Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
26-12-2024 12:10
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
888cc60158312d295fbc5ed7e0923dfd5a6f2d5eb3eeb4987527bfbe63228abaN.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
888cc60158312d295fbc5ed7e0923dfd5a6f2d5eb3eeb4987527bfbe63228abaN.exe
-
Size
453KB
-
MD5
493eeac21071183f331ddb46e5775bb0
-
SHA1
8a2b5bfca943fdcfb0dda63683c475dc6ac3e6c2
-
SHA256
888cc60158312d295fbc5ed7e0923dfd5a6f2d5eb3eeb4987527bfbe63228aba
-
SHA512
44d954fb720a44240041334b789f575f424eb6e9a6b194d43947c071fa94d7b6e4fdd6560b3e8dadececce4f9de0e091cf627f1adc35a291c22fb6c3f873fabb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 46 IoCs (YARA rule `family_blackmoon` on process memory dumps). Most matches sit at the default image base 0x400000–0x42A000 of the dropped executables; several are at other bases of the same 0x2A000 size (e.g. 0x3C0000–0x3EA000, 0x320000–0x34A000, 0x220000–0x24A000), which suggests the same payload is also present outside the main image — confirm against the individual dumps before treating those as injected regions.
resource yara_rule behavioral1/memory/1688-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/352-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2500-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-324-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2740-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-344-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2756-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-370-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1712-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-505-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1360-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-748-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2268-877-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2828-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-884-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2680-930-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1828-1076-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-1164-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2212-1200-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/672-1207-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/884-1220-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2396-1233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the sandbox caps this list at 64 entries; the process tree below continues well beyond the 64 processes listed here, so the true number of dropped executables is higher and each chain link drops and runs the next)
pid Process 2688 jvjjv.exe 2540 jdpvd.exe 1956 60446.exe 2456 dvddj.exe 2744 dvjjp.exe 2912 ddvdj.exe 2612 804460.exe 2852 3hbhnn.exe 2764 s0884.exe 2620 thttbh.exe 2920 04062.exe 1980 08864.exe 1476 pvpjp.exe 840 s4846.exe 2396 ffrlffl.exe 1912 nhnttb.exe 1312 62246.exe 1296 rfrxffx.exe 2128 i268884.exe 352 htbhbt.exe 2552 4802028.exe 3020 0044062.exe 1396 088642.exe 1668 s4802.exe 1828 u680280.exe 1768 668662.exe 2196 48440.exe 3044 bthhnh.exe 2500 tthnth.exe 2088 8202846.exe 1632 bhnthn.exe 1244 048462.exe 1704 480806.exe 2152 7ppvd.exe 2384 k48828.exe 2412 424684.exe 988 jdpdp.exe 2740 u084680.exe 2708 824406.exe 2756 u240068.exe 2924 lfrxflr.exe 2692 jdjdd.exe 2852 xxrrxxf.exe 1712 i600220.exe 3068 482844.exe 2768 jdpdj.exe 2592 nnhhbh.exe 2244 226284.exe 2780 864622.exe 2948 pjvdj.exe 1852 4840848.exe 2880 60622.exe 2952 a4666.exe 2508 nnnthh.exe 1388 q08024.exe 1560 dvvdj.exe 2308 flxxffr.exe 2092 djdpj.exe 1636 042822.exe 2228 480600.exe 2236 9llrfrf.exe 992 btbhth.exe 1608 hhhhtt.exe 1360 e08028.exe -
resource yara_rule behavioral1/memory/1688-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-220-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1828-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-505-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1360-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-885-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2276-943-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-981-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-1069-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-1125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-1233-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim (by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer the geographical location of the host. On its own this is a weak indicator — benign software reads this key too. Many entries below are attributed to "Process not Found": the sandbox could not resolve the PID to a process name, most likely because the short-lived dropped executables had already exited; attribute those by PID and timestamp if exact process mapping is needed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8628808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q60628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u680280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4282600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i600220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e60626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64). Each parent writes into the memory of the child it has just spawned (the target PIDs match the next link in the process tree below), and each pair is logged four times; whether this is process-creation plumbing or actual code injection into the child is not distinguishable from this list alone — verify against the memory dumps.
