Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 07:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe
-
Size
455KB
-
MD5
1ca2e57352ce2fe08752aef1c385fe90
-
SHA1
d859e8f286e1fedf72435dc5d3c7a31dbb6b8835
-
SHA256
d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356
-
SHA512
06450a42f851b3a0e6510d79e4e0b3682ef267c2edb8a041bfe5a3f08922dc16b6d2964da2489105deef78c61cbd9f4550929e06ca5076c70520a93149d3a4c5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2316-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-101-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3060-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-127-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2600-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/372-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-165-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2796-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2796-183-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-253-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/292-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-301-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1604-299-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1604-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-316-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1080-344-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1080-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-359-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1440-373-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1440-375-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1096-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-408-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1096-426-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2864-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1768-485-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/828-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-570-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2616-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-670-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/656-783-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/632-790-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2224-809-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-870-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2348-877-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2840-902-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-921-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/856-1053-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3044 m8062.exe 348 fxlxlll.exe 2484 vjppp.exe 2336 bntnnn.exe 2644 q00060.exe 2760 o844484.exe 2696 6468444.exe 2820 806288.exe 2888 206222.exe 2608 tbhbbt.exe 2564 k80060.exe 3060 vdvvd.exe 1980 646622.exe 2600 jvjjj.exe 372 rlxxfxf.exe 1988 c644006.exe 1816 64662.exe 624 5lxrrrr.exe 2796 5xlflrx.exe 2848 64620.exe 2196 q46004.exe 3020 20222.exe 1872 vpvpd.exe 2020 08042.exe 836 68488.exe 1548 m4602.exe 1328 g2002.exe 292 6848822.exe 2416 frxxxxx.exe 540 pjvvd.exe 2204 g6484.exe 1604 hbnttt.exe 2352 646004.exe 3040 jvjdd.exe 284 46204.exe 2332 nhnhnh.exe 2736 frlrrrr.exe 1080 462626.exe 2772 02488.exe 2164 08484.exe 2668 7vjjj.exe 1440 hnttbb.exe 2764 dppjj.exe 2616 s6200.exe 2572 8060228.exe 1096 frflrrx.exe 2672 4284006.exe 2392 42840.exe 2248 460060.exe 1260 httttn.exe 1536 4600884.exe 1812 8628884.exe 1488 2024444.exe 1444 dpddj.exe 1768 8060222.exe 2800 vjppj.exe 2864 8022662.exe 2128 flfflfl.exe 828 o688884.exe 904 lxfflrx.exe 1720 462222.exe 1700 468848.exe 744 bhbttt.exe 928 u428044.exe -
