Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 18:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe
-
Size
456KB
-
MD5
797ccb05a37c20b190b39708b77b904b
-
SHA1
c94e55e875df32b7f3a82e3668fb8967cecba7ad
-
SHA256
e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46
-
SHA512
2e14e14dfc1674080f9cdbfe8b5cd2f96801e0598d1fd34d26486d1bd808ad4317559c8cf991e5cbb93a69e90f0e341b0123e25eb04ee431a86486b44512fa21
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRT:q7Tc2NYHUrAwfMp3CDRT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2320-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/108-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1860-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-99-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2924-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-704-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2412-856-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/340-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1500-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1176-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1116-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/752-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-90-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2912-1000-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/768-1088-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2268-1095-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2268-1096-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1664-1103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-1141-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/892-1323-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1964 dddjp.exe 2284 5vpdv.exe 108 u480280.exe 2292 hbnthh.exe 2064 046462.exe 2868 pjjpd.exe 1860 xxrrrlx.exe 2336 642424.exe 2728 xfxflxx.exe 2732 080266.exe 2584 648082.exe 2924 btbhnh.exe 2748 jddpd.exe 2596 e64404.exe 2860 60280.exe 1952 86406.exe 316 a6480.exe 752 22068.exe 1820 668422.exe 2780 9ppvj.exe 2996 264680.exe 2184 208862.exe 2784 868860.exe 1592 3thnbn.exe 976 08080.exe 1116 m0842.exe 1780 s0068.exe 2212 04848.exe 1300 866200.exe 2104 3pppv.exe 1368 pvpvj.exe 2396 648462.exe 2240 20284.exe 3060 hhbhnn.exe 1688 dvjvj.exe 328 04686.exe 1996 rfxfrfx.exe 1176 ttnthn.exe 2272 jddvd.exe 1304 xxrfrrf.exe 3012 vjjvp.exe 540 080404.exe 2836 dvjpv.exe 2404 m4280.exe 2136 88284.exe 2696 486244.exe 2584 08606.exe 2768 lfxrffx.exe 3036 vvpvp.exe 2748 5frxffr.exe 2216 u862840.exe 1028 bnnttt.exe 2572 rrxfxfr.exe 2588 2608402.exe 844 448422.exe 780 26008.exe 2644 7hbbnt.exe 2948 82024.exe 1820 082804.exe 2892 42680.exe 2020 djdjv.exe 2184 5rfflll.exe 1500 jdjvj.exe 2504 642462.exe -
resource yara_rule behavioral1/memory/2320-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-856-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-907-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-748-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2812-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1176-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-1013-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-1032-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-1046-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-1054-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-1061-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-1076-0x0000000000330000-0x000000000035A000-memory.dmp upx 
