Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 04:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe
-
Size
454KB
-
MD5
cb4056c9e5c23957acee0948c044000b
-
SHA1
959b04a402d162153895bc73e01f1d831eb81ed6
-
SHA256
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce
-
SHA512
35bab2530a68303252e7522750f930f2e48e3f828ebd20203db939b55dcd3bd3cfc0b9cc3fa2557a88fc95f2a639c2223b466910f182b3b021522df7c5faddeb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2716-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1128-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/340-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/528-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2608-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-369-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2420-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-488-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2816-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-554-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2704-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-643-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2304-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-836-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1660-911-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-1002-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/840-1022-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2444-1121-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/784-1154-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2424-1254-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2236-1273-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2424-1274-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2012-1287-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2816 86846.exe 2736 08062.exe 2772 i088446.exe 2444 thnntt.exe 2608 5xfxllr.exe 1128 68224.exe 2780 rlxfrxl.exe 528 nhbttn.exe 1420 7vpjp.exe 2192 htbbhh.exe 340 5fllxfl.exe 2948 u868480.exe 2860 xlxxxrx.exe 2940 5pddp.exe 2712 rlxxfxf.exe 2984 64620.exe 1900 vddvd.exe 1572 6088484.exe 1844 7thhtn.exe 2408 5fxrrll.exe 2512 lffxflf.exe 2428 jvdpv.exe 1924 6422886.exe 2168 rlxxlrx.exe 1632 i866828.exe 1628 dpvpd.exe 2012 hbbtnt.exe 700 rlfxflx.exe 2332 82442.exe 1620 nnbbnh.exe 3048 ntntbn.exe 636 4806402.exe 2888 s0888.exe 1540 tnbttt.exe 2484 xlrffxx.exe 3016 fxlxxxf.exe 2632 0462840.exe 2444 2068006.exe 2620 dvppp.exe 2452 dpddj.exe 1908 4206224.exe 332 6000040.exe 2732 080682.exe 2152 420626.exe 2228 1nbbhn.exe 2968 8240628.exe 2988 lxfrrff.exe 1164 9xfrflr.exe 2696 680060.exe 1968 602840.exe 2084 3bnnnh.exe 2420 42222.exe 1792 824062.exe 2788 1lfxfff.exe 3040 hbhnbh.exe 2512 pjvpv.exe 2280 hbtthh.exe 2432 jvpvd.exe 1924 nbhnnn.exe 1676 lflllfr.exe 2996 k86288.exe 1088 20846.exe 1876 3xllrlx.exe 1384 dvjjp.exe -
resource yara_rule behavioral1/memory/2716-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1128-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/528-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1164-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/280-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-1022-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1532-1079-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-1116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-1191-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/840-1288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-1295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-1347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-1354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-1373-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4828484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o266024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 