Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
26-12-2024 14:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe
-
Size
453KB
-
MD5
1feb7adf0928fe9be0bdb6cfc3cd56f7
-
SHA1
4dcc4316405af06879fec8f6447773862ab0c276
-
SHA256
215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612
-
SHA512
ad18daa185f67116eac2b4a53754c9921151883de6aff8fc7a59bd3169d85df46b53f1cb830098d2db8dcc081aa67a8bcd32c095ea77b3f34be73d0d50c7521d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload (YARA rule family_blackmoon matched on process memory dumps) 50 IoCs
resource yara_rule behavioral1/memory/3068-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-114-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1804-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1384-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-150-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2972-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-202-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/832-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1792-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-318-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2128-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-523-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2608-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-575-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2516-602-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2756-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-652-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1632-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-684-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/864-699-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1952-708-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2228-792-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1580-807-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2376-863-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2904-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-975-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1540-1070-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/572-1091-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-1117-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2176 04668.exe 2616 086200.exe 2128 vjvvd.exe 2488 68448.exe 2868 jvdjj.exe 2764 o408620.exe 2260 lflrxxx.exe 2904 tthtbb.exe 2860 g6266.exe 2716 086246.exe 1204 rrxrfxf.exe 1624 tthntb.exe 1804 608402.exe 1992 bbhnhh.exe 1384 ttbnnt.exe 2972 ddvdp.exe 1524 pjdjd.exe 2680 vpjjv.exe 620 e00684.exe 2044 hbntnn.exe 448 rrlrflr.exe 832 xrllxrl.exe 948 8648442.exe 2424 lfrxffr.exe 484 44802.exe 1716 8202402.exe 1792 222862.exe 1940 pjvjd.exe 988 1rllxxl.exe 2156 i068046.exe 1000 u606402.exe 2580 3jpjp.exe 1280 3dddp.exe 2020 tnhnnt.exe 2288 hbhhnb.exe 2356 llrlrxr.exe 2916 hhhnth.exe 2128 vjppv.exe 2848 ppddd.exe 2852 hbtbnt.exe 2268 xxxlffl.exe 2772 20228.exe 2668 02000.exe 2928 0862408.exe 2636 bbbnbn.exe 2696 3pjpd.exe 2476 9bbbbt.exe 2384 nhtttn.exe 1036 nbttbb.exe 1640 ffflrxr.exe 1824 608466.exe 2012 0468062.exe 2980 a6402.exe 1988 nhhttb.exe 2972 nthnbh.exe 1524 i608006.exe 2276 dpjdp.exe 2680 rlffrxl.exe 2280 2000884.exe 1136 1djdd.exe 1140 bnhtnb.exe 1064 226468.exe 1820 9bhbtn.exe 3052 vpvvd.exe -
