Analysis
-
max time kernel
141s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
26-12-2024 06:13
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe
-
Size
455KB
-
MD5
78bfed5b815582c768bd18dce3241f67
-
SHA1
14898a99e3a33ad92668e36adbb569066b473909
-
SHA256
4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9
-
SHA512
98e1ae6dfefd0e9d7d5a8abfc7bffb256aeb6a9bf2e3b0b340ac908bf2433cdd4ad3085fe5d613b6738eac386d4f854bae7942e160406cd725b270abe29614d6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2536-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1388-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2316-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/564-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-458-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3036-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1392-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-50-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2876-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-938-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/336-1107-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/552-1144-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/1240-1283-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: PIDs 1568 and 1140 each appear twice in the list below — once an earlier process has exited Windows can reassign its PID, so correlate these entries by process name and parent rather than by PID alone) -
pid Process 2744 fxxxffl.exe 2536 1bnnhh.exe 2952 806066.exe 2540 80088.exe 2916 7tbbbh.exe 2132 nnbbhh.exe 2936 jvjdd.exe 760 9hnnnb.exe 2664 24046.exe 2740 3rflxrf.exe 1392 64846.exe 1092 m2446.exe 2996 btbbnb.exe 1000 g0846.exe 3016 468444.exe 1568 dppjj.exe 1136 s6444.exe 1536 6404000.exe 1152 424466.exe 3036 lrxxxrx.exe 2120 s8006.exe 2336 bnnbbb.exe 836 i400444.exe 1140 o204484.exe 3060 628800.exe 564 xrxxxrr.exe 2580 tnttbb.exe 1472 dpddv.exe 1716 04804.exe 1660 08066.exe 2280 208844.exe 2316 26464.exe 2324 5vppp.exe 2756 vdjjv.exe 2848 64606.exe 2864 hntnbn.exe 2104 7ppjj.exe 2816 k80066.exe 2788 806660.exe 2928 thtntn.exe 2832 bthnbt.exe 2700 nbhbtn.exe 3032 00086.exe 2944 0642068.exe 884 hbnthn.exe 336 tnbthb.exe 2892 26624.exe 1644 s0220.exe 1568 5jppp.exe 236 w64424.exe 536 06026.exe 1116 7tbbhn.exe 1440 jdpvd.exe 2896 g0266.exe 2492 dvjpj.exe 2708 022228.exe 2592 q64444.exe 1140 i462888.exe 2648 s6840.exe 1872 806004.exe 1528 9pddj.exe 728 hbbnnh.exe 888 ffrrffl.exe 2180 8684602.exe -
resource yara_rule behavioral1/memory/2536-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-247-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/564-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-904-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-917-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-938-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2584-969-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-982-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-1046-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-1163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3012-1177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-1214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-1251-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e80060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every write listed below targets the child the writing process has just spawned, four writes per parent/child pair; this looks like the parent-to-child write pattern seen at process creation rather than injection into an unrelated process — confirm before treating it as code injection) -
