Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 07:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe
-
Size
456KB
-
MD5
8f178be0ca9f752e558bd8b9d85b64a0
-
SHA1
47d9337a31b23dae5f5f2ffe9fa700b13a82ab9f
-
SHA256
071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51
-
SHA512
eaab9f75dce5cf924748dd3e5a908272adddd1db731b8ff67e9f227df233dc5feadfb642807ffc7900b23b7b9081d90940419d40c7f359b88046bb2fe31d9a41
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2484-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-107-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2572-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-127-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1456-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/952-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/560-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1956-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-364-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2756-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1400-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-443-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2176-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-691-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2600-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1176-806-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-866-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2808-901-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1772-1047-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2508 086888.exe 2308 802004.exe 1952 7hnnhb.exe 1996 6080284.exe 1992 20228.exe 2792 1lflrrr.exe 2720 g0228.exe 2764 thhbhh.exe 2596 s6622.exe 3012 2088062.exe 2572 244822.exe 3028 6088446.exe 1328 68448.exe 1152 bthbbt.exe 2472 pjvpv.exe 1456 484000.exe 1948 082260.exe 1688 c248480.exe 2772 c222666.exe 2392 0244406.exe 596 hbhhnh.exe 280 5rrllll.exe 1072 64666.exe 1616 vjpdd.exe 876 42884.exe 1556 9pvjp.exe 1564 tthttn.exe 952 dvddv.exe 2020 dvdjj.exe 560 7jvvd.exe 2076 9ffxfff.exe 1508 0884444.exe 2484 6888040.exe 2340 1lfflff.exe 1956 xrffffx.exe 2320 k66644.exe 1952 frxrrlr.exe 3044 s2604.exe 2708 xfrrfrx.exe 2456 7dpvj.exe 2128 dpdvp.exe 2792 4648828.exe 2668 fxflrxr.exe 2756 5xllllr.exe 2724 4288624.exe 2672 pvjjj.exe 3012 5djjp.exe 2564 bthhnn.exe 1312 7hthnn.exe 1400 rfrrffl.exe 1496 o006044.exe 1268 1rflxfl.exe 2312 0804088.exe 2472 tnhntb.exe 1940 fxlrrlr.exe 1936 bbbhtt.exe 2912 480682.exe 2184 i044668.exe 2156 642248.exe 2176 9xfllrx.exe 1304 i244488.exe 1460 lfrrllx.exe 280 thnhnh.exe 1136 04222.exe -
resource yara_rule behavioral1/memory/2484-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/560-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-306-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1956-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-913-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-950-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2044-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-978-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-1102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-1189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-1299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-1337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-1356-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k42844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0088446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0422406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k02844.