resource yara_rule behavioral1/memory/3068-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2928-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-501-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/896-508-0x00000000002C0000-0x00000000002EA000-memory.dmp upx behavioral1/memory/2532-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-575-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2296-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-709-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/676-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-792-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1580-807-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/684-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-877-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2904-927-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-940-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-972-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-1058-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-1072-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-1091-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-1092-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-1124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-1215-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u868842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4240088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4688044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222862.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3068 wrote to memory of 2176 3068 215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe 31 PID 3068 wrote to memory of 2176 3068 215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe 31 PID 3068 wrote to memory of 2176 3068 215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe 31 PID 3068 wrote to memory of 2176 3068 215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe 31 PID 2176 wrote to memory of 2616 2176 04668.exe 32 PID 2176 wrote to memory of 2616 2176 04668.exe 32 PID 2176 wrote to memory of 2616 2176 04668.exe 32 PID 2176 wrote to memory of 2616 2176 04668.exe 32 PID 2616 wrote to memory of 2128 2616 086200.exe 33 PID 2616 wrote to memory of 2128 2616 086200.exe 33 PID 2616 wrote to memory of 2128 2616 086200.exe 33 PID 2616 wrote to memory of 2128 2616 086200.exe 33 PID 2128 wrote to memory of 2488 2128 vjvvd.exe 34 PID 2128 wrote to memory of 2488 2128 vjvvd.exe 34 PID 2128 wrote to memory of 2488 2128 vjvvd.exe 34 PID 2128 wrote to memory of 2488 2128 vjvvd.exe 34 PID 2488 wrote to memory of 2868 2488 68448.exe 35 PID 2488 wrote to memory of 2868 2488 68448.exe 35 PID 2488 wrote to memory of 2868 2488 68448.exe 35 PID 2488 wrote to memory of 2868 2488 68448.exe 35 PID 2868 wrote to memory of 2764 2868 jvdjj.exe 36 PID 2868 wrote to memory of 2764 2868 jvdjj.exe 36 PID 2868 wrote to memory of 2764 2868 jvdjj.exe 36 PID 2868 wrote to memory of 2764 2868 jvdjj.exe 36 PID 2764 wrote to memory of 2260 2764 o408620.exe 37 PID 2764 wrote to memory of 2260 2764 o408620.exe 37 PID 2764 wrote to memory of 2260 2764 o408620.exe 37 PID 2764 wrote to memory of 2260 2764 o408620.exe 37 PID 2260 wrote to memory of 2904 2260 lflrxxx.exe 38 PID 2260 wrote to memory of 2904 2260 lflrxxx.exe 38 PID 2260 wrote to memory of 2904 2260 lflrxxx.exe 38 PID 2260 wrote to memory of 2904 2260 lflrxxx.exe 38 PID 2904 wrote to memory of 2860 2904 tthtbb.exe 39 PID 2904 wrote to 
memory of 2860 2904 tthtbb.exe 39 PID 2904 wrote to memory of 2860 2904 tthtbb.exe 39 PID 2904 wrote to memory of 2860 2904 tthtbb.exe 39 PID 2860 wrote to memory of 2716 2860 g6266.exe 40 PID 2860 wrote to memory of 2716 2860 g6266.exe 40 PID 2860 wrote to memory of 2716 2860 g6266.exe 40 PID 2860 wrote to memory of 2716 2860 g6266.exe 40 PID 2716 wrote to memory of 1204 2716 086246.exe 41 PID 2716 wrote to memory of 1204 2716 086246.exe 41 PID 2716 wrote to memory of 1204 2716 086246.exe 41 PID 2716 wrote to memory of 1204 2716 086246.exe 41 PID 1204 wrote to memory of 1624 1204 rrxrfxf.exe 42 PID 1204 wrote to memory of 1624 1204 rrxrfxf.exe 42 PID 1204 wrote to memory of 1624 1204 rrxrfxf.exe 42 PID 1204 wrote to memory of 1624 1204 rrxrfxf.exe 42 PID 1624 wrote to memory of 1804 1624 tthntb.exe 43 PID 1624 wrote to memory of 1804 1624 tthntb.exe 43 PID 1624 wrote to memory of 1804 1624 tthntb.exe 43 PID 1624 wrote to memory of 1804 1624 tthntb.exe 