Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 05:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe
-
Size
455KB
-
MD5
b02d0f5dbca4b4a74000cc28ff1a8c2f
-
SHA1
6febccd3d37816c5f48aab0399f2a9ea2302d2fe
-
SHA256
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209
-
SHA512
bbf03096c35eca93a9b9a3239ee19cc8d2ca525e991158aa65b19631cd15a1988f4c1ade992eeb6c6afb4cbaa46841f936677fac57bd42ee8f87d612ada9cfb5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral1/memory/2116-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-54-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-110-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1808-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-128-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2876-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-185-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1276-184-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1996-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1996-218-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1748-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-236-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/804-250-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1728-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-291-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2412-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/744-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-530-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1596-568-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon 
behavioral1/memory/1716-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-604-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1336-612-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2740-645-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2740-647-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-641-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2860-674-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1384-710-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2780-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-818-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/380-832-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1504-846-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2572-885-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2400 3htbhn.exe 2348 u466884.exe 3020 tntbnh.exe 2784 nbnnnh.exe 2896 i266884.exe 2840 lllrffr.exe 3000 dvjjd.exe 3044 08406.exe 2748 hbhbnn.exe 2744 pdppv.exe 3016 02668.exe 1808 5dvjj.exe 2876 42402.exe 1792 264066.exe 1276 268406.exe 1960 xrflxxx.exe 1852 s0228.exe 1424 q80060.exe 2912 tthnnb.exe 296 20880.exe 1884 c840606.exe 1236 a2002.exe 1996 frlrfxf.exe 3060 xxllrrx.exe 1748 202206.exe 804 0422884.exe 1944 1xfllrf.exe 1628 1bnnnn.exe 2204 vvjjv.exe 1728 7jvpv.exe 2576 vpjpv.exe 620 1lrrxxf.exe 2412 fxlrxfl.exe 2348 7bbnbt.exe 2340 i200884.exe 1336 rxfxfxx.exe 3024 bnbbbn.exe 2996 k80664.exe 2824 m6446.exe 2840 862222.exe 2288 jjjpp.exe 1720 pvvpj.exe 2696 5xllllx.exe 2712 nnbbhh.exe 2736 ntbbbt.exe 2544 htttbt.exe 1100 7ddpp.exe 1904 g6828.exe 1796 242222.exe 2460 5dppj.exe 2936 1jdvj.exe 744 08808.exe 1960 s8044.exe 2760 6248828.exe 1864 868404.exe 1240 80668.exe 2332 08000.exe 296 tbhttn.exe 1324 pjpvd.exe 860 46006.exe 2256 4248826.exe 1984 o240284.exe 2976 5vdvj.exe 892 bnnhnn.exe -