resource yara_rule behavioral1/memory/3044-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/372-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-266-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1604-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-367-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2764-378-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1096-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/828-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-783-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/632-790-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2396-952-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-990-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-997-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/856-1053-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4600884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e86466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o062408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 822428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4800846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2028406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 3044 2316 d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe 30 PID 2316 wrote to memory of 3044 2316 d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe 30 PID 2316 wrote to memory of 3044 2316 d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe 30 PID 2316 wrote to memory of 3044 2316 d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe 30 PID 3044 wrote to memory of 348 3044 m8062.exe 31 PID 3044 wrote to memory of 348 3044 m8062.exe 31 PID 3044 wrote to memory of 348 3044 m8062.exe 31 PID 3044 wrote to memory of 348 3044 m8062.exe 31 PID 348 wrote to memory of 2484 348 fxlxlll.exe 32 PID 348 wrote to memory of 2484 348 fxlxlll.exe 32 PID 348 wrote to memory of 2484 348 fxlxlll.exe 32 PID 348 wrote to memory of 2484 348 fxlxlll.exe 32 PID 2484 wrote to memory of 2336 2484 vjppp.exe 33 PID 2484 wrote to memory of 2336 2484 vjppp.exe 33 PID 2484 wrote to memory of 2336 2484 vjppp.exe 33 PID 2484 wrote to memory of 2336 2484 vjppp.exe 33 PID 2336 wrote to memory of 2644 2336 bntnnn.exe 34 PID 2336 wrote to memory of 2644 2336 bntnnn.exe 34 PID 2336 wrote to memory of 2644 2336 bntnnn.exe 34 PID 2336 wrote to memory of 2644 2336 bntnnn.exe 34 PID 2644 wrote to memory of 2760 2644 q00060.exe 35 PID 2644 wrote to memory of 2760 2644 q00060.exe 35 PID 2644 wrote to memory of 2760 2644 q00060.exe 35 PID 2644 wrote to memory of 2760 2644 q00060.exe 35 PID 2760 wrote to memory of 2696 2760 o844484.exe 36 PID 2760 wrote to memory of 2696 2760 o844484.exe 36 PID 2760 wrote to memory of 2696 2760 o844484.exe 36 PID 2760 wrote to memory of 2696 2760 o844484.exe 36 PID 2696 wrote to memory of 2820 2696 6468444.exe 37 PID 2696 wrote to memory of 2820 2696 6468444.exe 37 PID 2696 wrote to memory of 2820 2696 6468444.exe 37 PID 2696 wrote to memory of 2820 2696 6468444.exe 37 PID 2820 wrote to memory of 2888 2820 806288.exe 38 PID 2820 wrote to 
memory of 2888 2820 806288.exe 38 PID 2820 wrote to memory of 2888 2820 806288.exe 38 PID 2820 wrote to memory of 2888 2820 806288.exe 38 PID 2888 wrote to memory of 2608 2888 206222.exe 39 PID 2888 wrote to memory of 2608 2888 206222.exe 39 PID 2888 wrote to memory of 2608 2888 206222.exe 39 PID 2888 wrote to memory of 2608 2888 206222.exe 39 PID 2608 wrote to memory of 2564 2608 tbhbbt.exe 40 PID 2608 wrote to memory of 2564 2608 tbhbbt.exe 40 PID 2608 wrote to memory of 2564 2608 tbhbbt.exe 40 PID 2608 wrote to memory of 2564 2608 tbhbbt.exe 40 PID 2564 wrote to memory of 3060 2564 k80060.exe 41 PID 2564 wrote to memory of 3060 2564 k80060.exe 41 PID 2564 wrote to memory of 3060 2564 k80060.exe 41 PID 2564 wrote to memory of 3060 2564 k80060.exe 41 PID 3060 wrote to memory of 1980 3060 vdvvd.exe 42 PID 3060 wrote to memory of 1980 3060 vdvvd.exe 42 PID 3060 wrote to memory of 1980 3060 vdvvd.exe 42 PID 3060 wrote to memory of 1980 3060 vdvvd.exe 42 PID 1980 wrote to memory of 