description pid Process procid_target PID 1688 wrote to memory of 2688 1688 888cc60158312d295fbc5ed7e0923dfd5a6f2d5eb3eeb4987527bfbe63228abaN.exe 30 PID 1688 wrote to memory of 2688 1688 888cc60158312d295fbc5ed7e0923dfd5a6f2d5eb3eeb4987527bfbe63228abaN.exe 30 PID 1688 wrote to memory of 2688 1688 888cc60158312d295fbc5ed7e0923dfd5a6f2d5eb3eeb4987527bfbe63228abaN.exe 30 PID 1688 wrote to memory of 2688 1688 888cc60158312d295fbc5ed7e0923dfd5a6f2d5eb3eeb4987527bfbe63228abaN.exe 30 PID 2688 wrote to memory of 2540 2688 jvjjv.exe 31 PID 2688 wrote to memory of 2540 2688 jvjjv.exe 31 PID 2688 wrote to memory of 2540 2688 jvjjv.exe 31 PID 2688 wrote to memory of 2540 2688 jvjjv.exe 31 PID 2540 wrote to memory of 1956 2540 jdpvd.exe 32 PID 2540 wrote to memory of 1956 2540 jdpvd.exe 32 PID 2540 wrote to memory of 1956 2540 jdpvd.exe 32 PID 2540 wrote to memory of 1956 2540 jdpvd.exe 32 PID 1956 wrote to memory of 2456 1956 60446.exe 33 PID 1956 wrote to memory of 2456 1956 60446.exe 33 PID 1956 wrote to memory of 2456 1956 60446.exe 33 PID 1956 wrote to memory of 2456 1956 60446.exe 33 PID 2456 wrote to memory of 2744 2456 dvddj.exe 34 PID 2456 wrote to memory of 2744 2456 dvddj.exe 34 PID 2456 wrote to memory of 2744 2456 dvddj.exe 34 PID 2456 wrote to memory of 2744 2456 dvddj.exe 34 PID 2744 wrote to memory of 2912 2744 dvjjp.exe 35 PID 2744 wrote to memory of 2912 2744 dvjjp.exe 35 PID 2744 wrote to memory of 2912 2744 dvjjp.exe 35 PID 2744 wrote to memory of 2912 2744 dvjjp.exe 35 PID 2912 wrote to memory of 2612 2912 ddvdj.exe 36 PID 2912 wrote to memory of 2612 2912 ddvdj.exe 36 PID 2912 wrote to memory of 2612 2912 ddvdj.exe 36 PID 2912 wrote to memory of 2612 2912 ddvdj.exe 36 PID 2612 wrote to memory of 2852 2612 804460.exe 37 PID 2612 wrote to memory of 2852 2612 804460.exe 37 PID 2612 wrote to memory of 2852 2612 804460.exe 37 PID 2612 wrote to memory of 2852 2612 804460.exe 37 PID 2852 wrote to memory of 2764 2852 3hbhnn.exe 38 PID 2852 wrote to memory of 2764 
2852 3hbhnn.exe 38 PID 2852 wrote to memory of 2764 2852 3hbhnn.exe 38 PID 2852 wrote to memory of 2764 2852 3hbhnn.exe 38 PID 2764 wrote to memory of 2620 2764 s0884.exe 39 PID 2764 wrote to memory of 2620 2764 s0884.exe 39 PID 2764 wrote to memory of 2620 2764 s0884.exe 39 PID 2764 wrote to memory of 2620 2764 s0884.exe 39 PID 2620 wrote to memory of 2920 2620 thttbh.exe 40 PID 2620 wrote to memory of 2920 2620 thttbh.exe 40 PID 2620 wrote to memory of 2920 2620 thttbh.exe 40 PID 2620 wrote to memory of 2920 2620 thttbh.exe 40 PID 2920 wrote to memory of 1980 2920 04062.exe 41 PID 2920 wrote to memory of 1980 2920 04062.exe 41 PID 2920 wrote to memory of 1980 2920 04062.exe 41 PID 2920 wrote to memory of 