19⤵
- Executes dropped EXE
PID:1536 -
\??\c:\jdddp.exec:\jdddp.exe20⤵
- Executes dropped EXE
PID:1152 -
\??\c:\64006.exec:\64006.exe21⤵
- Executes dropped EXE
PID:3036 -
\??\c:\202200.exec:\202200.exe22⤵
- Executes dropped EXE
PID:2120 -
\??\c:\20246.exec:\20246.exe23⤵
- Executes dropped EXE
PID:2336 -
\??\c:\rfrllff.exec:\rfrllff.exe24⤵
- Executes dropped EXE
PID:836 -
\??\c:\20606.exec:\20606.exe25⤵
- Executes dropped EXE
PID:1684 -
\??\c:\7jvdd.exec:\7jvdd.exe26⤵
- Executes dropped EXE
PID:3060 -
\??\c:\rxflxxx.exec:\rxflxxx.exe27⤵
- Executes dropped EXE
PID:1692 -
\??\c:\6424628.exec:\6424628.exe28⤵
- Executes dropped EXE
PID:748 -
\??\c:\g8624.exec:\g8624.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2408 -
\??\c:\08000.exec:\08000.exe30⤵
- Executes dropped EXE
PID:2116 -
\??\c:\48000.exec:\48000.exe31⤵
- Executes dropped EXE
PID:2568 -
\??\c:\8648884.exec:\8648884.exe32⤵
- Executes dropped EXE
PID:980 -
\??\c:\pdpvp.exec:\pdpvp.exe33⤵
- Executes dropped EXE
PID:1648 -
\??\c:\hbhhnh.exec:\hbhhnh.exe34⤵
- Executes dropped EXE
PID:1488 -
\??\c:\lxflxxx.exec:\lxflxxx.exe35⤵
- Executes dropped EXE
PID:2744 -
\??\c:\9rfxfff.exec:\9rfxfff.exe36⤵
- Executes dropped EXE
PID:2524 -
\??\c:\hbtthb.exec:\hbtthb.exe37⤵
- Executes dropped EXE
PID:1564 -
\??\c:\frxxflf.exec:\frxxflf.exe38⤵
- Executes dropped EXE
PID:2952 -
\??\c:\9lfrxxl.exec:\9lfrxxl.exe39⤵
- Executes dropped EXE
PID:2460 -
\??\c:\e04460.exec:\e04460.exe40⤵
- Executes dropped EXE
PID:2480 -
\??\c:\lfxrrlr.exec:\lfxrrlr.exe41⤵
- Executes dropped EXE
PID:2788 -
\??\c:\q24026.exec:\q24026.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\3ntnnh.exec:\3ntnnh.exe43⤵
- Executes dropped EXE
PID:2772 -
\??\c:\g4664.exec:\g4664.exe44⤵
- Executes dropped EXE
PID:2936 -
\??\c:\7htbtt.exec:\7htbtt.exe45⤵
- Executes dropped EXE
PID:2740 -
\??\c:\bhthnn.exec:\bhthnn.exe46⤵
- Executes dropped EXE
PID:2784 -
\??\c:\hthhnn.exec:\hthhnn.exe47⤵
- Executes dropped EXE
PID:2932 -
\??\c:\26024.exec:\26024.exe48⤵
- Executes dropped EXE
PID:1392 -
\??\c:\jdpvv.exec:\jdpvv.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1480 -
\??\c:\86886.exec:\86886.exe50⤵
- Executes dropped EXE
PID:2964 -
\??\c:\m6446.exec:\m6446.exe51⤵
- Executes dropped EXE
PID:948 -
\??\c:\rfrrfxl.exec:\rfrrfxl.exe52⤵
- Executes dropped EXE
PID:1568 -
\??\c:\o462284.exec:\o462284.exe53⤵
- Executes dropped EXE
PID:236 -
\??\c:\802800.exec:\802800.exe54⤵
- Executes dropped EXE
PID:1136 -
\??\c:\g2002.exec:\g2002.exe55⤵
- Executes dropped EXE
PID:3012 -
\??\c:\6428402.exec:\6428402.exe56⤵
- Executes dropped EXE
PID:2064 -
\??\c:\86406.exec:\86406.exe57⤵
- Executes dropped EXE
PID:2412 -
\??\c:\6262008.exec:\6262008.exe58⤵
- Executes dropped EXE
PID:3064 -
\??\c:\rrxffxf.exec:\rrxffxf.exe59⤵
- Executes dropped EXE
PID:2068 -
\??\c:\rfxxfrr.exec:\rfxxfrr.exe60⤵
- Executes dropped EXE
PID:2340 -
\??\c:\3xlffff.exec:\3xlffff.exe61⤵
- Executes dropped EXE
