Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 11:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe
-
Size
453KB
-
MD5
e65d18fbe1dda42036301b909ab5d2e0
-
SHA1
eba3c76a1fb3d84cb6bf9256df86f6db82ab04bc
-
SHA256
5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaa
-
SHA512
c7adc0e1695709e03d4124cd51ed42b1fa636b5bf72f401157b1a55c3dd54f6cb6bd0497a23728a752cc31da32894839b19d81d189cf27bc6d546020d6d6bf88
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2568-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-474-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2188-461-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2036-424-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2760-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-333-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2104-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-319-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2060-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-293-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1752-276-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1044-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2168-258-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1968-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-223-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1916-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-134-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-97-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2636-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/344-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1620-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 344 1vjvd.exe 2332 rxrfrfl.exe 2344 djpjd.exe 2104 64620.exe 2452 ttthnn.exe 2636 hbtthh.exe 2856 xffrxxf.exe 2264 pdjpd.exe 2732 3vvvv.exe 2860 rfllllr.exe 2672 7pddd.exe 2688 202660.exe 568 e46626.exe 2076 08440.exe 1904 646626.exe 1272 20440.exe 2948 vjvvj.exe 1244 46442.exe 1964 pjvpv.exe 2468 m6484.exe 1916 rfrxxxf.exe 2328 5nbhbb.exe 620 jdjpd.exe 1308 646004.exe 1136 8644006.exe 876 2062440.exe 1968 0844044.exe 2168 xfrrrll.exe 1044 frffffl.exe 1752 vjvjv.exe 2480 608862.exe 1484 rlxxlrf.exe 1572 7htnbh.exe 1488 a0880.exe 2060 4262464.exe 2104 a0440.exe 2736 1lllrrx.exe 2344 dpdjp.exe 2824 xrllxlf.exe 2876 1hbbnt.exe 2808 8262408.exe 2872 hnhntb.exe 2760 22624.exe 2624 lfrxrxl.exe 2124 048088.exe 2928 bthhnn.exe 2908 ffflxfx.exe 1620 vppvj.exe 2744 llfflxl.exe 2944 864622.exe 1984 nhbhtb.exe 2036 82064.exe 1916 8644068.exe 2056 022460.exe 1960 nnhhnn.exe 1080 u040880.exe 1656 hbbhbb.exe 2188 a6404.exe 876 60846.exe 912 26042.exe 1940 tnbntb.exe 1612 04408.exe 992 864062.exe 2052 hbnnbn.exe -
resource yara_rule behavioral1/memory/2568-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-474-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2036-424-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2760-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-258-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1968-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1904-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/344-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/984-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-952-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-1008-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-1094-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-1131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-1210-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/432-1253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-1320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-1333-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4622266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q20622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u040880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2568 