43 PID 1804 wrote to memory of 1992 1804 608402.exe 44 PID 1804 wrote to memory of 1992 1804 608402.exe 44 PID 1804 wrote to memory of 1992 1804 608402.exe 44 PID 1804 wrote to memory of 1992 1804 608402.exe 44 PID 1992 wrote to memory of 1384 1992 bbhnhh.exe 45 PID 1992 wrote to memory of 1384 1992 bbhnhh.exe 45 PID 1992 wrote to memory of 1384 1992 bbhnhh.exe 45 PID 1992 wrote to memory of 1384 1992 bbhnhh.exe 45 PID 1384 wrote to memory of 2972 1384 ttbnnt.exe 46 PID 1384 wrote to memory of 2972 1384 ttbnnt.exe 46 PID 1384 wrote to memory of 2972 1384 ttbnnt.exe 46 PID 1384 wrote to memory of 2972 1384 ttbnnt.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe"C:\Users\Admin\AppData\Local\Temp\215888dd3dc74d59afe9e16844c57306fa41e7bd0fe3f8b1f8a8231932901612.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\04668.exec:\04668.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\086200.exec:\086200.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\vjvvd.exec:\vjvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\68448.exec:\68448.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\jvdjj.exec:\jvdjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\o408620.exec:\o408620.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\lflrxxx.exec:\lflrxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\tthtbb.exec:\tthtbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\g6266.exec:\g6266.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\086246.exec:\086246.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\rrxrfxf.exec:\rrxrfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\tthntb.exec:\tthntb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\608402.exec:\608402.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\bbhnhh.exec:\bbhnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\ttbnnt.exec:\ttbnnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\ddvdp.exec:\ddvdp.exe17⤵
- Executes dropped EXE
PID:2972 -
\??\c:\pjdjd.exec:\pjdjd.exe18⤵
- Executes dropped EXE
PID:1524 -
\??\c:\vpjjv.exec:\vpjjv.exe19⤵
- Executes dropped EXE
PID:2680 -
\??\c:\e00684.exec:\e00684.exe20⤵
- Executes dropped EXE
PID:620 -
\??\c:\hbntnn.exec:\hbntnn.exe21⤵
- Executes dropped EXE
PID:2044 -
\??\c:\rrlrflr.exec:\rrlrflr.exe22⤵
- Executes dropped EXE
PID:448 -
\??\c:\xrllxrl.exec:\xrllxrl.exe23⤵
- Executes dropped EXE
PID:832 -
\??\c:\8648442.exec:\8648442.exe24⤵
- Executes dropped EXE
PID:948 -
\??\c:\lfrxffr.exec:\lfrxffr.exe25⤵
- Executes dropped EXE
PID:2424 -
\??\c:\44802.exec:\44802.exe26⤵
- Executes dropped EXE
PID:484 -
\??\c:\8202402.exec:\8202402.exe27⤵
- Executes dropped EXE
PID:1716 -
\??\c:\222862.exec:\222862.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1792 -
\??\c:\pjvjd.exec:\pjvjd.exe29⤵
- Executes dropped EXE
PID:1940 -
\??\c:\1rllxxl.exec:\1rllxxl.exe30⤵
- Executes dropped EXE
PID:988 -
\??\c:\i068046.exec:\i068046.exe31⤵
- Executes dropped EXE
PID:2156 -
\??\c:\u606402.exec:\u606402.exe32⤵
- Executes dropped EXE
PID:1000 -
\??\c:\3jpjp.exec:\3jpjp.exe33⤵
- Executes dropped EXE
PID:2580 -
\??\c:\3dddp.exec:\3dddp.exe34⤵
- Executes dropped EXE
PID:1280 -
\??\c:\tnhnnt.exec:\tnhnnt.exe35⤵
- Executes dropped EXE
PID:2020 -
\??\c:\hbhhnb.exec:\hbhhnb.exe36⤵
- Executes dropped EXE
PID:2288 -
\??\c:\llrlrxr.exec:\llrlrxr.exe37⤵
- Executes dropped EXE
PID:2356 -
\??\c:\hhhnth.exec:\hhhnth.exe38⤵
- Executes dropped EXE
PID:2916 -
\??\c:\vjppv.exec:\vjppv.exe39⤵
- Executes dropped EXE
PID:2128 -
\??\c:\ppddd.exec:\ppddd.exe40⤵
- Executes dropped EXE
PID:2848 -
\??\c:\hbtbnt.exec:\hbtbnt.exe41⤵
- Executes dropped EXE
PID:2852 -
\??\c:\xxxlffl.exec:\xxxlffl.exe42⤵
- Executes dropped EXE
PID:2268 -
\??\c:\20228.exec:\20228.exe43⤵
- Executes dropped EXE
PID:2772 -
\??\c:\02000.exec:\02000.exe44⤵
- Executes dropped EXE
PID:2668 -
\??\c:\0862408.exec:\0862408.exe45⤵
- Executes dropped EXE
PID:2928 -