behavioral1/memory/1664-1103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-1190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-1216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-1298-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8606624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86880.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2320 wrote to memory of 1964 2320 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 146 PID 2320 wrote to memory of 1964 2320 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 146 PID 2320 wrote to memory of 1964 2320 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 146 PID 2320 wrote to memory of 1964 2320 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 146 PID 1964 wrote to memory of 2284 1964 dddjp.exe 29 PID 1964 wrote to memory of 2284 1964 dddjp.exe 29 PID 1964 wrote to memory of 2284 1964 dddjp.exe 29 PID 1964 wrote to memory of 2284 1964 dddjp.exe 29 PID 2284 wrote to memory of 108 2284 5vpdv.exe 30 PID 2284 wrote to memory of 108 2284 5vpdv.exe 30 PID 2284 wrote to memory of 108 2284 5vpdv.exe 30 PID 2284 wrote to memory of 108 2284 5vpdv.exe 30 PID 108 wrote to memory of 2292 108 u480280.exe 31 PID 108 wrote to memory of 2292 108 u480280.exe 31 PID 108 wrote to memory of 2292 108 u480280.exe 31 PID 108 wrote to memory of 2292 108 u480280.exe 31 PID 2292 wrote to memory of 2064 2292 hbnthh.exe 32 PID 2292 wrote to memory of 2064 2292 hbnthh.exe 32 PID 2292 wrote to memory of 2064 2292 hbnthh.exe 32 PID 2292 wrote to memory of 2064 2292 hbnthh.exe 32 PID 2064 wrote to memory of 2868 2064 046462.exe 33 PID 2064 wrote to memory of 2868 2064 046462.exe 33 PID 2064 wrote to memory of 2868 2064 046462.exe 33 PID 2064 wrote to memory of 2868 2064 046462.exe 33 PID 2868 wrote to memory of 1860 2868 pjjpd.exe 34 PID 2868 wrote to memory of 1860 2868 pjjpd.exe 34 PID 2868 wrote to memory of 1860 2868 pjjpd.exe 34 PID 2868 wrote to memory of 1860 2868 pjjpd.exe 34 PID 1860 wrote to memory of 2336 1860 xxrrrlx.exe 35 PID 1860 wrote to memory of 2336 1860 xxrrrlx.exe 35 PID 1860 wrote to memory of 2336 1860 xxrrrlx.exe 35 PID 1860 wrote to memory of 2336 1860 xxrrrlx.exe 35 PID 2336 wrote to memory of 2728 2336 642424.exe 36 PID 2336 wrote to memory 
of 2728 2336 642424.exe 36 PID 2336 wrote to memory of 2728 2336 642424.exe 36 PID 2336 wrote to memory of 2728 2336 642424.exe 36 PID 2728 wrote to memory of 2732 2728 xfxflxx.exe 37 PID 2728 wrote to memory of 2732 2728 xfxflxx.exe 37 PID 2728 wrote to memory of 2732 2728 xfxflxx.exe 37 PID 2728 wrote to memory of 2732 2728 xfxflxx.exe 37 PID 2732 wrote to memory of 2584 2732 080266.exe 38 PID 2732 wrote to memory of 2584 2732 080266.exe 38 PID 2732 wrote to memory of 2584 2732 080266.exe 38 PID 2732 wrote to memory of 2584 2732 080266.exe 38 PID 2584 wrote to memory of 2924 2584 648082.exe 39 PID 2584 wrote to memory of 2924 2584 648082.exe 39 PID 2584 wrote to memory of 2924 2584 648082.exe 39 PID 2584 wrote to memory of 2924 2584 648082.exe 39 PID 2924 wrote to memory of 2748 2924 btbhnh.exe 40 PID 2924 wrote to memory of 2748 2924 btbhnh.exe 40 PID 2924 wrote to memory of 2748 2924 btbhnh.exe 40 PID 2924 wrote to memory of 2748 2924 btbhnh.exe 40 PID 2748 wrote to memory of 2596 2748 jddpd.exe 41 PID 2748 wrote to memory of 2596 2748 jddpd.exe 41 PID 2748 wrote to memory of 2596 2748 jddpd.exe 41 PID 2748 wrote to memory of 2596 2748 jddpd.exe 41 PID 2596 wrote to memory of 2860 2596 e64404.exe 167 PID 2596 wrote to memory of 2860 2596 e64404.exe 167 PID 2596 wrote to memory of 2860 2596 e64404.exe 167 PID 2596 wrote to memory of 2860 2596 e64404.exe 167 PID 2860 wrote to memory of 1952 2860 60280.exe 44 PID 2860 wrote to memory of 1952 2860 60280.exe 44 PID 2860 wrote to memory of 1952 2860 60280.exe 44 PID 2860 wrote to memory of 1952 2860 60280.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe"C:\Users\Admin\AppData\Local\Temp\e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\dddjp.exec:\dddjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\5vpdv.exec:\5vpdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\u480280.exec:\u480280.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:108 -