wrote to memory of 344 2568 5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe 30 PID 2568 wrote to memory of 344 2568 5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe 30 PID 2568 wrote to memory of 344 2568 5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe 30 PID 2568 wrote to memory of 344 2568 5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe 30 PID 344 wrote to memory of 2332 344 1vjvd.exe 31 PID 344 wrote to memory of 2332 344 1vjvd.exe 31 PID 344 wrote to memory of 2332 344 1vjvd.exe 31 PID 344 wrote to memory of 2332 344 1vjvd.exe 31 PID 2332 wrote to memory of 2344 2332 rxrfrfl.exe 67 PID 2332 wrote to memory of 2344 2332 rxrfrfl.exe 67 PID 2332 wrote to memory of 2344 2332 rxrfrfl.exe 67 PID 2332 wrote to memory of 2344 2332 rxrfrfl.exe 67 PID 2344 wrote to memory of 2104 2344 djpjd.exe 65 PID 2344 wrote to memory of 2104 2344 djpjd.exe 65 PID 2344 wrote to memory of 2104 2344 djpjd.exe 65 PID 2344 wrote to memory of 2104 2344 djpjd.exe 65 PID 2104 wrote to memory of 2452 2104 64620.exe 34 PID 2104 wrote to memory of 2452 2104 64620.exe 34 PID 2104 wrote to memory of 2452 2104 64620.exe 34 PID 2104 wrote to memory of 2452 2104 64620.exe 34 PID 2452 wrote to memory of 2636 2452 ttthnn.exe 35 PID 2452 wrote to memory of 2636 2452 ttthnn.exe 35 PID 2452 wrote to memory of 2636 2452 ttthnn.exe 35 PID 2452 wrote to memory of 2636 2452 ttthnn.exe 35 PID 2636 wrote to memory of 2856 2636 hbtthh.exe 36 PID 2636 wrote to memory of 2856 2636 hbtthh.exe 36 PID 2636 wrote to memory of 2856 2636 hbtthh.exe 36 PID 2636 wrote to memory of 2856 2636 hbtthh.exe 36 PID 2856 wrote to memory of 2264 2856 xffrxxf.exe 37 PID 2856 wrote to memory of 2264 2856 xffrxxf.exe 37 PID 2856 wrote to memory of 2264 2856 xffrxxf.exe 37 PID 2856 wrote to memory of 2264 2856 xffrxxf.exe 37 PID 2264 wrote to memory of 2732 2264 pdjpd.exe 38 PID 2264 wrote to memory 
of 2732 2264 pdjpd.exe 38 PID 2264 wrote to memory of 2732 2264 pdjpd.exe 38 PID 2264 wrote to memory of 2732 2264 pdjpd.exe 38 PID 2732 wrote to memory of 2860 2732 3vvvv.exe 39 PID 2732 wrote to memory of 2860 2732 3vvvv.exe 39 PID 2732 wrote to memory of 2860 2732 3vvvv.exe 39 PID 2732 wrote to memory of 2860 2732 3vvvv.exe 39 PID 2860 wrote to memory of 2672 2860 rfllllr.exe 40 PID 2860 wrote to memory of 2672 2860 rfllllr.exe 40 PID 2860 wrote to memory of 2672 2860 rfllllr.exe 40 PID 2860 wrote to memory of 2672 2860 rfllllr.exe 40 PID 2672 wrote to memory of 2688 2672 7pddd.exe 41 PID 2672 wrote to memory of 2688 2672 7pddd.exe 41 PID 2672 wrote to memory of 2688 2672 7pddd.exe 41 PID 2672 wrote to memory of 2688 2672 7pddd.exe 41 PID 2688 wrote to memory of 568 2688 202660.exe 42 PID 2688 wrote to memory of 568 2688 202660.exe 42 PID 2688 wrote to memory of 568 2688 202660.exe 42 PID 2688 wrote to memory of 568 2688 202660.exe 42 PID 568 wrote to memory of 2076 568 e46626.exe 43 PID 568 wrote to memory of 2076 568 e46626.exe 43 PID 568 wrote to memory of 2076 568 e46626.exe 43 PID 568 wrote to memory of 2076 568 e46626.exe 43 PID 2076 wrote to memory of 1904 2076 08440.exe 44 PID 2076 wrote to memory of 1904 2076 08440.exe 44 PID 2076 wrote to memory of 1904 2076 08440.exe 44 PID 2076 wrote to memory of 1904 2076 08440.exe 44 PID 1904 wrote to memory of 1272 1904 646626.exe 45 PID 1904 wrote to memory of 1272 1904 646626.exe 45 PID 1904 wrote to memory of 1272 1904 646626.exe 45 PID 1904 wrote to memory of 1272 1904 646626.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe"C:\Users\Admin\AppData\Local\Temp\5a02b216bcb8ff2d97031f6f641bd2f366b9599a82acf0f9e63a94952c8dbcaaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\1vjvd.exec:\1vjvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344 -