resource yara_rule behavioral1/memory/2400-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-302-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3024-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-354-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2288-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/744-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-604-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2780-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-832-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2872-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-872-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-885-0x00000000003A0000-0x00000000003CA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6248828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i206600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2084440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q24400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2400 2116 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 30 PID 2116 wrote to memory of 2400 2116 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 30 PID 2116 wrote to memory of 2400 2116 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 30 PID 2116 wrote to memory of 2400 2116 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 30 PID 2400 wrote to memory of 2348 2400 3htbhn.exe 31 PID 2400 wrote to memory of 2348 2400 3htbhn.exe 31 PID 2400 wrote to memory of 2348 2400 3htbhn.exe 31 PID 2400 wrote to memory of 2348 2400 3htbhn.exe 31 PID 2348 wrote to memory of 3020 2348 u466884.exe 32 PID 2348 wrote to memory of 3020 2348 u466884.exe 32 PID 2348 wrote to memory of 3020 2348 u466884.exe 32 PID 2348 wrote to memory of 3020 2348 u466884.exe 32 PID 3020 wrote to memory of 2784 3020 tntbnh.exe 33 PID 3020 wrote to memory of 2784 3020 tntbnh.exe 33 PID 3020 wrote to memory of 2784 3020 tntbnh.exe 33 PID 3020 wrote to memory of 2784 3020 tntbnh.exe 33 PID 2784 wrote to memory of 2896 2784 nbnnnh.exe 34 PID 2784 wrote to memory of 2896 2784 nbnnnh.exe 34 PID 2784 wrote to memory of 2896 2784 nbnnnh.exe 34 PID 2784 wrote to memory of 2896 2784 nbnnnh.exe 34 PID 2896 wrote to memory of 2840 2896 i266884.exe 35 PID 2896 wrote to memory of 2840 2896 i266884.exe 35 PID 2896 wrote to memory of 2840 2896 i266884.exe 35 PID 2896 wrote to memory of 2840 2896 i266884.exe 35 PID 2840 wrote to memory of 3000 2840 lllrffr.exe 36 PID 2840 wrote to memory of 3000 2840 lllrffr.exe 36 PID 2840 wrote to memory of 3000 2840 lllrffr.exe 36 PID 2840 wrote to memory of 3000 2840 lllrffr.exe 36 PID 3000 wrote to memory of 3044 3000 dvjjd.exe 37 PID 3000 wrote to memory of 3044 3000 dvjjd.exe 37 PID 3000 wrote to memory of 3044 3000 dvjjd.exe 37 PID 3000 wrote to memory of 3044 3000 dvjjd.exe 37 PID 3044 wrote to memory of 2748 3044 08406.exe 38 PID 
3044 wrote to memory of 2748 3044 08406.exe 38 PID 3044 wrote to memory of 2748 3044 08406.exe 38 PID 3044 wrote to memory of 2748 3044 08406.exe 38 PID 2748 wrote to memory of 2744 2748 hbhbnn.exe 39 PID 2748 wrote to memory of 2744 2748 hbhbnn.exe 39 PID 2748 wrote to memory of 2744 2748 hbhbnn.exe 39 PID 2748 wrote to memory of 2744 2748 hbhbnn.exe 39 PID 2744 wrote to memory of 3016 2744 pdppv.exe 40 PID 2744 wrote to memory of 3016 2744 pdppv.exe 40 PID 2744 wrote to memory of 3016 2744 pdppv.exe 40 PID 2744 wrote to memory of 3016 2744 pdppv.exe 40 PID 3016 wrote to memory of 1808 3016 02668.exe 41 PID 3016 wrote to memory of 1808 3016 02668.exe 41 PID 3016 wrote to memory of 1808 3016 02668.exe 41 PID 3016 wrote to memory of 1808 3016 02668.exe 41 PID 1808 wrote to memory of 2876 1808 5dvjj.exe 42 PID 1808 wrote to memory of 2876 1808 5dvjj.exe 42 PID 1808 wrote to memory of 2876 1808 5dvjj.exe 42 PID 1808 wrote to memory of 2876 1808 5dvjj.exe 42 PID 2876 wrote to memory of 1792 2876 42402.exe 43 PID 2876 wrote to memory of 1792 2876 42402.exe 43 PID 2876 wrote to memory of 1792 2876 42402.exe 43 PID 2876 wrote to memory of 1792 2876 42402.exe 43 PID 1792 wrote to memory of 1276 1792 264066.exe 44 PID 1792 wrote to memory of 1276 1792 264066.exe 44 PID 1792 wrote to memory of 1276 1792 264066.exe 44 PID 1792 wrote to memory of 1276 1792 264066.exe 44 PID 1276 wrote to memory of 1960 1276 268406.exe 45 PID 1276 wrote to memory of 1960 1276 268406.exe 45 PID 1276 wrote to memory of 1960 1276 268406.exe 45 PID 1276 wrote to memory of 1960 1276 268406.