Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 12:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d01aac0405276ba991db94415dfba2ee0604d1d3be6ac1c1710e6396198c3c70N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
d01aac0405276ba991db94415dfba2ee0604d1d3be6ac1c1710e6396198c3c70N.exe
-
Size
453KB
-
MD5
87cdd088b81c43874698e72678abca70
-
SHA1
b7ed021a998fc07f3bf94ab077fa889cbc9cbb33
-
SHA256
d01aac0405276ba991db94415dfba2ee0604d1d3be6ac1c1710e6396198c3c70
-
SHA512
bfc9461d425e66d870114cdb991b5fbe5b0033c945d7bd65b92283d2a8514d38d5f08eace8a6885de423dada05cf17fcad140e015e5390f8acbd92165cd56650
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetp:q7Tc2NYHUrAwfMp3CDtp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2944-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-26-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2464-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/576-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/560-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-99-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2620-95-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2184-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-139-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/612-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1812-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-342-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1092-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-412-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3048-419-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1268-462-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1868-496-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1696-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-546-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1848-544-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/988-554-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2892-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1856-651-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2004-660-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2004-676-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2936-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-845-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2324 042806.exe 2852 3vddp.exe 2464 jvddj.exe 2692 hnthbt.exe 2768 4642866.exe 2620 42884.exe 560 68488.exe 576 424048.exe 2080 rxllfff.exe 2412 rlrxxxf.exe 1984 xrrxxxf.exe 2184 682666.exe 2016 648660.exe 3040 9djvp.exe 2876 9jddv.exe 2780 7jjjd.exe 1512 lxfxxrx.exe 2216 o066200.exe 1816 k44466.exe 2312 64002.exe 2668 024400.exe 956 2088822.exe 1948 64066.exe 1744 dpvpv.exe 2040 82226.exe 612 vpjdp.exe 1812 200404.exe 1764 5pjdv.exe 1924 tnnhnh.exe 1388 08884.exe 2660 80082.exe 2824 08000.exe 2324 vpddj.exe 1372 e64400.exe 2900 9hbbtt.exe 2688 xlfxxrx.exe 2764 fxxrfxf.exe 2012 1nntth.exe 776 rflffrr.exe 1092 424064.exe 2164 pvjdd.exe 1704 jvpdd.exe 836 vdddv.exe 2412 hbnnhn.exe 2356 m4082.exe 2156 802226.exe 2372 rflffff.exe 2184 o082200.exe 3048 u248866.exe 3040 k84004.exe 668 2082844.exe 1564 64444.exe 1268 68448.exe 1512 dpdjd.exe 2192 fxlxxxl.exe 2476 hbtbnn.exe 2056 hbhntt.exe 2652 e46282.exe 2668 6466040.exe 1676 0468008.exe 1868 pvdvv.exe 1696 tthhtt.exe 908 rfrlrlr.exe 2628 nhbhhn.exe -