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4648488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2484 wrote to memory of 2508 2484 071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe 30 PID 2484 wrote to memory of 2508 2484 071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe 30 PID 2484 wrote to memory of 2508 2484 071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe 30 PID 2484 wrote to memory of 2508 2484 071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe 30 PID 2508 wrote to memory of 2308 2508 086888.exe 31 PID 2508 wrote to memory of 2308 2508 086888.exe 31 PID 2508 wrote to memory of 2308 2508 086888.exe 31 PID 2508 wrote to memory of 2308 2508 086888.exe 31 PID 2308 wrote to memory of 1952 2308 802004.exe 32 PID 2308 wrote to memory of 1952 2308 802004.exe 32 PID 2308 wrote to memory of 1952 2308 802004.exe 32 PID 2308 wrote to memory of 1952 2308 802004.exe 32 PID 1952 wrote to memory of 1996 1952 7hnnhb.exe 33 PID 1952 wrote to memory of 1996 1952 7hnnhb.exe 33 PID 1952 wrote to memory of 1996 1952 7hnnhb.exe 33 PID 1952 wrote to memory of 1996 1952 7hnnhb.exe 33 PID 1996 wrote to memory of 1992 1996 6080284.exe 34 PID 1996 wrote to memory of 1992 1996 6080284.exe 34 PID 1996 wrote to memory of 1992 1996 6080284.exe 34 PID 1996 wrote to memory of 1992 1996 6080284.exe 34 PID 1992 wrote to memory of 2792 1992 20228.exe 35 PID 1992 wrote to memory of 2792 1992 20228.exe 35 PID 1992 wrote to memory of 2792 1992 20228.exe 35 PID 1992 wrote to memory of 2792 1992 20228.exe 35 PID 2792 wrote to memory of 2720 2792 1lflrrr.exe 36 PID 2792 wrote to memory of 2720 2792 1lflrrr.exe 36 PID 2792 wrote to memory of 2720 2792 1lflrrr.exe 36 PID 2792 wrote to memory of 2720 2792 1lflrrr.exe 36 PID 2720 wrote to memory of 2764 2720 g0228.exe 37 PID 2720 wrote to memory of 2764 2720 g0228.exe 37 PID 2720 wrote to memory of 2764 2720 g0228.exe 37 PID 2720 wrote to memory of 2764 2720 g0228.exe 37 PID 2764 wrote to memory of 2596 2764 thhbhh.exe 38 PID 2764 
wrote to memory of 2596 2764 thhbhh.exe 38 PID 2764 wrote to memory of 2596 2764 thhbhh.exe 38 PID 2764 wrote to memory of 2596 2764 thhbhh.exe 38 PID 2596 wrote to memory of 3012 2596 s6622.exe 39 PID 2596 wrote to memory of 3012 2596 s6622.exe 39 PID 2596 wrote to memory of 3012 2596 s6622.exe 39 PID 2596 wrote to memory of 3012 2596 s6622.exe 39 PID 3012 wrote to memory of 2572 3012 2088062.exe 40 PID 3012 wrote to memory of 2572 3012 2088062.exe 40 PID 3012 wrote to memory of 2572 3012 2088062.exe 40 PID 3012 wrote to memory of 2572 3012 2088062.exe 40 PID 2572 wrote to memory of 3028 2572 244822.exe 41 PID 2572 wrote to memory of 3028 2572 244822.exe 41 PID 2572 wrote to memory of 3028 2572 244822.exe 41 PID 2572 wrote to memory of 3028 2572 244822.exe 41 PID 3028 wrote to memory of 1328 3028 6088446.exe 42 PID 3028 wrote to memory of 1328 3028 6088446.exe 42 PID 3028 wrote to memory of 1328 3028 6088446.exe 42 PID 3028 wrote to memory of 1328 3028 6088446.exe 42 PID 1328 wrote to memory of 1152 1328 68448.exe 43 PID 1328 wrote to memory of 1152 1328 68448.exe 43 PID 1328 wrote to memory of 1152 1328 68448.exe 43 PID 1328 wrote to memory of 1152 1328 68448.exe 43 PID 1152 wrote to memory of 2472 1152 bthbbt.exe 44 PID 1152 wrote to memory of 2472 1152 bthbbt.exe 44 PID 1152 wrote to memory of 2472 1152 bthbbt.exe 44 PID 1152 wrote to memory of 2472 1152 bthbbt.exe 44 PID 2472 wrote to memory of 1456 2472 pjvpv.exe 45 PID 2472 wrote to memory of 1456 2472 pjvpv.exe 45 PID 2472 wrote to memory of 1456 2472 pjvpv.exe 45 PID 2472 wrote to memory of 1456 2472 pjvpv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe"C:\Users\Admin\AppData\Local\Temp\071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\086888.exec:\086888.