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe"C:\Users\Admin\AppData\Local\Temp\c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\3htbhn.exec:\3htbhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\u466884.exec:\u466884.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\tntbnh.exec:\tntbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\nbnnnh.exec:\nbnnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\i266884.exec:\i266884.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\lllrffr.exec:\lllrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\dvjjd.exec:\dvjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\08406.exec:\08406.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\hbhbnn.exec:\hbhbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\pdppv.exec:\pdppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\02668.exec:\02668.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\5dvjj.exec:\5dvjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\42402.exec:\42402.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\264066.exec:\264066.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\268406.exec:\268406.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\xrflxxx.exec:\xrflxxx.exe17⤵
- Executes dropped EXE
PID:1960 -
\??\c:\s0228.exec:\s0228.exe18⤵
- Executes dropped EXE
PID:1852 -
\??\c:\q80060.exec:\q80060.exe19⤵
- Executes dropped EXE
PID:1424 -
\??\c:\tthnnb.exec:\tthnnb.exe20⤵
- Executes dropped EXE
PID:2912 -
\??\c:\20880.exec:\20880.exe21⤵
- Executes dropped EXE
PID:296 -
\??\c:\c840606.exec:\c840606.exe22⤵
- Executes dropped EXE
PID:1884 -
\??\c:\a2002.exec:\a2002.exe23⤵
- Executes dropped EXE
PID:1236 -
\??\c:\frlrfxf.exec:\frlrfxf.exe24⤵
- Executes dropped EXE
PID:1996 -
\??\c:\xxllrrx.exec:\xxllrrx.exe25⤵
- Executes dropped EXE
PID:3060 -
\??\c:\202206.exec:\202206.exe26⤵
- Executes dropped EXE
PID:1748 -
\??\c:\0422884.exec:\0422884.exe27⤵
- Executes dropped EXE
PID:804 -
\??\c:\1xfllrf.exec:\1xfllrf.exe28⤵
- Executes dropped EXE
PID:1944 -
\??\c:\1bnnnn.exec:\1bnnnn.exe29⤵
- Executes dropped EXE
PID:1628 -
\??\c:\vvjjv.exec:\vvjjv.exe30⤵
- Executes dropped EXE
PID:2204 -
\??\c:\7jvpv.exec:\7jvpv.exe31⤵
- Executes dropped EXE
PID:1728 -
\??\c:\vpjpv.exec:\vpjpv.exe32⤵
- Executes dropped EXE
PID:2576 -
\??\c:\1lrrxxf.exec:\1lrrxxf.exe33⤵
- Executes dropped EXE
PID:620 -
\??\c:\fxlrxfl.exec:\fxlrxfl.exe34⤵
- Executes dropped EXE
PID:2412 -
\??\c:\7bbnbt.exec:\7bbnbt.exe35⤵
- Executes dropped EXE
PID:2348 -
\??\c:\i200884.exec:\i200884.exe36⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rxfxfxx.exec:\rxfxfxx.exe37⤵
- Executes dropped EXE
PID:1336 -
\??\c:\bnbbbn.exec:\bnbbbn.exe38⤵
- Executes dropped EXE
PID:3024 -
\??\c:\k80664.exec:\k80664.exe39⤵
- Executes dropped EXE
PID:2996 -
\??\c:\m6446.exec:\m6446.exe40⤵
- Executes dropped EXE
PID:2824 -
\??\c:\862222.exec:\862222.exe41⤵
- Executes dropped EXE
PID:2840 -
\??\c:\jjjpp.exec:\jjjpp.exe42⤵
- Executes dropped EXE
PID:2288 -
\??\c:\pvvpj.exec:\pvvpj.exe43⤵
- Executes dropped EXE
PID:1720 -
\??\c:\5xllllx.exec:\5xllllx.exe44⤵
- Executes dropped EXE
PID:2696 -
\??\c:\nnbbhh.exec:\nnbbhh.exe45⤵
- Executes dropped EXE
PID:2712 -
\??\c:\ntbbbt.exec:\ntbbbt.exe46⤵
- Executes dropped EXE
PID:2736 -
\??\c:\htttbt.exec:\htttbt.exe47⤵
- Executes dropped EXE
PID:2544 -
\??\c:\7ddpp.exec:\7ddpp.exe48⤵