resource yara_rule behavioral1/memory/2944-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/560-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-116-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2184-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-137-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3040-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-313-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2764-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/372-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-800-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2124-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-902-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6466266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w82428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8026266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4660484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i222880.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2944 wrote to memory of 2324 2944 d01aac0405276ba991db94415dfba2ee0604d1d3be6ac1c1710e6396198c3c70N.exe 30 PID 2944 wrote to memory of 2324 2944 d01aac0405276ba991db94415dfba2ee0604d1d3be6ac1c1710e6396198c3c70N.exe 30 PID 2944 wrote to memory of 2324 2944 d01aac0405276ba991db94415dfba2ee0604d1d3be6ac1c1710e6396198c3c70N.exe 30 PID 2944 wrote to memory of 2324 2944 d01aac0405276ba991db94415dfba2ee0604d1d3be6ac1c1710e6396198c3c70N.exe 30 PID 2324 wrote to memory of 2852 2324 042806.exe 31 PID 2324 wrote to memory of 2852 2324 042806.exe 31 PID 2324 wrote to memory of 2852 2324 042806.exe 31 PID 2324 wrote to memory of 2852 2324 042806.exe 31 PID 2852 wrote to memory of 2464 2852 3vddp.exe 32 PID 2852 wrote to memory of 2464 2852 3vddp.exe 32 PID 2852 wrote to memory of 2464 2852 3vddp.exe 32 PID 2852 wrote to memory of 2464 2852 3vddp.exe 32 PID 2464 wrote to memory of 2692 2464 jvddj.exe 33 PID 2464 wrote to memory of 2692 2464 jvddj.exe 33 PID 2464 wrote to memory of 2692 2464 jvddj.exe 33 PID 2464 wrote to memory of 2692 2464 jvddj.exe 33 PID 2692 wrote to memory of 2768 2692 hnthbt.exe 34 PID 2692 wrote to memory of 2768 2692 hnthbt.exe 34 PID 2692 wrote to memory of 2768 2692 hnthbt.exe 34 PID 2692 wrote to memory of 2768 2692 hnthbt.exe 34 PID 2768 wrote to memory of 2620 2768 4642866.exe 35 PID 2768 wrote to memory of 2620 2768 4642866.exe 35 PID 2768 wrote to memory of 2620 2768 4642866.exe 35 PID 2768 wrote to memory of 2620 2768 4642866.exe 35 PID 2620 wrote to memory of 560 2620 42884.exe 36 PID 2620 wrote to memory of 560 2620 42884.exe 36 PID 2620 wrote to memory of 560 2620 42884.exe 36 PID 2620 wrote to memory of 560 2620 42884.exe 36 PID 560 wrote to memory of 576 560 68488.exe 37 PID 560 wrote to memory of 576 560 68488.exe 37 PID 560 wrote to memory of 576 560 68488.exe 37 PID 560 wrote to memory of 576 560 68488.exe 37 PID 576 wrote to memory of 2080 576 424048.exe 38 PID 576 wrote to memory of 2080 576 