2600 1980 646622.exe 43 PID 1980 wrote to memory of 2600 1980 646622.exe 43 PID 1980 wrote to memory of 2600 1980 646622.exe 43 PID 1980 wrote to memory of 2600 1980 646622.exe 43 PID 2600 wrote to memory of 372 2600 jvjjj.exe 44 PID 2600 wrote to memory of 372 2600 jvjjj.exe 44 PID 2600 wrote to memory of 372 2600 jvjjj.exe 44 PID 2600 wrote to memory of 372 2600 jvjjj.exe 44 PID 372 wrote to memory of 1988 372 rlxxfxf.exe 45 PID 372 wrote to memory of 1988 372 rlxxfxf.exe 45 PID 372 wrote to memory of 1988 372 rlxxfxf.exe 45 PID 372 wrote to memory of 1988 372 rlxxfxf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe"C:\Users\Admin\AppData\Local\Temp\d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\m8062.exec:\m8062.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\fxlxlll.exec:\fxlxlll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\vjppp.exec:\vjppp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\bntnnn.exec:\bntnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\q00060.exec:\q00060.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\o844484.exec:\o844484.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\6468444.exec:\6468444.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\806288.exec:\806288.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\206222.exec:\206222.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\tbhbbt.exec:\tbhbbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\k80060.exec:\k80060.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\vdvvd.exec:\vdvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\646622.exec:\646622.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\jvjjj.exec:\jvjjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\rlxxfxf.exec:\rlxxfxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\c644006.exec:\c644006.exe17⤵
- Executes dropped EXE
PID:1988 -
\??\c:\64662.exec:\64662.exe18⤵
- Executes dropped EXE
PID:1816 -
\??\c:\5lxrrrr.exec:\5lxrrrr.exe19⤵
- Executes dropped EXE
PID:624 -
\??\c:\5xlflrx.exec:\5xlflrx.exe20⤵
- Executes dropped EXE
PID:2796 -
\??\c:\64620.exec:\64620.exe21⤵
- Executes dropped EXE
PID:2848 -
\??\c:\q46004.exec:\q46004.exe22⤵
- Executes dropped EXE
PID:2196 -
\??\c:\20222.exec:\20222.exe23⤵
- Executes dropped EXE
PID:3020 -
\??\c:\vpvpd.exec:\vpvpd.exe24⤵
- Executes dropped EXE
PID:1872 -
\??\c:\08042.exec:\08042.exe25⤵
- Executes dropped EXE
PID:2020 -
\??\c:\68488.exec:\68488.exe26⤵
- Executes dropped EXE
PID:836 -
\??\c:\m4602.exec:\m4602.exe27⤵
- Executes dropped EXE
PID:1548 -
\??\c:\g2002.exec:\g2002.exe28⤵
- Executes dropped EXE
PID:1328 -
\??\c:\6848822.exec:\6848822.exe29⤵
- Executes dropped EXE
PID:292 -
\??\c:\frxxxxx.exec:\frxxxxx.exe30⤵
- Executes dropped EXE
PID:2416 -
\??\c:\pjvvd.exec:\pjvvd.exe31⤵
- Executes dropped EXE
PID:540 -
\??\c:\g6484.exec:\g6484.exe32⤵
- Executes dropped EXE
PID:2204 -
\??\c:\hbnttt.exec:\hbnttt.exe33⤵
- Executes dropped EXE
PID:1604 -
\??\c:\646004.exec:\646004.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2352 -
\??\c:\jvjdd.exec:\jvjdd.exe35⤵
- Executes dropped EXE
PID:3040 -
\??\c:\46204.exec:\46204.exe36⤵
- Executes dropped EXE
PID:284 -
\??\c:\nhnhnh.exec:\nhnhnh.exe37⤵
- Executes dropped EXE
PID:2332 -
\??\c:\frlrrrr.exec:\frlrrrr.exe38⤵
- Executes dropped EXE
PID:2736 -
\??\c:\462626.exec:\462626.exe39⤵
- Executes dropped EXE
PID:1080 -
\??\c:\02488.exec:\02488.exe40⤵
- Executes dropped EXE
PID:2772 -
\??\c:\08484.exec:\08484.exe41⤵
- Executes dropped EXE
PID:2164 -
\??\c:\7vjjj.exec:\7vjjj.exe42⤵
- Executes dropped EXE
PID:2668 -
\??\c:\hnttbb.exec:\hnttbb.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1440 -
\??\c:\dppjj.exec:\dppjj.exe44⤵
- Executes dropped EXE
PID:2764 -
\??\c:\s6200.exec:\s6200.exe45⤵
- Executes dropped EXE
PID:2616 -
\??\c:\8060228.exec:\8060228.exe46⤵
- Executes dropped EXE
PID:2572 -
\??\c:\frflrrx.exec:\frflrrx.exe47⤵