1980 2920 04062.exe 41 PID 1980 wrote to memory of 1476 1980 08864.exe 42 PID 1980 wrote to memory of 1476 1980 08864.exe 42 PID 1980 wrote to memory of 1476 1980 08864.exe 42 PID 1980 wrote to memory of 1476 1980 08864.exe 42 PID 1476 wrote to memory of 840 1476 pvpjp.exe 43 PID 1476 wrote to memory of 840 1476 pvpjp.exe 43 PID 1476 wrote to memory of 840 1476 pvpjp.exe 43 PID 1476 wrote to memory of 840 1476 pvpjp.exe 43 PID 840 wrote to memory of 2396 840 s4846.exe 44 PID 840 wrote to memory of 2396 840 s4846.exe 44 PID 840 wrote to memory of 2396 840 s4846.exe 44 PID 840 wrote to memory of 2396 840 s4846.exe 44 PID 2396 wrote to memory of 1912 2396 ffrlffl.exe 45 PID 2396 wrote to memory of 1912 2396 ffrlffl.exe 45 PID 2396 wrote to memory of 1912 2396 ffrlffl.exe 45 PID 2396 wrote to memory of 1912 2396 ffrlffl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\888cc60158312d295fbc5ed7e0923dfd5a6f2d5eb3eeb4987527bfbe63228abaN.exe — command line: "C:\Users\Admin\AppData\Local\Temp\888cc60158312d295fbc5ed7e0923dfd5a6f2d5eb3eeb4987527bfbe63228abaN.exe" — 1⤵
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\jvjjv.exe — command line: c:\jvjjv.exe — 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\jdpvd.exec:\jdpvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\60446.exec:\60446.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\dvddj.exec:\dvddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\dvjjp.exec:\dvjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\ddvdj.exec:\ddvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\804460.exec:\804460.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\3hbhnn.exec:\3hbhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\s0884.exec:\s0884.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\thttbh.exec:\thttbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\04062.exec:\04062.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\08864.exec:\08864.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\pvpjp.exec:\pvpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\s4846.exec:\s4846.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\ffrlffl.exec:\ffrlffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\nhnttb.exec:\nhnttb.exe17⤵
- Executes dropped EXE
PID:1912 -
\??\c:\62246.exec:\62246.exe18⤵
- Executes dropped EXE
PID:1312 -
\??\c:\rfrxffx.exec:\rfrxffx.exe19⤵
- Executes dropped EXE
PID:1296 -
\??\c:\i268884.exec:\i268884.exe20⤵
- Executes dropped EXE
PID:2128 -
\??\c:\htbhbt.exec:\htbhbt.exe21⤵
- Executes dropped EXE
PID:352 -
\??\c:\4802028.exec:\4802028.exe22⤵
- Executes dropped EXE
PID:2552 -
\??\c:\0044062.exec:\0044062.exe23⤵
- Executes dropped EXE
PID:3020 -