424048.exe 38 PID 576 wrote to memory of 2080 576 424048.exe 38 PID 576 wrote to memory of 2080 576 424048.exe 38 PID 2080 wrote to memory of 2412 2080 rxllfff.exe 39 PID 2080 wrote to memory of 2412 2080 rxllfff.exe 39 PID 2080 wrote to memory of 2412 2080 rxllfff.exe 39 PID 2080 wrote to memory of 2412 2080 rxllfff.exe 39 PID 2412 wrote to memory of 1984 2412 rlrxxxf.exe 40 PID 2412 wrote to memory of 1984 2412 rlrxxxf.exe 40 PID 2412 wrote to memory of 1984 2412 rlrxxxf.exe 40 PID 2412 wrote to memory of 1984 2412 rlrxxxf.exe 40 PID 1984 wrote to memory of 2184 1984 xrrxxxf.exe 41 PID 1984 wrote to memory of 2184 1984 xrrxxxf.exe 41 PID 1984 wrote to memory of 2184 1984 xrrxxxf.exe 41 PID 1984 wrote to memory of 2184 1984 xrrxxxf.exe 41 PID 2184 wrote to memory of 2016 2184 682666.exe 42 PID 2184 wrote to memory of 2016 2184 682666.exe 42 PID 2184 wrote to memory of 2016 2184 682666.exe 42 PID 2184 wrote to memory of 2016 2184 682666.exe 42 PID 2016 wrote to memory of 3040 2016 648660.exe 43 PID 2016 wrote to memory of 3040 2016 648660.exe 43 PID 2016 wrote to memory of 3040 2016 648660.exe 43 PID 2016 wrote to memory of 3040 2016 648660.exe 43 PID 3040 wrote to memory of 2876 3040 9djvp.exe 44 PID 3040 wrote to memory of 2876 3040 9djvp.exe 44 PID 3040 wrote to memory of 2876 3040 9djvp.exe 44 PID 3040 wrote to memory of 2876 3040 9djvp.exe 44 PID 2876 wrote to memory of 2780 2876 9jddv.exe 45 PID 2876 wrote to memory of 2780 2876 9jddv.exe 45 PID 2876 wrote to memory of 2780 2876 9jddv.exe 45 PID 2876 wrote to memory of 2780 2876 9jddv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d01aac0405276ba991db94415dfba2ee0604d1d3be6ac1c1710e6396198c3c70N.exe"C:\Users\Admin\AppData\Local\Temp\d01aac0405276ba991db94415dfba2ee0604d1d3be6ac1c1710e6396198c3c70N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\042806.exec:\042806.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\3vddp.exec:\3vddp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\jvddj.exec:\jvddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\hnthbt.exec:\hnthbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\4642866.exec:\4642866.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\42884.exec:\42884.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\68488.exec:\68488.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
\??\c:\424048.exec:\424048.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
\??\c:\rxllfff.exec:\rxllfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\rlrxxxf.exec:\rlrxxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\xrrxxxf.exec:\xrrxxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\682666.exec:\682666.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\648660.exec:\648660.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\9djvp.exec:\9djvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\9jddv.exec:\9jddv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\7jjjd.exec:\7jjjd.exe17⤵