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\802004.exec:\802004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\7hnnhb.exec:\7hnnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\6080284.exec:\6080284.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\20228.exec:\20228.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\1lflrrr.exec:\1lflrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\g0228.exec:\g0228.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\thhbhh.exec:\thhbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\s6622.exec:\s6622.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\2088062.exec:\2088062.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\244822.exec:\244822.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\6088446.exec:\6088446.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\68448.exec:\68448.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\bthbbt.exec:\bthbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\pjvpv.exec:\pjvpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\484000.exec:\484000.exe17⤵
- Executes dropped EXE
PID:1456 -
\??\c:\082260.exec:\082260.exe18⤵
- Executes dropped EXE
PID:1948 -
\??\c:\c248480.exec:\c248480.exe19⤵
- Executes dropped EXE
PID:1688 -
\??\c:\c222666.exec:\c222666.exe20⤵
- Executes dropped EXE
PID:2772 -
\??\c:\0244406.exec:\0244406.exe21⤵
- Executes dropped EXE
PID:2392 -
\??\c:\hbhhnh.exec:\hbhhnh.exe22⤵
- Executes dropped EXE
PID:596 -
\??\c:\5rrllll.exec:\5rrllll.exe23⤵
- Executes dropped EXE
PID:280 -
\??\c:\64666.exec:\64666.exe24⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vjpdd.exec:\vjpdd.exe25⤵
- Executes dropped EXE
PID:1616 -
\??\c:\42884.exec:\42884.exe26⤵
- Executes dropped EXE
PID:876 -
\??\c:\9pvjp.exec:\9pvjp.exe27⤵
- Executes dropped EXE
PID:1556 -
\??\c:\tthttn.exec:\tthttn.exe28⤵
- Executes dropped EXE
PID:1564 -
\??\c:\dvddv.exec:\dvddv.exe29⤵
- Executes dropped EXE
PID:952 -
\??\c:\dvdjj.exec:\dvdjj.exe30⤵
- Executes dropped EXE
PID:2020 -
\??\c:\7jvvd.exec:\7jvvd.exe31⤵
- Executes dropped EXE
PID:560 -
\??\c:\9ffxfff.exec:\9ffxfff.exe32⤵
- Executes dropped EXE
PID:2076 -
\??\c:\0884444.exec:\0884444.exe33⤵
- Executes dropped EXE
PID:1508 -
\??\c:\6888040.exec:\6888040.exe34⤵
- Executes dropped EXE
PID:2484 -
\??\c:\1lfflff.exec:\1lfflff.exe35⤵
- Executes dropped EXE
PID:2340 -
\??\c:\xrffffx.exec:\xrffffx.exe36⤵
- Executes dropped EXE
PID:1956 -
\??\c:\k66644.exec:\k66644.exe37⤵
- Executes dropped EXE
PID:2320 -
\??\c:\frxrrlr.exec:\frxrrlr.exe38⤵
- Executes dropped EXE
PID:1952 -
\??\c:\s2604.exec:\s2604.exe39⤵
- Executes dropped EXE
PID:3044 -
\??\c:\xfrrfrx.exec:\xfrrfrx.exe40⤵
- Executes dropped EXE
PID:2708 -
\??\c:\7dpvj.exec:\7dpvj.exe41⤵
- Executes dropped EXE
PID:2456 -
\??\c:\dpdvp.exec:\dpdvp.exe42⤵
- Executes dropped EXE
PID:2128 -
\??\c:\4648828.exec:\4648828.exe43⤵
- Executes dropped EXE
PID:2792 -
\??\c:\fxflrxr.exec:\fxflrxr.exe44⤵
- Executes dropped EXE
PID:2668 -
\??\c:\5xllllr.exec:\5xllllr.exe45⤵
- Executes dropped EXE
PID:2756 -
\??\c:\4288624.exec:\4288624.exe46⤵
- Executes dropped EXE
PID:2724 -
\??\c:\pvjjj.exec:\pvjjj.exe47⤵
- Executes dropped EXE
PID:2672 -
\??\c:\5djjp.exec:\5djjp.exe48⤵
- Executes dropped EXE
PID:3012 -
\??\c:\bthhnn.exec:\bthhnn.exe49⤵
- Executes dropped EXE
PID:2564 -
\??\c:\7hthnn.exec:\7hthnn.exe50⤵
- Executes dropped EXE
PID:1312 -
\??\c:\rfrrffl.exec:\rfrrffl.exe51⤵
- Executes dropped EXE
PID:1400 -
\??\c:\o006044.exec:\o006044.exe52⤵