2816 2716 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 30 PID 2716 wrote to memory of 2816 2716 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 30 PID 2716 wrote to memory of 2816 2716 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 30 PID 2716 wrote to memory of 2816 2716 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 30 PID 2816 wrote to memory of 2736 2816 86846.exe 31 PID 2816 wrote to memory of 2736 2816 86846.exe 31 PID 2816 wrote to memory of 2736 2816 86846.exe 31 PID 2816 wrote to memory of 2736 2816 86846.exe 31 PID 2736 wrote to memory of 2772 2736 08062.exe 32 PID 2736 wrote to memory of 2772 2736 08062.exe 32 PID 2736 wrote to memory of 2772 2736 08062.exe 32 PID 2736 wrote to memory of 2772 2736 08062.exe 32 PID 2772 wrote to memory of 2444 2772 i088446.exe 67 PID 2772 wrote to memory of 2444 2772 i088446.exe 67 PID 2772 wrote to memory of 2444 2772 i088446.exe 67 PID 2772 wrote to memory of 2444 2772 i088446.exe 67 PID 2444 wrote to memory of 2608 2444 thnntt.exe 34 PID 2444 wrote to memory of 2608 2444 thnntt.exe 34 PID 2444 wrote to memory of 2608 2444 thnntt.exe 34 PID 2444 wrote to memory of 2608 2444 thnntt.exe 34 PID 2608 wrote to memory of 1128 2608 5xfxllr.exe 35 PID 2608 wrote to memory of 1128 2608 5xfxllr.exe 35 PID 2608 wrote to memory of 1128 2608 5xfxllr.exe 35 PID 2608 wrote to memory of 1128 2608 5xfxllr.exe 35 PID 1128 wrote to memory of 2780 1128 68224.exe 36 PID 1128 wrote to memory of 2780 1128 68224.exe 36 PID 1128 wrote to memory of 2780 1128 68224.exe 36 PID 1128 wrote to memory of 2780 1128 68224.exe 36 PID 2780 wrote to memory of 528 2780 rlxfrxl.exe 37 PID 2780 wrote to memory of 528 2780 rlxfrxl.exe 37 PID 2780 wrote to memory of 528 2780 rlxfrxl.exe 37 PID 2780 wrote to memory of 528 2780 rlxfrxl.exe 37 PID 528 wrote to memory of 1420 528 nhbttn.exe 38 PID 528 wrote to 
memory of 1420 528 nhbttn.exe 38 PID 528 wrote to memory of 1420 528 nhbttn.exe 38 PID 528 wrote to memory of 1420 528 nhbttn.exe 38 PID 1420 wrote to memory of 2192 1420 7vpjp.exe 39 PID 1420 wrote to memory of 2192 1420 7vpjp.exe 39 PID 1420 wrote to memory of 2192 1420 7vpjp.exe 39 PID 1420 wrote to memory of 2192 1420 7vpjp.exe 39 PID 2192 wrote to memory of 340 2192 htbbhh.exe 40 PID 2192 wrote to memory of 340 2192 htbbhh.exe 40 PID 2192 wrote to memory of 340 2192 htbbhh.exe 40 PID 2192 wrote to memory of 340 2192 htbbhh.exe 40 PID 340 wrote to memory of 2948 340 5fllxfl.exe 41 PID 340 wrote to memory of 2948 340 5fllxfl.exe 41 PID 340 wrote to memory of 2948 340 5fllxfl.exe 41 PID 340 wrote to memory of 2948 340 5fllxfl.exe 41 PID 2948 wrote to memory of 2860 2948 u868480.exe 42 PID 2948 wrote to memory of 2860 2948 u868480.exe 42 PID 2948 wrote to memory of 2860 2948 u868480.exe 42 PID 2948 wrote to memory of 2860 2948 u868480.exe 42 PID 2860 wrote to memory of 2940 2860 xlxxxrx.exe 43 PID 2860 wrote to memory of 2940 2860 xlxxxrx.exe 43 PID 2860 wrote to memory of 2940 2860 xlxxxrx.exe 43 PID 2860 wrote to memory of 2940 2860 xlxxxrx.exe 43 PID 2940 wrote to memory of 2712 2940 5pddp.exe 44 PID 2940 wrote to memory of 2712 2940 5pddp.exe 44 PID 2940 wrote to memory of 2712 2940 5pddp.exe 44 PID 2940 wrote to memory of 2712 2940 5pddp.exe 44 PID 2712 wrote to memory of 2984 2712 rlxxfxf.exe 45 PID 2712 wrote to memory of 2984 2712 rlxxfxf.exe 45 PID 2712 wrote to memory of 2984 2712 rlxxfxf.exe 45 PID 2712 wrote to memory of 2984 2712 rlxxfxf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe"C:\Users\Admin\AppData\Local\Temp\29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\86846.exec:\86846.