- Executes dropped EXE
PID:2780 -
\??\c:\lxfxxrx.exec:\lxfxxrx.exe18⤵
- Executes dropped EXE
PID:1512 -
\??\c:\o066200.exec:\o066200.exe19⤵
- Executes dropped EXE
PID:2216 -
\??\c:\k44466.exec:\k44466.exe20⤵
- Executes dropped EXE
PID:1816 -
\??\c:\64002.exec:\64002.exe21⤵
- Executes dropped EXE
PID:2312 -
\??\c:\024400.exec:\024400.exe22⤵
- Executes dropped EXE
PID:2668 -
\??\c:\2088822.exec:\2088822.exe23⤵
- Executes dropped EXE
PID:956 -
\??\c:\64066.exec:\64066.exe24⤵
- Executes dropped EXE
PID:1948 -
\??\c:\dpvpv.exec:\dpvpv.exe25⤵
- Executes dropped EXE
PID:1744 -
\??\c:\82226.exec:\82226.exe26⤵
- Executes dropped EXE
PID:2040 -
\??\c:\vpjdp.exec:\vpjdp.exe27⤵
- Executes dropped EXE
PID:612 -
\??\c:\200404.exec:\200404.exe28⤵
- Executes dropped EXE
PID:1812 -
\??\c:\5pjdv.exec:\5pjdv.exe29⤵
- Executes dropped EXE
PID:1764 -
\??\c:\tnnhnh.exec:\tnnhnh.exe30⤵
- Executes dropped EXE
PID:1924 -
\??\c:\08884.exec:\08884.exe31⤵
- Executes dropped EXE
PID:1388 -
\??\c:\80082.exec:\80082.exe32⤵
- Executes dropped EXE
PID:2660 -
\??\c:\08000.exec:\08000.exe33⤵
- Executes dropped EXE
PID:2824 -
\??\c:\vpddj.exec:\vpddj.exe34⤵
- Executes dropped EXE
PID:2324 -
\??\c:\e64400.exec:\e64400.exe35⤵
- Executes dropped EXE
PID:1372 -
\??\c:\9hbbtt.exec:\9hbbtt.exe36⤵
- Executes dropped EXE
PID:2900 -
\??\c:\xlfxxrx.exec:\xlfxxrx.exe37⤵
- Executes dropped EXE
PID:2688 -
\??\c:\fxxrfxf.exec:\fxxrfxf.exe38⤵
- Executes dropped EXE
PID:2764 -
\??\c:\1nntth.exec:\1nntth.exe39⤵
- Executes dropped EXE
PID:2012 -
\??\c:\rflffrr.exec:\rflffrr.exe40⤵
- Executes dropped EXE
PID:776 -
\??\c:\424064.exec:\424064.exe41⤵
- Executes dropped EXE
PID:1092 -
\??\c:\pvjdd.exec:\pvjdd.exe42⤵
- Executes dropped EXE
PID:2164 -
\??\c:\jvpdd.exec:\jvpdd.exe43⤵
- Executes dropped EXE
PID:1704 -
\??\c:\vdddv.exec:\vdddv.exe44⤵
- Executes dropped EXE
PID:836 -
\??\c:\hbnnhn.exec:\hbnnhn.exe45⤵
- Executes dropped EXE
PID:2412 -
\??\c:\m4082.exec:\m4082.exe46⤵
- Executes dropped EXE
PID:2356 -
\??\c:\802226.exec:\802226.exe47⤵
- Executes dropped EXE
PID:2156 -
\??\c:\rflffff.exec:\rflffff.exe48⤵
- Executes dropped EXE
PID:2372 -
\??\c:\o082200.exec:\o082200.exe49⤵
- Executes dropped EXE
PID:2184 -
\??\c:\u248866.exec:\u248866.exe50⤵
- Executes dropped EXE
PID:3048 -
\??\c:\k84004.exec:\k84004.exe51⤵
- Executes dropped EXE
PID:3040 -
\??\c:\2082844.exec:\2082844.exe52⤵
- Executes dropped EXE
PID:668 -
\??\c:\64444.exec:\64444.exe53⤵
- Executes dropped EXE
PID:1564 -
\??\c:\68448.exec:\68448.exe54⤵
- Executes dropped EXE
PID:1268 -
\??\c:\dpdjd.exec:\dpdjd.exe55⤵
- Executes dropped EXE
PID:1512 -
\??\c:\fxlxxxl.exec:\fxlxxxl.exe56⤵
- Executes dropped EXE
PID:2192 -
\??\c:\hbtbnn.exec:\hbtbnn.exe57⤵
- Executes dropped EXE
PID:2476 -
\??\c:\hbhntt.exec:\hbhntt.exe58⤵
- Executes dropped EXE
PID:2056 -
\??\c:\e46282.exec:\e46282.exe59⤵
- Executes dropped EXE
PID:2652 -
\??\c:\6466040.exec:\6466040.exe60⤵
- Executes dropped EXE