- Executes dropped EXE
PID:1496 -
\??\c:\1rflxfl.exec:\1rflxfl.exe53⤵
- Executes dropped EXE
PID:1268 -
\??\c:\0804088.exec:\0804088.exe54⤵
- Executes dropped EXE
PID:2312 -
\??\c:\tnhntb.exec:\tnhntb.exe55⤵
- Executes dropped EXE
PID:2472 -
\??\c:\fxlrrlr.exec:\fxlrrlr.exe56⤵
- Executes dropped EXE
PID:1940 -
\??\c:\bbbhtt.exec:\bbbhtt.exe57⤵
- Executes dropped EXE
PID:1936 -
\??\c:\480682.exec:\480682.exe58⤵
- Executes dropped EXE
PID:2912 -
\??\c:\i044668.exec:\i044668.exe59⤵
- Executes dropped EXE
PID:2184 -
\??\c:\642248.exec:\642248.exe60⤵
- Executes dropped EXE
PID:2156 -
\??\c:\9xfllrx.exec:\9xfllrx.exe61⤵
- Executes dropped EXE
PID:2176 -
\??\c:\i244488.exec:\i244488.exe62⤵
- Executes dropped EXE
PID:1304 -
\??\c:\lfrrllx.exec:\lfrrllx.exe63⤵
- Executes dropped EXE
PID:1460 -
\??\c:\thnhnh.exec:\thnhnh.exe64⤵
- Executes dropped EXE
PID:280 -
\??\c:\04222.exec:\04222.exe65⤵
- Executes dropped EXE
PID:1136 -
\??\c:\xlrlxxx.exec:\xlrlxxx.exe66⤵PID:1616
-
\??\c:\7ddpv.exec:\7ddpv.exe67⤵PID:2080
-
\??\c:\nhhhhh.exec:\nhhhhh.exe68⤵PID:2088
-
\??\c:\86020.exec:\86020.exe69⤵PID:920
-
\??\c:\dvjjp.exec:\dvjjp.exe70⤵PID:1368
-
\??\c:\602844.exec:\602844.exe71⤵PID:952
-
\??\c:\ddppv.exec:\ddppv.exe72⤵PID:1816
-
\??\c:\vvjjv.exec:\vvjjv.exe73⤵PID:3068
-
\??\c:\604062.exec:\604062.exe74⤵PID:320
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe75⤵PID:584
-
\??\c:\6462006.exec:\6462006.exe76⤵PID:2932
-
\??\c:\vjdjv.exec:\vjdjv.exe77⤵PID:2112
-
\??\c:\3httbb.exec:\3httbb.exe78⤵PID:2508
-
\??\c:\bthntt.exec:\bthntt.exe79⤵PID:2324
-
\??\c:\3vddv.exec:\3vddv.exe80⤵PID:2196
-
\??\c:\1pddj.exec:\1pddj.exe81⤵PID:2320
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe82⤵PID:2532
-
\??\c:\rrflxfr.exec:\rrflxfr.exe83⤵PID:1748
-
\??\c:\jjvvj.exec:\jjvvj.exe84⤵PID:2056
-
\??\c:\8606440.exec:\8606440.exe85⤵PID:2652
-
\??\c:\q82862.exec:\q82862.exe86⤵PID:2800
-
\??\c:\fxxxrlf.exec:\fxxxrlf.exe87⤵PID:2792
-
\??\c:\ddpvd.exec:\ddpvd.exe88⤵PID:2676
-
\??\c:\1fxrrrx.exec:\1fxrrrx.exe89⤵PID:2756
-
\??\c:\hbntnt.exec:\hbntnt.exe90⤵PID:2776
-
\??\c:\m2408.exec:\m2408.exe91⤵PID:2748
-
\??\c:\o600006.exec:\o600006.exe92⤵PID:2580
-
\??\c:\bthbhh.exec:\bthbhh.exe93⤵PID:2608
-
\??\c:\s0222.exec:\s0222.exe94⤵PID:2572
-
\??\c:\tnbbhh.exec:\tnbbhh.exe95⤵PID:3032
-
\??\c:\rflffll.exec:\rflffll.exe96⤵PID:1292
-
\??\c:\0806840.exec:\0806840.exe97⤵PID:1248
-
\??\c:\frffrlf.exec:\frffrlf.exe98⤵PID:1536
-
\??\c:\xxlrxfr.exec:\xxlrxfr.exe99⤵PID:1944
-
\??\c:\9jvvv.exec:\9jvvv.exe100⤵PID:2860
-
\??\c:\pjddd.exec:\pjddd.exe101⤵PID:2628
-
\??\c:\4660600.exec:\4660600.exe102⤵PID:3016
-
\??\c:\1rfrxfr.exec:\1rfrxfr.exe103⤵PID:2600
-
\??\c:\486622.exec:\486622.exe104⤵PID:2848
-
\??\c:\86002.exec:\86002.exe105⤵PID:1480
-
\??\c:\bnnntn.exec:\bnnntn.exe106⤵PID:1080
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe107⤵PID:1680
-
\??\c:\8688446.exec:\8688446.exe108⤵PID:852
-
\??\c:\jjdvd.exec:\jjdvd.exe109⤵
- System Location Discovery: System Language Discovery
PID:280 -
\??\c:\0228040.exec:\0228040.exe110⤵PID:1176
-
\??\c:\2022444.exec:\2022444.exe111⤵PID:1596
-
\??\c:\240448.exec:\240448.exe112⤵PID:1520
-
\??\c:\hbnntb.exec:\hbnntb.exe113⤵PID:2088
-
\??\c:\lxlffxx.exec:\lxlffxx.exe114⤵
- System Location Discovery: System Language Discovery
PID:2696 -
\??\c:\nhttbb.exec:\nhttbb.exe115⤵PID:1368
-
\??\c:\lfxrxxf.exec:\lfxrxxf.exe116⤵PID:2280
-
\??\c:\2028446.exec:\2028446.exe117⤵PID:1816
-
\??\c:\e84848.exec:\e84848.exe118⤵PID:1980
-
\??\c:\480684.exec:\480684.exe119⤵PID:320
-
\??\c:\428466.exec:\428466.exe120⤵PID:1508
-
\??\c:\xrfxllf.exec:\xrfxllf.exe121⤵PID:2932
-
\??\c:\3vjjd.exec:\3vjjd.exe122⤵PID:2340