\??\c:\rxrfrfl.exec:\rxrfrfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\djpjd.exec:\djpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\64620.exec:\64620.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\ttthnn.exec:\ttthnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\hbtthh.exec:\hbtthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\xffrxxf.exec:\xffrxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\pdjpd.exec:\pdjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\3vvvv.exec:\3vvvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\rfllllr.exec:\rfllllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\7pddd.exec:\7pddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\202660.exec:\202660.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\e46626.exec:\e46626.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
\??\c:\08440.exec:\08440.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\646626.exec:\646626.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\20440.exec:\20440.exe17⤵
- Executes dropped EXE
PID:1272 -
\??\c:\vjvvj.exec:\vjvvj.exe18⤵
- Executes dropped EXE
PID:2948 -
\??\c:\46442.exec:\46442.exe19⤵
- Executes dropped EXE
PID:1244 -
\??\c:\pjvpv.exec:\pjvpv.exe20⤵
- Executes dropped EXE
PID:1964 -
\??\c:\m6484.exec:\m6484.exe21⤵
- Executes dropped EXE
PID:2468 -
\??\c:\rfrxxxf.exec:\rfrxxxf.exe22⤵
- Executes dropped EXE
PID:1916 -
\??\c:\5nbhbb.exec:\5nbhbb.exe23⤵
- Executes dropped EXE
PID:2328 -
\??\c:\jdjpd.exec:\jdjpd.exe24⤵
- Executes dropped EXE
PID:620 -
\??\c:\646004.exec:\646004.exe25⤵
- Executes dropped EXE
PID:1308 -
\??\c:\8644006.exec:\8644006.exe26⤵
- Executes dropped EXE
PID:1136 -
\??\c:\2062440.exec:\2062440.exe27⤵
- Executes dropped EXE
PID:876 -
\??\c:\0844044.exec:\0844044.exe28⤵
- Executes dropped EXE
PID:1968 -
\??\c:\xfrrrll.exec:\xfrrrll.exe29⤵
- Executes dropped EXE
PID:2168 -
\??\c:\frffffl.exec:\frffffl.exe30⤵
- Executes dropped EXE
PID:1044 -
\??\c:\vjvjv.exec:\vjvjv.exe31⤵
- Executes dropped EXE
PID:1752 -
\??\c:\608862.exec:\608862.exe32⤵
- Executes dropped EXE
PID:2480 -
\??\c:\rlxxlrf.exec:\rlxxlrf.exe33⤵
- Executes dropped EXE
PID:1484 -
\??\c:\7htnbh.exec:\7htnbh.exe34⤵
- Executes dropped EXE
PID:1572 -
\??\c:\a0880.exec:\a0880.exe35⤵
- Executes dropped EXE
PID:1488 -
\??\c:\4262464.exec:\4262464.exe36⤵
- Executes dropped EXE
PID:2060 -
\??\c:\a0440.exec:\a0440.exe37⤵
- Executes dropped EXE
PID:2104 -
\??\c:\1lllrrx.exec:\1lllrrx.exe38⤵
- Executes dropped EXE
PID:2736 -
\??\c:\dpdjp.exec:\dpdjp.exe39⤵
- Executes dropped EXE
PID:2344 -
\??\c:\xrllxlf.exec:\xrllxlf.exe40⤵
- Executes dropped EXE
PID:2824 -
\??\c:\1hbbnt.exec:\1hbbnt.exe41⤵
- Executes dropped EXE
PID:2876 -
\??\c:\8262408.exec:\8262408.exe42⤵
- Executes dropped EXE
PID:2808 -
\??\c:\hnhntb.exec:\hnhntb.exe43⤵
- Executes dropped EXE
PID:2872 -
\??\c:\22624.exec:\22624.exe44⤵
- Executes dropped EXE
PID:2760 -
\??\c:\lfrxrxl.exec:\lfrxrxl.exe45⤵
- Executes dropped EXE
PID:2624 -
\??\c:\048088.exec:\048088.exe46⤵
- Executes dropped EXE
PID:2124 -
\??\c:\bthhnn.exec:\bthhnn.exe47⤵
- Executes dropped EXE
PID:2928 -
\??\c:\ffflxfx.exec:\ffflxfx.exe48⤵
- Executes dropped EXE
PID:2908 -
\??\c:\vppvj.exec:\vppvj.exe49⤵
- Executes dropped EXE
PID:1620 -
\??\c:\llfflxl.exec:\llfflxl.exe50⤵
- Executes dropped EXE
PID:2744 -