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\08062.exec:\08062.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\i088446.exec:\i088446.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\thnntt.exec:\thnntt.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\5xfxllr.exec:\5xfxllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\68224.exec:\68224.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\rlxfrxl.exec:\rlxfrxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\nhbttn.exec:\nhbttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\7vpjp.exec:\7vpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\htbbhh.exec:\htbbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\5fllxfl.exec:\5fllxfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:340 -
\??\c:\u868480.exec:\u868480.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\xlxxxrx.exec:\xlxxxrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\5pddp.exec:\5pddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\rlxxfxf.exec:\rlxxfxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\64620.exec:\64620.exe17⤵
- Executes dropped EXE
PID:2984 -
\??\c:\vddvd.exec:\vddvd.exe18⤵
- Executes dropped EXE
PID:1900 -
\??\c:\6088484.exec:\6088484.exe19⤵
- Executes dropped EXE
PID:1572 -
\??\c:\7thhtn.exec:\7thhtn.exe20⤵
- Executes dropped EXE
PID:1844 -
\??\c:\5fxrrll.exec:\5fxrrll.exe21⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lffxflf.exec:\lffxflf.exe22⤵
- Executes dropped EXE
PID:2512 -
\??\c:\jvdpv.exec:\jvdpv.exe23⤵
- Executes dropped EXE
PID:2428 -
\??\c:\6422886.exec:\6422886.exe24⤵
- Executes dropped EXE
PID:1924 -
\??\c:\rlxxlrx.exec:\rlxxlrx.exe25⤵
- Executes dropped EXE
PID:2168 -
\??\c:\i866828.exec:\i866828.exe26⤵
- Executes dropped EXE
PID:1632 -
\??\c:\dpvpd.exec:\dpvpd.exe27⤵
- Executes dropped EXE
PID:1628 -
\??\c:\hbbtnt.exec:\hbbtnt.exe28⤵
- Executes dropped EXE
PID:2012 -
\??\c:\rlfxflx.exec:\rlfxflx.exe29⤵
- Executes dropped EXE
PID:700 -
\??\c:\82442.exec:\82442.exe30⤵
- Executes dropped EXE
PID:2332 -
\??\c:\nnbbnh.exec:\nnbbnh.exe31⤵
- Executes dropped EXE
PID:1620 -
\??\c:\ntntbn.exec:\ntntbn.exe32⤵
- Executes dropped EXE
PID:3048 -
\??\c:\4806402.exec:\4806402.exe33⤵
- Executes dropped EXE
PID:636 -
\??\c:\s0888.exec:\s0888.exe34⤵
- Executes dropped EXE
PID:2888 -
\??\c:\tnbttt.exec:\tnbttt.exe35⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xlrffxx.exec:\xlrffxx.exe36⤵
- Executes dropped EXE
PID:2484 -
\??\c:\fxlxxxf.exec:\fxlxxxf.exe37⤵
- Executes dropped EXE
PID:3016 -
\??\c:\0462840.exec:\0462840.exe38⤵
- Executes dropped EXE
PID:2632 -
\??\c:\2068006.exec:\2068006.exe39⤵
- Executes dropped EXE
PID:2444 -
\??\c:\dvppp.exec:\dvppp.exe40⤵
- Executes dropped EXE
PID:2620 -
\??\c:\dpddj.exec:\dpddj.exe41⤵
- Executes dropped EXE
PID:2452 -
\??\c:\4206224.exec:\4206224.exe42⤵
- Executes dropped EXE
PID:1908 -
\??\c:\6000040.exec:\6000040.exe43⤵
- Executes dropped EXE
PID:332 -
\??\c:\080682.exec:\080682.exe44⤵
- Executes dropped EXE
PID:2732 -
\??\c:\420626.exec:\420626.exe45⤵
- Executes dropped EXE
PID:2152 -
\??\c:\1nbbhn.exec:\1nbbhn.exe46⤵
- Executes dropped EXE
PID:2228 -
\??\c:\8240628.exec:\8240628.exe47⤵
- Executes dropped EXE
PID:2968 -
\??\c:\lxfrrff.exec:\lxfrrff.exe48⤵
- Executes dropped EXE
PID:2988 -
\??\c:\9xfrflr.exec:\9xfrflr.exe49⤵
- Executes dropped EXE
PID:1164 -
\??\c:\680060.exec:\680060.exe50⤵