PID:1108 -
\??\c:\htnntt.exec:\htnntt.exe62⤵
- Executes dropped EXE
PID:2348 -
\??\c:\m8068.exec:\m8068.exe63⤵
- Executes dropped EXE
PID:1912 -
\??\c:\jdvjv.exec:\jdvjv.exe64⤵
- Executes dropped EXE
PID:2652 -
\??\c:\3rffffl.exec:\3rffffl.exe65⤵
- Executes dropped EXE
PID:3048 -
\??\c:\7frxxxl.exec:\7frxxxl.exe66⤵PID:1860
-
\??\c:\9lxrxxx.exec:\9lxrxxx.exe67⤵PID:732
-
\??\c:\5bnhnn.exec:\5bnhnn.exe68⤵PID:2268
-
\??\c:\6462268.exec:\6462268.exe69⤵PID:2584
-
\??\c:\868882.exec:\868882.exe70⤵PID:1716
-
\??\c:\9bnhhb.exec:\9bnhhb.exe71⤵PID:1724
-
\??\c:\bnbhnh.exec:\bnbhnh.exe72⤵PID:764
-
\??\c:\jdppd.exec:\jdppd.exe73⤵PID:552
-
\??\c:\s8284.exec:\s8284.exe74⤵PID:1888
-
\??\c:\flrrffl.exec:\flrrffl.exe75⤵PID:2088
-
\??\c:\lfllxrx.exec:\lfllxrx.exe76⤵PID:1200
-
\??\c:\8082480.exec:\8082480.exe77⤵PID:2480
-
\??\c:\w04024.exec:\w04024.exe78⤵PID:2848
-
\??\c:\08242.exec:\08242.exe79⤵PID:2792
-
\??\c:\9thhhn.exec:\9thhhn.exe80⤵PID:2748
-
\??\c:\lfxffxr.exec:\lfxffxr.exe81⤵PID:2920
-
\??\c:\nhbhtt.exec:\nhbhtt.exe82⤵PID:2664
-
\??\c:\48240.exec:\48240.exe83⤵PID:2688
-
\??\c:\pjvdp.exec:\pjvdp.exe84⤵PID:2944
-
\??\c:\646244.exec:\646244.exe85⤵PID:3040
-
\??\c:\9dpjv.exec:\9dpjv.exe86⤵PID:2660
-
\??\c:\btnntt.exec:\btnntt.exe87⤵PID:2360
-
\??\c:\8206280.exec:\8206280.exe88⤵PID:1260
-
\??\c:\vpdpj.exec:\vpdpj.exe89⤵PID:2964
-
\??\c:\0266286.exec:\0266286.exe90⤵PID:2988
-
\??\c:\thttbt.exec:\thttbt.exe91⤵PID:1568
-
\??\c:\428886.exec:\428886.exe92⤵PID:2032
-
\??\c:\3pddj.exec:\3pddj.exe93⤵PID:1048
-
\??\c:\u802480.exec:\u802480.exe94⤵PID:2732
-
\??\c:\2084228.exec:\2084228.exe95⤵PID:2916
-
\??\c:\6040408.exec:\6040408.exe96⤵PID:1440
-
\??\c:\4866480.exec:\4866480.exe97⤵
- System Location Discovery: System Language Discovery
PID:2224 -
\??\c:\82684.exec:\82684.exe98⤵PID:1620
-
\??\c:\42662.exec:\42662.exe99⤵PID:3012
-
\??\c:\i646880.exec:\i646880.exe100⤵PID:2064
-
\??\c:\486428.exec:\486428.exe101⤵PID:2492
-
\??\c:\m8226.exec:\m8226.exe102⤵PID:3052
-
\??\c:\086682.exec:\086682.exe103⤵PID:2068
-
\??\c:\q04000.exec:\q04000.exe104⤵PID:2128
-
\??\c:\86800.exec:\86800.exe105⤵PID:2768
-
\??\c:\1vppp.exec:\1vppp.exe106⤵PID:2152
-
\??\c:\260244.exec:\260244.exe107⤵PID:2036
-
\??\c:\660688.exec:\660688.exe108⤵PID:748
-
\??\c:\424460.exec:\424460.exe109⤵PID:320
-
\??\c:\nnbhtb.exec:\nnbhtb.exe110⤵PID:2056
-
\??\c:\pdppd.exec:\pdppd.exe111⤵PID:2696
-
\??\c:\86062.exec:\86062.exe112⤵PID:1668
-
\??\c:\0046840.exec:\0046840.exe113⤵PID:592
-
\??\c:\3rrflrl.exec:\3rrflrl.exe114⤵PID:540
-
\??\c:\tnhntb.exec:\tnhntb.exe115⤵PID:1840
-
\??\c:\486806.exec:\486806.exe116⤵PID:2724
-
\??\c:\djdjp.exec:\djdjp.exe117⤵
- System Location Discovery: System Language Discovery
PID:1736 -
\??\c:\482288.exec:\482288.exe118⤵PID:1700
-
\??\c:\1xlxrxx.exec:\1xlxrxx.exe119⤵PID:2088
-
\??\c:\86408.exec:\86408.exe120⤵PID:1708
-
\??\c:\xflxfrx.exec:\xflxfrx.exe121⤵PID:2308
-
\??\c:\60886.exec:\60886.exe122⤵PID:2560