\??\c:\864622.exec:\864622.exe51⤵
- Executes dropped EXE
PID:2944 -
\??\c:\nhbhtb.exec:\nhbhtb.exe52⤵
- Executes dropped EXE
PID:1984 -
\??\c:\82064.exec:\82064.exe53⤵
- Executes dropped EXE
PID:2036 -
\??\c:\8644068.exec:\8644068.exe54⤵
- Executes dropped EXE
PID:1916 -
\??\c:\022460.exec:\022460.exe55⤵
- Executes dropped EXE
PID:2056 -
\??\c:\nnhhnn.exec:\nnhhnn.exe56⤵
- Executes dropped EXE
PID:1960 -
\??\c:\u040880.exec:\u040880.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080 -
\??\c:\hbbhbb.exec:\hbbhbb.exe58⤵
- Executes dropped EXE
PID:1656 -
\??\c:\a6404.exec:\a6404.exe59⤵
- Executes dropped EXE
PID:2188 -
\??\c:\60846.exec:\60846.exe60⤵
- Executes dropped EXE
PID:876 -
\??\c:\26042.exec:\26042.exe61⤵
- Executes dropped EXE
PID:912 -
\??\c:\tnbntb.exec:\tnbntb.exe62⤵
- Executes dropped EXE
PID:1940 -
\??\c:\04408.exec:\04408.exe63⤵
- Executes dropped EXE
PID:1612 -
\??\c:\864062.exec:\864062.exe64⤵
- Executes dropped EXE
PID:992 -
\??\c:\hbnnbn.exec:\hbnnbn.exe65⤵
- Executes dropped EXE
PID:2052 -
\??\c:\tnhbtb.exec:\tnhbtb.exe66⤵PID:2308
-
\??\c:\jdvdv.exec:\jdvdv.exe67⤵PID:2464
-
\??\c:\26062.exec:\26062.exe68⤵PID:2336
-
\??\c:\2684628.exec:\2684628.exe69⤵PID:2236
-
\??\c:\nntbhb.exec:\nntbhb.exe70⤵PID:1568
-
\??\c:\9xfxxlr.exec:\9xfxxlr.exe71⤵PID:2740
-
\??\c:\q46062.exec:\q46062.exe72⤵PID:1808
-
\??\c:\rfllllr.exec:\rfllllr.exe73⤵PID:2484
-
\??\c:\202626.exec:\202626.exe74⤵PID:2544
-
\??\c:\m0488.exec:\m0488.exe75⤵PID:1288
-
\??\c:\jjvvj.exec:\jjvvj.exe76⤵PID:2020
-
\??\c:\e02222.exec:\e02222.exe77⤵PID:2840
-
\??\c:\6460040.exec:\6460040.exe78⤵PID:1696
-
\??\c:\m8006.exec:\m8006.exe79⤵PID:2816
-
\??\c:\pjvvj.exec:\pjvvj.exe80⤵PID:2664
-
\??\c:\bnhbnb.exec:\bnhbnb.exe81⤵PID:2924
-
\??\c:\m8606.exec:\m8606.exe82⤵PID:1620
-
\??\c:\82026.exec:\82026.exe83⤵PID:3020
-
\??\c:\080662.exec:\080662.exe84⤵PID:2216
-
\??\c:\268844.exec:\268844.exe85⤵PID:568
-
\??\c:\424060.exec:\424060.exe86⤵PID:2324
-
\??\c:\pdpjj.exec:\pdpjj.exe87⤵PID:1800
-
\??\c:\4682228.exec:\4682228.exe88⤵PID:2692
-
\??\c:\s8484.exec:\s8484.exe89⤵PID:2836
-
\??\c:\vjddj.exec:\vjddj.exe90⤵PID:536
-
\??\c:\02602.exec:\02602.exe91⤵PID:2256
-
\??\c:\hthbbt.exec:\hthbbt.exe92⤵
- System Location Discovery: System Language Discovery
PID:1924 -
\??\c:\8622662.exec:\8622662.exe93⤵PID:2328
-
\??\c:\s6440.exec:\s6440.exe94⤵PID:2728
-
\??\c:\080622.exec:\080622.exe95⤵PID:332
-
\??\c:\u466224.exec:\u466224.exe96⤵PID:1224
-
\??\c:\0428048.exec:\0428048.exe97⤵PID:912
-
\??\c:\djpvj.exec:\djpvj.exe98⤵PID:984
-
\??\c:\xrflrxl.exec:\xrflrxl.exe99⤵PID:2232
-
\??\c:\862060.exec:\862060.exe100⤵PID:628
-
\??\c:\nnbbbb.exec:\nnbbbb.exe101⤵PID:2452
-
\??\c:\7lfxxxf.exec:\7lfxxxf.exe102⤵PID:832
-
\??\c:\20888.exec:\20888.exe103⤵PID:2852
-
\??\c:\lxxrxfl.exec:\lxxrxfl.exe104⤵PID:548
-
\??\c:\6428046.exec:\6428046.exe105⤵PID:1484
-
\??\c:\pjvjp.exec:\pjvjp.exe106⤵PID:1284
-
\??\c:\80266.exec:\80266.exe107⤵PID:2412
-
\??\c:\1nhbbb.exec:\1nhbbb.exe108⤵PID:2920
-
\??\c:\4884286.exec:\4884286.exe109⤵PID:2568
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe110⤵PID:2712
-
\??\c:\frlxrxl.exec:\frlxrxl.exe111⤵PID:2196
-
\??\c:\288002.exec:\288002.exe112⤵PID:2104
-
\??\c:\6402286.exec:\6402286.exe113⤵PID:1664
-
\??\c:\m4802.exec:\m4802.exe114⤵
- System Location Discovery: System Language Discovery
PID:2192 -
\??\c:\84602.exec:\84602.exe115⤵PID:1084
-
\??\c:\60884.exec:\60884.exe116⤵PID:2876
-
\??\c:\48840.exec:\48840.exe117⤵PID:2128
-
\??\c:\hbnbhn.exec:\hbnbhn.exe118⤵PID:2348
-
\??\c:\00846.exec:\00846.exe119⤵PID:1288
-
\??\c:\7hntbb.exec:\7hntbb.exe120⤵PID:2020
-
\??\c:\w64684.exec:\w64684.exe121⤵PID:2124
-
\??\c:\1ppjd.exec:\1ppjd.exe122⤵PID:1696