- Executes dropped EXE
PID:1096 -
\??\c:\4284006.exec:\4284006.exe48⤵
- Executes dropped EXE
PID:2672 -
\??\c:\42840.exec:\42840.exe49⤵
- Executes dropped EXE
PID:2392 -
\??\c:\460060.exec:\460060.exe50⤵
- Executes dropped EXE
PID:2248 -
\??\c:\httttn.exec:\httttn.exe51⤵
- Executes dropped EXE
PID:1260 -
\??\c:\4600884.exec:\4600884.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536 -
\??\c:\8628884.exec:\8628884.exe53⤵
- Executes dropped EXE
PID:1812 -
\??\c:\2024444.exec:\2024444.exe54⤵
- Executes dropped EXE
PID:1488 -
\??\c:\dpddj.exec:\dpddj.exe55⤵
- Executes dropped EXE
PID:1444 -
\??\c:\8060222.exec:\8060222.exe56⤵
- Executes dropped EXE
PID:1768 -
\??\c:\vjppj.exec:\vjppj.exe57⤵
- Executes dropped EXE
PID:2800 -
\??\c:\8022662.exec:\8022662.exe58⤵
- Executes dropped EXE
PID:2864 -
\??\c:\flfflfl.exec:\flfflfl.exe59⤵
- Executes dropped EXE
PID:2128 -
\??\c:\o688884.exec:\o688884.exe60⤵
- Executes dropped EXE
PID:828 -
\??\c:\lxfflrx.exec:\lxfflrx.exe61⤵
- Executes dropped EXE
PID:904 -
\??\c:\462222.exec:\462222.exe62⤵
- Executes dropped EXE
PID:1720 -
\??\c:\468848.exec:\468848.exe63⤵
- Executes dropped EXE
PID:1700 -
\??\c:\bhbttt.exec:\bhbttt.exe64⤵
- Executes dropped EXE
PID:744 -
\??\c:\u428044.exec:\u428044.exe65⤵
- Executes dropped EXE
PID:928 -
\??\c:\9flrxxf.exec:\9flrxxf.exe66⤵PID:2328
-
\??\c:\hthhhh.exec:\hthhhh.exe67⤵PID:2116
-
\??\c:\pdppp.exec:\pdppp.exe68⤵PID:568
-
\??\c:\9rfxlll.exec:\9rfxlll.exe69⤵PID:2232
-
\??\c:\9pvdp.exec:\9pvdp.exe70⤵PID:1804
-
\??\c:\s0280.exec:\s0280.exe71⤵PID:2216
-
\??\c:\i248822.exec:\i248822.exe72⤵PID:1716
-
\??\c:\xrrfrrf.exec:\xrrfrrf.exe73⤵PID:2632
-
\??\c:\9jdvd.exec:\9jdvd.exe74⤵PID:1944
-
\??\c:\86222.exec:\86222.exe75⤵PID:1972
-
\??\c:\428666.exec:\428666.exe76⤵PID:1712
-
\??\c:\c606284.exec:\c606284.exe77⤵PID:2484
-
\??\c:\i640224.exec:\i640224.exe78⤵PID:2408
-
\??\c:\86802.exec:\86802.exe79⤵PID:2692
-
\??\c:\028226.exec:\028226.exe80⤵PID:2244
-
\??\c:\7vddj.exec:\7vddj.exe81⤵PID:2936
-
\??\c:\688826.exec:\688826.exe82⤵PID:2252
-
\??\c:\6022288.exec:\6022288.exe83⤵
- System Location Discovery: System Language Discovery
PID:2924 -
\??\c:\28482.exec:\28482.exe84⤵PID:2808
-
\??\c:\xrflrxr.exec:\xrflrxr.exe85⤵PID:1688
-
\??\c:\nbbbtn.exec:\nbbbtn.exe86⤵PID:2664
-
\??\c:\lxrlrxl.exec:\lxrlrxl.exe87⤵PID:2616
-
\??\c:\48620.exec:\48620.exe88⤵PID:2564
-
\??\c:\g0440.exec:\g0440.exe89⤵PID:3012
-
\??\c:\1tbnnb.exec:\1tbnnb.exe90⤵PID:2672
-
\??\c:\9xfffff.exec:\9xfffff.exe91⤵PID:2112
-
\??\c:\0240284.exec:\0240284.exe92⤵PID:1324
-
\??\c:\hbtbhh.exec:\hbtbhh.exe93⤵PID:1696
-
\??\c:\i088620.exec:\i088620.exe94⤵PID:2512
-
\??\c:\008662.exec:\008662.exe95⤵PID:1988
-
\??\c:\3djvj.exec:\3djvj.exe96⤵PID:1916
-
\??\c:\ttnthn.exec:\ttnthn.exe97⤵PID:1732
-
\??\c:\btnthn.exec:\btnthn.exe98⤵PID:624
-
\??\c:\6862480.exec:\6862480.exe99⤵PID:2440
-
\??\c:\4266446.exec:\4266446.exe100⤵PID:2852
-
\??\c:\7pjpd.exec:\7pjpd.exe101⤵PID:2908
-
\??\c:\6424020.exec:\6424020.exe102⤵PID:2128
-
\??\c:\vvvdj.exec:\vvvdj.exe103⤵PID:1084
-
\??\c:\q04028.exec:\q04028.exe104⤵PID:2648
-
\??\c:\m4288.exec:\m4288.exe105⤵PID:1684
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe106⤵PID:656
-
\??\c:\608028.exec:\608028.exe107⤵PID:632
-
\??\c:\k42066.exec:\k42066.exe108⤵PID:2288
-
\??\c:\082802.exec:\082802.exe109⤵PID:1764
-
\??\c:\08620.exec:\08620.exe110⤵PID:2224
-
\??\c:\jjdpv.exec:\jjdpv.exe111⤵PID:2416
-
\??\c:\7tnntt.exec:\7tnntt.exe112⤵PID:2220
-
\??\c:\5fxrrfl.exec:\5fxrrfl.exe113⤵PID:1804
-
\??\c:\2088008.exec:\2088008.exe114⤵PID:2216
-
\??\c:\g4224.exec:\g4224.exe115⤵PID:1716
-
\??\c:\0862846.exec:\0862846.exe116⤵PID:2500
-
\??\c:\vjvjd.exec:\vjvjd.exe117⤵PID:2352
-
\??\c:\rllxfrx.exec:\rllxfrx.exe118⤵PID:2456
-
\??\c:\hthbbh.exec:\hthbbh.exe119⤵PID:2356
-
\??\c:\424084.exec:\424084.exe120⤵PID:2052
-
\??\c:\nnhtbn.exec:\nnhtbn.exe121⤵PID:2348
-
\??\c:\08068.exec:\08068.exe122⤵PID:2692