PID:2668 -
\??\c:\0468008.exec:\0468008.exe61⤵
- Executes dropped EXE
PID:1676 -
\??\c:\pvdvv.exec:\pvdvv.exe62⤵
- Executes dropped EXE
PID:1868 -
\??\c:\tthhtt.exec:\tthhtt.exe63⤵
- Executes dropped EXE
PID:1696 -
\??\c:\rfrlrlr.exec:\rfrlrlr.exe64⤵
- Executes dropped EXE
PID:908 -
\??\c:\nhbhhn.exec:\nhbhhn.exe65⤵
- Executes dropped EXE
PID:2628 -
\??\c:\9rrrlfl.exec:\9rrrlfl.exe66⤵PID:2612
-
\??\c:\tnhntb.exec:\tnhntb.exe67⤵PID:1992
-
\??\c:\jvppv.exec:\jvppv.exe68⤵PID:1576
-
\??\c:\nbnhtn.exec:\nbnhtn.exe69⤵PID:1848
-
\??\c:\jvjjp.exec:\jvjjp.exe70⤵PID:988
-
\??\c:\2640840.exec:\2640840.exe71⤵PID:2064
-
\??\c:\048806.exec:\048806.exe72⤵PID:2116
-
\??\c:\nhtnnn.exec:\nhtnnn.exe73⤵PID:2980
-
\??\c:\w02626.exec:\w02626.exe74⤵PID:1588
-
\??\c:\64266.exec:\64266.exe75⤵PID:2892
-
\??\c:\frfrxfr.exec:\frfrxfr.exe76⤵PID:2864
-
\??\c:\rxlfllx.exec:\rxlfllx.exe77⤵PID:2708
-
\??\c:\5ddpv.exec:\5ddpv.exe78⤵
- System Location Discovery: System Language Discovery
PID:2688 -
\??\c:\nbnttb.exec:\nbnttb.exe79⤵PID:2552
-
\??\c:\u644440.exec:\u644440.exe80⤵PID:264
-
\??\c:\246400.exec:\246400.exe81⤵PID:592
-
\??\c:\pjdvd.exec:\pjdvd.exe82⤵PID:1856
-
\??\c:\u602844.exec:\u602844.exe83⤵PID:1652
-
\??\c:\868406.exec:\868406.exe84⤵PID:936
-
\??\c:\tthbnh.exec:\tthbnh.exe85⤵PID:1832
-
\??\c:\nthntn.exec:\nthntn.exe86⤵PID:2004
-
\??\c:\26484.exec:\26484.exe87⤵PID:2092
-
\??\c:\rfrfxrr.exec:\rfrfxrr.exe88⤵PID:1808
-
\??\c:\9fxllrf.exec:\9fxllrf.exe89⤵PID:2304
-
\??\c:\5rrfrxr.exec:\5rrfrxr.exe90⤵PID:2544
-
\??\c:\208800.exec:\208800.exe91⤵PID:2936
-
\??\c:\086660.exec:\086660.exe92⤵PID:2104
-
\??\c:\nhbhtt.exec:\nhbhtt.exe93⤵PID:1956
-
\??\c:\dpvjp.exec:\dpvjp.exe94⤵PID:1044
-
\??\c:\6400602.exec:\6400602.exe95⤵PID:2128
-
\??\c:\3hbttt.exec:\3hbttt.exe96⤵PID:2268
-
\??\c:\482800.exec:\482800.exe97⤵PID:2212
-
\??\c:\6460044.exec:\6460044.exe98⤵PID:2504
-
\??\c:\djdpd.exec:\djdpd.exe99⤵PID:2476
-
\??\c:\thbthh.exec:\thbthh.exe100⤵PID:2056
-
\??\c:\0828040.exec:\0828040.exe101⤵PID:1656
-
\??\c:\64600.exec:\64600.exe102⤵
- System Location Discovery: System Language Discovery
PID:1340 -
\??\c:\vjdvd.exec:\vjdvd.exe103⤵PID:1676
-
\??\c:\24228.exec:\24228.exe104⤵PID:1868
-
\??\c:\vjdvv.exec:\vjdvv.exe105⤵PID:372
-
\??\c:\c488446.exec:\c488446.exe106⤵PID:1036
-
\??\c:\vpjpd.exec:\vpjpd.exe107⤵PID:564
-
\??\c:\9lxrrlx.exec:\9lxrrlx.exe108⤵PID:1692
-
\??\c:\u088444.exec:\u088444.exe109⤵PID:2532
-
\??\c:\8206824.exec:\8206824.exe110⤵PID:2776
-
\??\c:\nnbhnn.exec:\nnbhnn.exe111⤵PID:1056
-
\??\c:\lxllrrf.exec:\lxllrrf.exe112⤵PID:2644
-
\??\c:\dvjjp.exec:\dvjjp.exe113⤵PID:2124
-
\??\c:\20266.exec:\20266.exe114⤵PID:1820
-
\??\c:\6804006.exec:\6804006.exe115⤵PID:2824
-
\??\c:\044066.exec:\044066.exe116⤵PID:3000
-
\??\c:\9flrrrr.exec:\9flrrrr.exe117⤵PID:1580
-
\??\c:\o684666.exec:\o684666.exe118⤵PID:3016
-
\??\c:\5nbbnn.exec:\5nbbnn.exe119⤵
- System Location Discovery: System Language Discovery
PID:2716 -
\??\c:\bthntb.exec:\bthntb.exe120⤵PID:1920
-
\??\c:\64600.exec:\64600.exe121⤵PID:2756
-
\??\c:\nbthbt.exec:\nbthbt.exe122⤵PID:2812