description pid Process procid_target PID 1388 wrote to memory of 2744 1388 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 30 PID 1388 wrote to memory of 2744 1388 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 30 PID 1388 wrote to memory of 2744 1388 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 30 PID 1388 wrote to memory of 2744 1388 4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe 30 PID 2744 wrote to memory of 2536 2744 fxxxffl.exe 31 PID 2744 wrote to memory of 2536 2744 fxxxffl.exe 31 PID 2744 wrote to memory of 2536 2744 fxxxffl.exe 31 PID 2744 wrote to memory of 2536 2744 fxxxffl.exe 31 PID 2536 wrote to memory of 2952 2536 1bnnhh.exe 32 PID 2536 wrote to memory of 2952 2536 1bnnhh.exe 32 PID 2536 wrote to memory of 2952 2536 1bnnhh.exe 32 PID 2536 wrote to memory of 2952 2536 1bnnhh.exe 32 PID 2952 wrote to memory of 2540 2952 806066.exe 33 PID 2952 wrote to memory of 2540 2952 806066.exe 33 PID 2952 wrote to memory of 2540 2952 806066.exe 33 PID 2952 wrote to memory of 2540 2952 806066.exe 33 PID 2540 wrote to memory of 2916 2540 80088.exe 34 PID 2540 wrote to memory of 2916 2540 80088.exe 34 PID 2540 wrote to memory of 2916 2540 80088.exe 34 PID 2540 wrote to memory of 2916 2540 80088.exe 34 PID 2916 wrote to memory of 2132 2916 7tbbbh.exe 35 PID 2916 wrote to memory of 2132 2916 7tbbbh.exe 35 PID 2916 wrote to memory of 2132 2916 7tbbbh.exe 35 PID 2916 wrote to memory of 2132 2916 7tbbbh.exe 35 PID 2132 wrote to memory of 2936 2132 nnbbhh.exe 36 PID 2132 wrote to memory of 2936 2132 nnbbhh.exe 36 PID 2132 wrote to memory of 2936 2132 nnbbhh.exe 36 PID 2132 wrote to memory of 2936 2132 nnbbhh.exe 36 PID 2936 wrote to memory of 760 2936 jvjdd.exe 37 PID 2936 wrote to memory of 760 2936 jvjdd.exe 37 PID 2936 wrote to memory of 760 2936 jvjdd.exe 37 PID 2936 wrote to memory of 760 2936 jvjdd.exe 37 PID 760 wrote to memory of 2664 760 9hnnnb.exe 38 PID 760 wrote to memory 
of 2664 760 9hnnnb.exe 38 PID 760 wrote to memory of 2664 760 9hnnnb.exe 38 PID 760 wrote to memory of 2664 760 9hnnnb.exe 38 PID 2664 wrote to memory of 2740 2664 24046.exe 39 PID 2664 wrote to memory of 2740 2664 24046.exe 39 PID 2664 wrote to memory of 2740 2664 24046.exe 39 PID 2664 wrote to memory of 2740 2664 24046.exe 39 PID 2740 wrote to memory of 1392 2740 3rflxrf.exe 40 PID 2740 wrote to memory of 1392 2740 3rflxrf.exe 40 PID 2740 wrote to memory of 1392 2740 3rflxrf.exe 40 PID 2740 wrote to memory of 1392 2740 3rflxrf.exe 40 PID 1392 wrote to memory of 1092 1392 64846.exe 41 PID 1392 wrote to memory of 1092 1392 64846.exe 41 PID 1392 wrote to memory of 1092 1392 64846.exe 41 PID 1392 wrote to memory of 1092 1392 64846.exe 41 PID 1092 wrote to memory of 2996 1092 m2446.exe 42 PID 1092 wrote to memory of 2996 1092 m2446.exe 42 PID 1092 wrote to memory of 2996 1092 m2446.exe 42 PID 1092 wrote to memory of 2996 1092 m2446.exe 42 PID 2996 wrote to memory of 1000 2996 btbbnb.exe 43 PID 2996 wrote to memory of 1000 2996 btbbnb.exe 43 PID 2996 wrote to memory of 1000 2996 btbbnb.exe 43 PID 2996 wrote to memory of 1000 2996 btbbnb.exe 43 PID 1000 wrote to memory of 3016 1000 g0846.exe 44 PID 1000 wrote to memory of 3016 1000 g0846.exe 44 PID 1000 wrote to memory of 3016 1000 g0846.exe 44 PID 1000 wrote to memory of 3016 1000 g0846.exe 44 PID 3016 wrote to memory of 1568 3016 468444.exe 45 PID 3016 wrote to memory of 1568 3016 468444.exe 45 PID 3016 wrote to memory of 1568 3016 468444.exe 45 PID 3016 wrote to memory of 1568 3016 468444.