\??\c:\bbbnbn.exec:\bbbnbn.exe46⤵
- Executes dropped EXE
PID:2636 -
\??\c:\3pjpd.exec:\3pjpd.exe47⤵
- Executes dropped EXE
PID:2696 -
\??\c:\9bbbbt.exec:\9bbbbt.exe48⤵
- Executes dropped EXE
PID:2476 -
\??\c:\nhtttn.exec:\nhtttn.exe49⤵
- Executes dropped EXE
PID:2384 -
\??\c:\nbttbb.exec:\nbttbb.exe50⤵
- Executes dropped EXE
PID:1036 -
\??\c:\ffflrxr.exec:\ffflrxr.exe51⤵
- Executes dropped EXE
PID:1640 -
\??\c:\608466.exec:\608466.exe52⤵
- Executes dropped EXE
PID:1824 -
\??\c:\0468062.exec:\0468062.exe53⤵
- Executes dropped EXE
PID:2012 -
\??\c:\a6402.exec:\a6402.exe54⤵
- Executes dropped EXE
PID:2980 -
\??\c:\nhhttb.exec:\nhhttb.exe55⤵
- Executes dropped EXE
PID:1988 -
\??\c:\nthnbh.exec:\nthnbh.exe56⤵
- Executes dropped EXE
PID:2972 -
\??\c:\i608006.exec:\i608006.exe57⤵
- Executes dropped EXE
PID:1524 -
\??\c:\dpjdp.exec:\dpjdp.exe58⤵
- Executes dropped EXE
PID:2276 -
\??\c:\rlffrxl.exec:\rlffrxl.exe59⤵
- Executes dropped EXE
PID:2680 -
\??\c:\2000884.exec:\2000884.exe60⤵
- Executes dropped EXE
PID:2280 -
\??\c:\1djdd.exec:\1djdd.exe61⤵
- Executes dropped EXE
PID:1136 -
\??\c:\bnhtnb.exec:\bnhtnb.exe62⤵
- Executes dropped EXE
PID:1140 -
\??\c:\226468.exec:\226468.exe63⤵
- Executes dropped EXE
PID:1064 -
\??\c:\9bhbtn.exec:\9bhbtn.exe64⤵
- Executes dropped EXE
PID:1820 -
\??\c:\vpvvd.exec:\vpvvd.exe65⤵
- Executes dropped EXE
PID:3052 -
\??\c:\022626.exec:\022626.exe66⤵PID:896
-
\??\c:\lfllrlx.exec:\lfllrlx.exe67⤵PID:2532
-
\??\c:\k04460.exec:\k04460.exe68⤵PID:1656
-
\??\c:\640060.exec:\640060.exe69⤵PID:880
-
\??\c:\7rlflfl.exec:\7rlflfl.exe70⤵PID:1812
-
\??\c:\i088480.exec:\i088480.exe71⤵PID:2608
-
\??\c:\vvjdd.exec:\vvjdd.exe72⤵PID:988
-
\??\c:\btbtbb.exec:\btbtbb.exe73⤵PID:1152
-
\??\c:\i806262.exec:\i806262.exe74⤵PID:2468
-
\??\c:\080060.exec:\080060.exe75⤵PID:2200
-
\??\c:\pdjjp.exec:\pdjjp.exe76⤵PID:1948
-
\??\c:\rfllrfl.exec:\rfllrfl.exe77⤵PID:1604
-
\??\c:\828660.exec:\828660.exe78⤵PID:2296
-
\??\c:\rflllff.exec:\rflllff.exe79⤵PID:2616
-
\??\c:\828400.exec:\828400.exe80⤵PID:2516
-
\??\c:\xlfflfr.exec:\xlfflfr.exe81⤵PID:2784
-
\??\c:\646248.exec:\646248.exe82⤵PID:2888
-
\??\c:\frxrrlr.exec:\frxrrlr.exe83⤵PID:2648
-
\??\c:\nhnnnh.exec:\nhnnnh.exe84⤵PID:2852
-
\??\c:\hthhnn.exec:\hthhnn.exe85⤵PID:2756
-
\??\c:\022666.exec:\022666.exe86⤵PID:2804
-
\??\c:\htnnnh.exec:\htnnnh.exe87⤵PID:2492
-
\??\c:\86822.exec:\86822.exe88⤵PID:2712
-
\??\c:\6404666.exec:\6404666.exe89⤵PID:704
-
\??\c:\tthtbh.exec:\tthtbh.exe90⤵PID:2716
-
\??\c:\2066600.exec:\2066600.exe91⤵PID:1632
-
\??\c:\a0846.exec:\a0846.exe92⤵PID:1624
-
\??\c:\c462884.exec:\c462884.exe93⤵PID:2628
-
\??\c:\flfrrlf.exec:\flfrrlf.exe94⤵PID:1880
-
\??\c:\ffrxffr.exec:\ffrxffr.exe95⤵PID:864
-
\??\c:\0806288.exec:\0806288.exe96⤵PID:1952
-
\??\c:\bnbbnn.exec:\bnbbnn.exe97⤵PID:2132
-
\??\c:\1lfxxxx.exec:\1lfxxxx.exe98⤵PID:2972
-
\??\c:\xxrfrrf.exec:\xxrfrrf.exe99⤵PID:3000
-
\??\c:\c024488.exec:\c024488.exe100⤵PID:2276
-
\??\c:\nbbhhn.exec:\nbbhhn.exe101⤵PID:1892
-
\??\c:\ddvpv.exec:\ddvpv.exe102⤵PID:2148
-
\??\c:\hbthtb.exec:\hbthtb.exe103⤵PID:2456
-
\??\c:\820066.exec:\820066.exe104⤵PID:1248
-
\??\c:\m4488.exec:\m4488.exe105⤵PID:760
-
\??\c:\6602428.exec:\6602428.exe106⤵PID:1684
-
\??\c:\202240.exec:\202240.exe107⤵PID:1308
-
\??\c:\vvjdp.exec:\vvjdp.exe108⤵PID:676
-
\??\c:\08000.exec:\08000.exe109⤵PID:2228
-
\??\c:\2682880.exec:\2682880.exe110⤵PID:1536
-
\??\c:\2606802.exec:\2606802.exe111⤵PID:1656
-
\??\c:\68622.exec:\68622.exe112⤵PID:1580
-
\??\c:\20284.exec:\20284.exe113⤵PID:1812
-
\??\c:\20228.exec:\20228.exe114⤵PID:2608
-
\??\c:\4648228.exec:\4648228.exe115⤵PID:2156
-
\??\c:\26468.exec:\26468.exe116⤵PID:1760
-
\??\c:\8206224.exec:\8206224.exe117⤵PID:2468
-
\??\c:\rllflll.exec:\rllflll.exe118⤵PID:684
-
\??\c:\868422.exec:\868422.exe119⤵PID:1708
-
\??\c:\242628.exec:\242628.exe120⤵PID:2376
-
\??\c:\xlxrrrx.exec:\xlxrrrx.exe121⤵PID:1440
-
\??\c:\86844.exec:\86844.exe122⤵PID:2616