- Executes dropped EXE
PID:2696 -
\??\c:\602840.exec:\602840.exe51⤵
- Executes dropped EXE
PID:1968 -
\??\c:\3bnnnh.exec:\3bnnnh.exe52⤵
- Executes dropped EXE
PID:2084 -
\??\c:\42222.exec:\42222.exe53⤵
- Executes dropped EXE
PID:2420 -
\??\c:\824062.exec:\824062.exe54⤵
- Executes dropped EXE
PID:1792 -
\??\c:\1lfxfff.exec:\1lfxfff.exe55⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hbhnbh.exec:\hbhnbh.exe56⤵
- Executes dropped EXE
PID:3040 -
\??\c:\pjvpv.exec:\pjvpv.exe57⤵
- Executes dropped EXE
PID:2512 -
\??\c:\hbtthh.exec:\hbtthh.exe58⤵
- Executes dropped EXE
PID:2280 -
\??\c:\jvpvd.exec:\jvpvd.exe59⤵
- Executes dropped EXE
PID:2432 -
\??\c:\nbhnnn.exec:\nbhnnn.exe60⤵
- Executes dropped EXE
PID:1924 -
\??\c:\lflllfr.exec:\lflllfr.exe61⤵
- Executes dropped EXE
PID:1676 -
\??\c:\k86288.exec:\k86288.exe62⤵
- Executes dropped EXE
PID:2996 -
\??\c:\20846.exec:\20846.exe63⤵
- Executes dropped EXE
PID:1088 -
\??\c:\3xllrlx.exec:\3xllrlx.exe64⤵
- Executes dropped EXE
PID:1876 -
\??\c:\dvjjp.exec:\dvjjp.exe65⤵
- Executes dropped EXE
PID:1384 -
\??\c:\48680.exec:\48680.exe66⤵PID:768
-
\??\c:\1thtnn.exec:\1thtnn.exe67⤵PID:2008
-
\??\c:\26884.exec:\26884.exe68⤵PID:1020
-
\??\c:\5xfrrff.exec:\5xfrrff.exe69⤵PID:1996
-
\??\c:\08284.exec:\08284.exe70⤵PID:1904
-
\??\c:\0406242.exec:\0406242.exe71⤵PID:2056
-
\??\c:\hbtbbt.exec:\hbtbbt.exe72⤵PID:1036
-
\??\c:\420604.exec:\420604.exe73⤵PID:2740
-
\??\c:\802684.exec:\802684.exe74⤵PID:2816
-
\??\c:\5nhnth.exec:\5nhnth.exe75⤵PID:1524
-
\??\c:\424644.exec:\424644.exe76⤵PID:2900
-
\??\c:\68440.exec:\68440.exe77⤵PID:2764
-
\??\c:\4828402.exec:\4828402.exe78⤵PID:2728
-
\??\c:\4826262.exec:\4826262.exe79⤵PID:2840
-
\??\c:\m4620.exec:\m4620.exe80⤵PID:2628
-
\??\c:\dpdjj.exec:\dpdjj.exe81⤵PID:2700
-
\??\c:\2662406.exec:\2662406.exe82⤵PID:2404
-
\??\c:\vppvd.exec:\vppvd.exe83⤵PID:2668
-
\??\c:\08048.exec:\08048.exe84⤵PID:528
-
\??\c:\9pvvd.exec:\9pvvd.exe85⤵PID:968
-
\??\c:\86268.exec:\86268.exe86⤵PID:2704
-
\??\c:\20840.exec:\20840.exe87⤵PID:1692
-
\??\c:\bthnnh.exec:\bthnnh.exe88⤵PID:2228
-
\??\c:\0800600.exec:\0800600.exe89⤵PID:2304
-
\??\c:\tnbtbb.exec:\tnbtbb.exe90⤵PID:2920
-
\??\c:\8084222.exec:\8084222.exe91⤵PID:1748
-
\??\c:\1jjpp.exec:\1jjpp.exe92⤵PID:2984
-
\??\c:\hthnnn.exec:\hthnnn.exe93⤵PID:2248
-
\??\c:\vjppp.exec:\vjppp.exe94⤵PID:1900
-
\??\c:\vpdjd.exec:\vpdjd.exe95⤵
- System Location Discovery: System Language Discovery
PID:396 -
\??\c:\xrxxfxf.exec:\xrxxfxf.exe96⤵PID:2348
-
\??\c:\frfrfll.exec:\frfrfll.exe97⤵PID:2356
-
\??\c:\dpdjd.exec:\dpdjd.exe98⤵PID:2944
-
\??\c:\pjvvd.exec:\pjvvd.exe99⤵PID:2412
-
\??\c:\44846.exec:\44846.exe100⤵PID:2068
-
\??\c:\3dvdd.exec:\3dvdd.exe101⤵PID:2432
-
\??\c:\llrxrfx.exec:\llrxrfx.exe102⤵PID:852
-
\??\c:\42446.exec:\42446.exe103⤵PID:2168
-
\??\c:\pjvpp.exec:\pjvpp.exe104⤵PID:1092
-
\??\c:\pvpvd.exec:\pvpvd.exe105⤵PID:1912
-
\??\c:\u844044.exec:\u844044.exe106⤵PID:700
-
\??\c:\424404.exec:\424404.exe107⤵PID:1476
-
\??\c:\5vdpp.exec:\5vdpp.exe108⤵PID:1680
-
\??\c:\6422840.exec:\6422840.exe109⤵PID:2332
-
\??\c:\g6842.exec:\g6842.exe110⤵PID:1208
-
\??\c:\vppvp.exec:\vppvp.exe111⤵PID:900
-
\??\c:\868440.exec:\868440.exe112⤵PID:2688
-
\??\c:\7djpp.exec:\7djpp.exe113⤵PID:2056
-
\??\c:\rflrrlr.exec:\rflrrlr.exe114⤵PID:1036
-
\??\c:\862882.exec:\862882.exe115⤵PID:2740
-
\??\c:\hhtbbb.exec:\hhtbbb.exe116⤵PID:780
-
\??\c:\o266888.exec:\o266888.exe117⤵PID:2800
-
\??\c:\vdppv.exec:\vdppv.exe118⤵PID:280
-
\??\c:\8688828.exec:\8688828.exe119⤵PID:2764
-
\??\c:\9bhbtt.exec:\9bhbtt.exe120⤵PID:2604
-
\??\c:\0806262.exec:\0806262.exe121⤵PID:1236
-
\??\c:\bthbbb.exec:\bthbbb.exe122⤵PID:2684