\??\c:\088642.exec:\088642.exe24⤵
- Executes dropped EXE
PID:1396 -
\??\c:\s4802.exec:\s4802.exe25⤵
- Executes dropped EXE
PID:1668 -
\??\c:\u680280.exec:\u680280.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1828 -
\??\c:\668662.exec:\668662.exe27⤵
- Executes dropped EXE
PID:1768 -
\??\c:\48440.exec:\48440.exe28⤵
- Executes dropped EXE
PID:2196 -
\??\c:\bthhnh.exec:\bthhnh.exe29⤵
- Executes dropped EXE
PID:3044 -
\??\c:\tthnth.exec:\tthnth.exe30⤵
- Executes dropped EXE
PID:2500 -
\??\c:\8202846.exec:\8202846.exe31⤵
- Executes dropped EXE
PID:2088 -
\??\c:\bhnthn.exec:\bhnthn.exe32⤵
- Executes dropped EXE
PID:1632 -
\??\c:\048462.exec:\048462.exe33⤵
- Executes dropped EXE
PID:1244 -
\??\c:\480806.exec:\480806.exe34⤵
- Executes dropped EXE
PID:1704 -
\??\c:\7ppvd.exec:\7ppvd.exe35⤵
- Executes dropped EXE
PID:2152 -
\??\c:\k48828.exec:\k48828.exe36⤵
- Executes dropped EXE
PID:2384 -
\??\c:\424684.exec:\424684.exe37⤵
- Executes dropped EXE
PID:2412 -
\??\c:\jdpdp.exec:\jdpdp.exe38⤵
- Executes dropped EXE
PID:988 -
\??\c:\u084680.exec:\u084680.exe39⤵
- Executes dropped EXE
PID:2740 -
\??\c:\824406.exec:\824406.exe40⤵
- Executes dropped EXE
PID:2708 -
\??\c:\u240068.exec:\u240068.exe41⤵
- Executes dropped EXE
PID:2756 -
\??\c:\lfrxflr.exec:\lfrxflr.exe42⤵
- Executes dropped EXE
PID:2924 -
\??\c:\jdjdd.exec:\jdjdd.exe43⤵
- Executes dropped EXE
PID:2692 -
\??\c:\xxrrxxf.exec:\xxrrxxf.exe44⤵
- Executes dropped EXE
PID:2852 -
\??\c:\i600220.exec:\i600220.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
\??\c:\482844.exec:\482844.exe46⤵
- Executes dropped EXE
PID:3068 -
\??\c:\jdpdj.exec:\jdpdj.exe47⤵
- Executes dropped EXE
PID:2768 -
\??\c:\nnhhbh.exec:\nnhhbh.exe48⤵
- Executes dropped EXE
PID:2592 -
\??\c:\226284.exec:\226284.exe49⤵
- Executes dropped EXE
PID:2244 -
\??\c:\864622.exec:\864622.exe50⤵
- Executes dropped EXE
PID:2780 -
\??\c:\pjvdj.exec:\pjvdj.exe51⤵
- Executes dropped EXE
PID:2948 -
\??\c:\4840848.exec:\4840848.exe52⤵
- Executes dropped EXE
PID:1852 -
\??\c:\60622.exec:\60622.exe53⤵
- Executes dropped EXE
PID:2880 -
\??\c:\a4666.exec:\a4666.exe54⤵
- Executes dropped EXE
PID:2952 -
\??\c:\nnnthh.exec:\nnnthh.exe55⤵
- Executes dropped EXE
PID:2508 -
\??\c:\q08024.exec:\q08024.exe56⤵
- Executes dropped EXE
PID:1388 -
\??\c:\dvvdj.exec:\dvvdj.exe57⤵
- Executes dropped EXE
PID:1560 -
\??\c:\flxxffr.exec:\flxxffr.exe58⤵
- Executes dropped EXE
PID:2308 -
\??\c:\djdpj.exec:\djdpj.exe59⤵
- Executes dropped EXE
PID:2092 -
\??\c:\042822.exec:\042822.exe60⤵
- Executes dropped EXE
PID:1636 -
\??\c:\480600.exec:\480600.exe61⤵
- Executes dropped EXE
PID:2228 -
\??\c:\9llrfrf.exec:\9llrfrf.exe62⤵
- Executes dropped EXE
PID:2236 -
\??\c:\btbhth.exec:\btbhth.exe63⤵
- Executes dropped EXE