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe"C:\Users\Admin\AppData\Local\Temp\4244c14d8721c101c279d42ec3670aced61b6c7bcc653fa79d4434af6638f5b9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\fxxxffl.exec:\fxxxffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\1bnnhh.exec:\1bnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\806066.exec:\806066.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\80088.exec:\80088.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\7tbbbh.exec:\7tbbbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\nnbbhh.exec:\nnbbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\jvjdd.exec:\jvjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\9hnnnb.exec:\9hnnnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\24046.exec:\24046.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\3rflxrf.exec:\3rflxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\64846.exec:\64846.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\m2446.exec:\m2446.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\btbbnb.exec:\btbbnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\g0846.exec:\g0846.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\468444.exec:\468444.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\dppjj.exec:\dppjj.exe17⤵
- Executes dropped EXE
PID:1568 -
\??\c:\s6444.exec:\s6444.exe18⤵
- Executes dropped EXE
PID:1136 -
\??\c:\6404000.exec:\6404000.exe19⤵
- Executes dropped EXE
PID:1536 -
\??\c:\424466.exec:\424466.exe20⤵
- Executes dropped EXE
PID:1152 -
\??\c:\lrxxxrx.exec:\lrxxxrx.exe21⤵
- Executes dropped EXE
PID:3036 -
\??\c:\s8006.exec:\s8006.exe22⤵
- Executes dropped EXE
PID:2120 -
\??\c:\bnnbbb.exec:\bnnbbb.exe23⤵
- Executes dropped EXE
PID:2336 -
\??\c:\i400444.exec:\i400444.exe24⤵
- Executes dropped EXE
PID:836 -
\??\c:\o204484.exec:\o204484.exe25⤵
- Executes dropped EXE
PID:1140 -
\??\c:\628800.exec:\628800.exe26⤵
- Executes dropped EXE
PID:3060 -
\??\c:\xrxxxrr.exec:\xrxxxrr.exe27⤵
- Executes dropped EXE
PID:564 -
\??\c:\tnttbb.exec:\tnttbb.exe28⤵
- Executes dropped EXE
PID:2580 -
\??\c:\dpddv.exec:\dpddv.exe29⤵
- Executes dropped EXE
PID:1472 -
\??\c:\04804.exec:\04804.exe30⤵
- Executes dropped EXE
PID:1716 -
\??\c:\08066.exec:\08066.exe31⤵
- Executes dropped EXE
PID:1660 -
\??\c:\208844.exec:\208844.exe32⤵
- Executes dropped EXE
PID:2280 -
\??\c:\26464.exec:\26464.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
\??\c:\5vppp.exec:\5vppp.exe34⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vdjjv.exec:\vdjjv.exe35⤵
- Executes dropped EXE
PID:2756 -
\??\c:\64606.exec:\64606.exe36⤵
- Executes dropped EXE
PID:2848 -
\??\c:\hntnbn.exec:\hntnbn.exe37⤵
- Executes dropped EXE
PID:2864 -
\??\c:\7ppjj.exec:\7ppjj.exe38⤵
- Executes dropped EXE
PID:2104 -
\??\c:\k80066.exec:\k80066.exe39⤵
- Executes dropped EXE
PID:2816 -
\??\c:\806660.exec:\806660.exe40⤵
- Executes dropped EXE
PID:2788 -
\??\c:\thtntn.exec:\thtntn.exe41⤵
- Executes dropped EXE
PID:2928 -
\??\c:\bthnbt.exec:\bthnbt.exe42⤵
- Executes dropped EXE
PID:2832 -
\??\c:\nbhbtn.exec:\nbhbtn.exe43⤵
- Executes dropped EXE
PID:2700 -
\??\c:\00086.exec:\00086.exe44⤵
- Executes dropped EXE
PID:3032 -
\??\c:\0642068.exec:\0642068.exe45⤵
- Executes dropped EXE
PID:2944 -
\??\c:\hbnthn.exec:\hbnthn.exe46⤵
- Executes dropped EXE
PID:884 -
\??\c:\tnbthb.exec:\tnbthb.exe47⤵
- Executes dropped EXE
PID:336 -
\??\c:\26624.exec:\26624.exe48⤵
- Executes dropped EXE
PID:2892 -
\??\c:\s0220.exec:\s0220.exe49⤵
- Executes dropped EXE
PID:1644 -
\??\c:\5jppp.exec:\5jppp.exe50⤵