- Executes dropped EXE
PID:1100 -
\??\c:\g6828.exec:\g6828.exe49⤵
- Executes dropped EXE
PID:1904 -
\??\c:\242222.exec:\242222.exe50⤵
- Executes dropped EXE
PID:1796 -
\??\c:\5dppj.exec:\5dppj.exe51⤵
- Executes dropped EXE
PID:2460 -
\??\c:\1jdvj.exec:\1jdvj.exe52⤵
- Executes dropped EXE
PID:2936 -
\??\c:\08808.exec:\08808.exe53⤵
- Executes dropped EXE
PID:744 -
\??\c:\s8044.exec:\s8044.exe54⤵
- Executes dropped EXE
PID:1960 -
\??\c:\6248828.exec:\6248828.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760 -
\??\c:\868404.exec:\868404.exe56⤵
- Executes dropped EXE
PID:1864 -
\??\c:\80668.exec:\80668.exe57⤵
- Executes dropped EXE
PID:1240 -
\??\c:\08000.exec:\08000.exe58⤵
- Executes dropped EXE
PID:2332 -
\??\c:\tbhttn.exec:\tbhttn.exe59⤵
- Executes dropped EXE
PID:296 -
\??\c:\pjpvd.exec:\pjpvd.exe60⤵
- Executes dropped EXE
PID:1324 -
\??\c:\46006.exec:\46006.exe61⤵
- Executes dropped EXE
PID:860 -
\??\c:\4248826.exec:\4248826.exe62⤵
- Executes dropped EXE
PID:2256 -
\??\c:\o240284.exec:\o240284.exe63⤵
- Executes dropped EXE
PID:1984 -
\??\c:\5vdvj.exec:\5vdvj.exe64⤵
- Executes dropped EXE
PID:2976 -
\??\c:\bnnhnn.exec:\bnnhnn.exe65⤵
- Executes dropped EXE
PID:892 -
\??\c:\dpvpp.exec:\dpvpp.exe66⤵PID:1560
-
\??\c:\nbnntn.exec:\nbnntn.exe67⤵PID:1540
-
\??\c:\8022480.exec:\8022480.exe68⤵PID:2104
-
\??\c:\lxfllrx.exec:\lxfllrx.exe69⤵PID:772
-
\??\c:\6466484.exec:\6466484.exe70⤵PID:600
-
\??\c:\nnbhtb.exec:\nnbhtb.exe71⤵PID:2488
-
\??\c:\jvvjp.exec:\jvvjp.exe72⤵PID:2092
-
\??\c:\64446.exec:\64446.exe73⤵PID:2620
-
\??\c:\c688484.exec:\c688484.exe74⤵PID:1596
-
\??\c:\xfrlxrx.exec:\xfrlxrx.exe75⤵PID:1716
-
\??\c:\7lxxrrr.exec:\7lxxrrr.exe76⤵PID:1656
-
\??\c:\02826.exec:\02826.exe77⤵PID:2556
-
\??\c:\824062.exec:\824062.exe78⤵PID:2568
-
\??\c:\lxllxlx.exec:\lxllxlx.exe79⤵PID:2572
-
\??\c:\nbhhtt.exec:\nbhhtt.exe80⤵PID:1336
-
\??\c:\820688.exec:\820688.exe81⤵PID:2820
-
\??\c:\4244002.exec:\4244002.exe82⤵PID:1496
-
\??\c:\frxlrxl.exec:\frxlrxl.exe83⤵PID:2852
-
\??\c:\o826668.exec:\o826668.exe84⤵PID:2856
-
\??\c:\86224.exec:\86224.exe85⤵PID:2740
-
\??\c:\202248.exec:\202248.exe86⤵PID:2860
-
\??\c:\1rfxxff.exec:\1rfxxff.exe87⤵PID:2528
-
\??\c:\bbtnnb.exec:\bbtnnb.exe88⤵PID:2216
-
\??\c:\228882.exec:\228882.exe89⤵PID:1696
-
\??\c:\w02626.exec:\w02626.exe90⤵PID:1808
-
\??\c:\1rfflrx.exec:\1rfflrx.exe91⤵PID:1152
-
\??\c:\482804.exec:\482804.exe92⤵PID:1432
-
\??\c:\6084606.exec:\6084606.exe93⤵PID:2928
-
\??\c:\tthntb.exec:\tthntb.exe94⤵PID:976
-
\??\c:\4244606.exec:\4244606.exe95⤵PID:1384
-
\??\c:\7djdj.exec:\7djdj.exe96⤵PID:1644
-
\??\c:\u644668.exec:\u644668.exe97⤵PID:1852
-
\??\c:\lxflxxl.exec:\lxflxxl.exe98⤵PID:2932
-
\??\c:\606284.exec:\606284.exe99⤵PID:2780
-
\??\c:\lfxrxxf.exec:\lfxrxxf.exe100⤵PID:2332
-
\??\c:\640626.exec:\640626.exe101⤵PID:296
-
\??\c:\s8220.exec:\s8220.exe102⤵PID:444
-
\??\c:\7xfflll.exec:\7xfflll.exe103⤵PID:860
-
\??\c:\64600.exec:\64600.exe104⤵PID:936
-
\??\c:\q40688.exec:\q40688.exe105⤵PID:568
-
\??\c:\1vvvd.exec:\1vvvd.exe106⤵PID:1704
-
\??\c:\26008.exec:\26008.exe107⤵PID:1768
-
\??\c:\1frllrf.exec:\1frllrf.exe108⤵PID:1932
-
\??\c:\vjvdj.exec:\vjvdj.exe109⤵PID:1036
-
\??\c:\80808.exec:\80808.exe110⤵PID:2064
-
\??\c:\9thnbh.exec:\9thnbh.exe111⤵PID:2388
-
\??\c:\080626.exec:\080626.exe112⤵PID:1396
-
\??\c:\lfrrfff.exec:\lfrrfff.exe113⤵PID:380
-
\??\c:\xrxxffr.exec:\xrxxffr.exe114⤵PID:884
-
\??\c:\lfrrxfl.exec:\lfrrxfl.exe115⤵PID:1504
-
\??\c:\08006.exec:\08006.exe116⤵PID:1660
-
\??\c:\264026.exec:\264026.exe117⤵PID:2352
-
\??\c:\1ntttt.exec:\1ntttt.exe118⤵PID:2600
-
\??\c:\w40404.exec:\w40404.exe119⤵PID:2872
-
\??\c:\9frrffr.exec:\9frrffr.exe120⤵PID:1620
-
\??\c:\202020.exec:\202020.exe121⤵PID:2572
-
\??\c:\3nbttb.exec:\3nbttb.exe122⤵PID:2896
-