PID:992 -
\??\c:\hhhhtt.exec:\hhhhtt.exe64⤵
- Executes dropped EXE
PID:1608 -
\??\c:\e08028.exec:\e08028.exe65⤵
- Executes dropped EXE
PID:1360 -
\??\c:\1vjjv.exec:\1vjjv.exe66⤵PID:856
-
\??\c:\rxxrlrf.exec:\rxxrlrf.exe67⤵PID:1780
-
\??\c:\lllxllr.exec:\lllxllr.exe68⤵PID:2440
-
\??\c:\4442064.exec:\4442064.exe69⤵PID:2196
-
\??\c:\ddpvj.exec:\ddpvj.exe70⤵PID:1620
-
\??\c:\vpvvd.exec:\vpvvd.exe71⤵PID:700
-
\??\c:\a2620.exec:\a2620.exe72⤵PID:1504
-
\??\c:\o606884.exec:\o606884.exe73⤵PID:1796
-
\??\c:\q22428.exec:\q22428.exe74⤵PID:1732
-
\??\c:\088206.exec:\088206.exe75⤵PID:2524
-
\??\c:\7djvp.exec:\7djvp.exe76⤵PID:1576
-
\??\c:\264440.exec:\264440.exe77⤵PID:2540
-
\??\c:\202622.exec:\202622.exe78⤵PID:1448
-
\??\c:\40080.exec:\40080.exe79⤵PID:2836
-
\??\c:\3bnbhh.exec:\3bnbhh.exe80⤵PID:1968
-
\??\c:\26408.exec:\26408.exe81⤵PID:2832
-
\??\c:\0046802.exec:\0046802.exe82⤵PID:2912
-
\??\c:\8266664.exec:\8266664.exe83⤵PID:2996
-
\??\c:\0422606.exec:\0422606.exe84⤵PID:2640
-
\??\c:\vvpdp.exec:\vvpdp.exe85⤵PID:2716
-
\??\c:\s4840.exec:\s4840.exe86⤵PID:2908
-
\??\c:\jddjv.exec:\jddjv.exe87⤵PID:2608
-
\??\c:\26628.exec:\26628.exe88⤵PID:2620
-
\??\c:\3frfrxl.exec:\3frfrxl.exe89⤵PID:3068
-
\??\c:\vpjvj.exec:\vpjvj.exe90⤵PID:672
-
\??\c:\tnbhtb.exec:\tnbhtb.exe91⤵PID:2372
-
\??\c:\2262066.exec:\2262066.exe92⤵PID:2244
-
\??\c:\0428624.exec:\0428624.exe93⤵PID:1308
-
\??\c:\9btbhn.exec:\9btbhn.exe94⤵
- System Location Discovery: System Language Discovery
PID:1940 -
\??\c:\nbbnbh.exec:\nbbnbh.exe95⤵PID:2368
-
\??\c:\rlxxffr.exec:\rlxxffr.exe96⤵PID:2944
-
\??\c:\s6026.exec:\s6026.exe97⤵PID:1292
-
\??\c:\864062.exec:\864062.exe98⤵PID:1676
-
\??\c:\04844.exec:\04844.exe99⤵PID:1296
-
\??\c:\pppvv.exec:\pppvv.exe100⤵PID:1588
-
\??\c:\82602.exec:\82602.exe101⤵PID:2128
-
\??\c:\xfllflr.exec:\xfllflr.exe102⤵PID:2488
-
\??\c:\w62048.exec:\w62048.exe103⤵PID:2240
-
\??\c:\s2024.exec:\s2024.exe104⤵PID:844
-
\??\c:\664460.exec:\664460.exe105⤵PID:3020
-
\??\c:\4880846.exec:\4880846.exe106⤵PID:612
-
\??\c:\264460.exec:\264460.exe107⤵PID:2468
-
\??\c:\vpppd.exec:\vpppd.exe108⤵PID:2080
-
\??\c:\88680.exec:\88680.exe109⤵PID:1536
-
\??\c:\vpvvv.exec:\vpvvv.exe110⤵PID:888
-
\??\c:\2268068.exec:\2268068.exe111⤵PID:1780
-
\??\c:\2044628.exec:\2044628.exe112⤵PID:3036
-
\??\c:\48024.exec:\48024.exe113⤵PID:1952
-
\??\c:\flfrlrf.exec:\flfrlrf.exe114⤵PID:1924
-
\??\c:\482468.exec:\482468.exe115⤵PID:700
-
\??\c:\bbtbth.exec:\bbtbth.exe116⤵PID:1504
-
\??\c:\0884828.exec:\0884828.exe117⤵PID:1740
-
\??\c:\ddpjp.exec:\ddpjp.exe118⤵PID:1688
-
\??\c:\c422822.exec:\c422822.exe119⤵PID:1600
-
\??\c:\jjdjp.exec:\jjdjp.exe120⤵PID:2148
-
\??\c:\dvjjj.exec:\dvjjj.exe121⤵PID:1444
-
\??\c:\9jvjp.exec:\9jvjp.exe122⤵PID:2364
-