- Executes dropped EXE
PID:1568 -
\??\c:\w64424.exec:\w64424.exe51⤵
- Executes dropped EXE
PID:236 -
\??\c:\06026.exec:\06026.exe52⤵
- Executes dropped EXE
PID:536 -
\??\c:\7tbbhn.exec:\7tbbhn.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
\??\c:\jdpvd.exec:\jdpvd.exe54⤵
- Executes dropped EXE
PID:1440 -
\??\c:\g0266.exec:\g0266.exe55⤵
- Executes dropped EXE
PID:2896 -
\??\c:\dvjpj.exec:\dvjpj.exe56⤵
- Executes dropped EXE
PID:2492 -
\??\c:\022228.exec:\022228.exe57⤵
- Executes dropped EXE
PID:2708 -
\??\c:\q64444.exec:\q64444.exe58⤵
- Executes dropped EXE
PID:2592 -
\??\c:\i462888.exec:\i462888.exe59⤵
- Executes dropped EXE
PID:1140 -
\??\c:\s6840.exec:\s6840.exe60⤵
- Executes dropped EXE
PID:2648 -
\??\c:\806004.exec:\806004.exe61⤵
- Executes dropped EXE
PID:1872 -
\??\c:\9pddj.exec:\9pddj.exe62⤵
- Executes dropped EXE
PID:1528 -
\??\c:\hbbnnh.exec:\hbbnnh.exe63⤵
- Executes dropped EXE
PID:728 -
\??\c:\ffrrffl.exec:\ffrrffl.exe64⤵
- Executes dropped EXE
PID:888 -
\??\c:\8684602.exec:\8684602.exe65⤵
- Executes dropped EXE
PID:2180 -
\??\c:\tntthb.exec:\tntthb.exe66⤵PID:548
-
\??\c:\nhtnhb.exec:\nhtnhb.exe67⤵PID:1840
-
\??\c:\fxrlflx.exec:\fxrlflx.exe68⤵PID:2324
-
\??\c:\7xxrxxf.exec:\7xxrxxf.exe69⤵PID:2456
-
\??\c:\g8628.exec:\g8628.exe70⤵PID:2744
-
\??\c:\tbttnn.exec:\tbttnn.exe71⤵PID:596
-
\??\c:\5tnhtt.exec:\5tnhtt.exe72⤵PID:568
-
\??\c:\k42844.exec:\k42844.exe73⤵PID:2904
-
\??\c:\202288.exec:\202288.exe74⤵PID:1676
-
\??\c:\428288.exec:\428288.exe75⤵PID:2308
-
\??\c:\c422440.exec:\c422440.exe76⤵PID:2876
-
\??\c:\m2000.exec:\m2000.exe77⤵PID:2556
-
\??\c:\42446.exec:\42446.exe78⤵PID:2900
-
\??\c:\3dpjj.exec:\3dpjj.exe79⤵PID:2936
-
\??\c:\dvdjp.exec:\dvdjp.exe80⤵PID:616
-
\??\c:\82002.exec:\82002.exe81⤵PID:2676
-
\??\c:\04624.exec:\04624.exe82⤵PID:2244
-
\??\c:\tnbtbt.exec:\tnbtbt.exe83⤵PID:1644
-
\??\c:\k86240.exec:\k86240.exe84⤵PID:2784
-
\??\c:\1btbbh.exec:\1btbbh.exe85⤵PID:1568
-
\??\c:\pjdvd.exec:\pjdvd.exe86⤵PID:2504
-
\??\c:\dpdvp.exec:\dpdvp.exe87⤵PID:536
-
\??\c:\w06688.exec:\w06688.exe88⤵PID:484
-
\??\c:\4244280.exec:\4244280.exe89⤵PID:1272
-
\??\c:\6844004.exec:\6844004.exe90⤵PID:2332
-
\??\c:\9jdjv.exec:\9jdjv.exe91⤵PID:2636
-
\??\c:\422288.exec:\422288.exe92⤵PID:1976
-
\??\c:\s4624.exec:\s4624.exe93⤵PID:2644
-
\??\c:\3lxxllx.exec:\3lxxllx.exe94⤵PID:2704
-
\??\c:\2060840.exec:\2060840.exe95⤵PID:2044
-
\??\c:\rfrxlrl.exec:\rfrxlrl.exe96⤵PID:1340
-
\??\c:\a2068.exec:\a2068.exe97⤵PID:1932
-
\??\c:\k48800.exec:\k48800.exe98⤵PID:1140
-
\??\c:\vpddp.exec:\vpddp.exe99⤵PID:308
-
\??\c:\6400220.exec:\6400220.exe100⤵PID:1296
-
\??\c:\024022.exec:\024022.exe101⤵PID:912
-
\??\c:\pjdvd.exec:\pjdvd.exe102⤵PID:1548
-
\??\c:\dpddj.exec:\dpddj.exe103⤵PID:1500
-
\??\c:\dddvd.exec:\dddvd.exe104⤵PID:1520
-
\??\c:\hhtthb.exec:\hhtthb.exe105⤵PID:1972
-
\??\c:\9vjjj.exec:\9vjjj.exe106⤵PID:2096
-
\??\c:\rxlllff.exec:\rxlllff.exe107⤵PID:2380
-
\??\c:\vjvdv.exec:\vjvdv.exe108⤵PID:2272
-
\??\c:\ddvdj.exec:\ddvdj.exe109⤵PID:980
-
\??\c:\thbbhh.exec:\thbbhh.exe110⤵PID:880
-
\??\c:\642282.exec:\642282.exe111⤵PID:2732
-
\??\c:\bnttnn.exec:\bnttnn.exe112⤵PID:1888
-
\??\c:\5thtbb.exec:\5thtbb.exe113⤵PID:1792
-
\??\c:\frflrrx.exec:\frflrrx.exe114⤵PID:1596
-
\??\c:\g2824.exec:\g2824.exe115⤵PID:2952
-
\??\c:\826248.exec:\826248.exe116⤵PID:1708
-
\??\c:\86406.exec:\86406.exe117⤵PID:2132
-
\??\c:\864404.exec:\864404.exe118⤵PID:2528
-
\??\c:\6426606.exec:\6426606.exe119⤵PID:2924
-
\??\c:\4228002.exec:\4228002.exe120⤵PID:2696
-
\??\c:\4206884.exec:\4206884.exe121⤵PID:2916
-
\??\c:\xrxrxrf.exec:\xrxrxrf.exe122⤵PID:2628