\??\c:\hbnthh.exec:\hbnthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\046462.exec:\046462.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\pjjpd.exec:\pjjpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\xxrrrlx.exec:\xxrrrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\642424.exec:\642424.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\xfxflxx.exec:\xfxflxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\080266.exec:\080266.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\648082.exec:\648082.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\btbhnh.exec:\btbhnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\jddpd.exec:\jddpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\e64404.exec:\e64404.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\60280.exec:\60280.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\86406.exec:\86406.exe17⤵
- Executes dropped EXE
PID:1952 -
\??\c:\a6480.exec:\a6480.exe18⤵
- Executes dropped EXE
PID:316 -
\??\c:\22068.exec:\22068.exe19⤵
- Executes dropped EXE
PID:752 -
\??\c:\668422.exec:\668422.exe20⤵
- Executes dropped EXE
PID:1820 -
\??\c:\9ppvj.exec:\9ppvj.exe21⤵
- Executes dropped EXE
PID:2780 -
\??\c:\264680.exec:\264680.exe22⤵
- Executes dropped EXE
PID:2996 -
\??\c:\208862.exec:\208862.exe23⤵
- Executes dropped EXE
PID:2184 -
\??\c:\868860.exec:\868860.exe24⤵
- Executes dropped EXE
PID:2784 -
\??\c:\3thnbn.exec:\3thnbn.exe25⤵
- Executes dropped EXE
PID:1592 -
\??\c:\08080.exec:\08080.exe26⤵
- Executes dropped EXE
PID:976 -
\??\c:\m0842.exec:\m0842.exe27⤵
- Executes dropped EXE
PID:1116 -
\??\c:\s0068.exec:\s0068.exe28⤵
- Executes dropped EXE
PID:1780 -
\??\c:\04848.exec:\04848.exe29⤵
- Executes dropped EXE
PID:2212 -
\??\c:\866200.exec:\866200.exe30⤵
- Executes dropped EXE
PID:1300 -
\??\c:\3pppv.exec:\3pppv.exe31⤵
- Executes dropped EXE
PID:2104 -
\??\c:\pvpvj.exec:\pvpvj.exe32⤵
- Executes dropped EXE
PID:1368 -
\??\c:\648462.exec:\648462.exe33⤵
- Executes dropped EXE
PID:2396 -
\??\c:\20284.exec:\20284.exe34⤵
- Executes dropped EXE
PID:2240 -
\??\c:\hhbhnn.exec:\hhbhnn.exe35⤵
- Executes dropped EXE
PID:3060 -
\??\c:\dvjvj.exec:\dvjvj.exe36⤵
- Executes dropped EXE
PID:1688 -
\??\c:\04686.exec:\04686.exe37⤵
- Executes dropped EXE
PID:328 -
\??\c:\rfxfrfx.exec:\rfxfrfx.exe38⤵
- Executes dropped EXE
PID:1996 -
\??\c:\ttnthn.exec:\ttnthn.exe39⤵
- Executes dropped EXE
PID:1176 -
\??\c:\jddvd.exec:\jddvd.exe40⤵
- Executes dropped EXE
PID:2272 -
\??\c:\xxrfrrf.exec:\xxrfrrf.exe41⤵
- Executes dropped EXE
PID:1304 -
\??\c:\vjjvp.exec:\vjjvp.exe42⤵
- Executes dropped EXE
PID:3012 -
\??\c:\080404.exec:\080404.exe43⤵
- Executes dropped EXE
PID:540 -
\??\c:\dvjpv.exec:\dvjpv.exe44⤵
- Executes dropped EXE
PID:2836 -
\??\c:\m4280.exec:\m4280.exe45⤵
- Executes dropped EXE
PID:2404 -
\??\c:\88284.exec:\88284.exe46⤵
- Executes dropped EXE
PID:2136 -
\??\c:\486244.exec:\486244.exe47⤵
- Executes dropped EXE
PID:2696 -
\??\c:\08606.exec:\08606.exe48⤵
- Executes dropped EXE
PID:2584 -
\??\c:\lfxrffx.exec:\lfxrffx.exe49⤵
- Executes dropped EXE
PID:2768 -
\??\c:\vvpvp.exec:\vvpvp.exe50⤵
- Executes dropped EXE
PID:3036 -
\??\c:\5frxffr.exec:\5frxffr.exe51⤵
- Executes dropped EXE
PID:2748 -
\??\c:\u862840.exec:\u862840.exe52⤵
- Executes dropped EXE
PID:2216 -
\??\c:\bnnttt.exec:\bnnttt.exe53⤵
- Executes dropped EXE
PID:1028 -
\??\c:\rrxfxfr.exec:\rrxfxfr.exe54⤵
- Executes dropped EXE
PID:2572 -
\??\c:\2608402.exec:\2608402.exe55⤵
- Executes dropped EXE
PID:2588 -
\??\c:\448422.exec:\448422.exe56⤵
- Executes dropped EXE
PID:844 -
\??\c:\26008.exec:\26008.exe57⤵
- Executes dropped EXE
PID:780 -
\??\c:\7hbbnt.exec:\7hbbnt.exe58⤵
- Executes dropped EXE
PID:2644 -
\??\c:\82024.exec:\82024.exe59⤵
- Executes dropped EXE
PID:2948 -
\??\c:\082804.exec:\082804.exe60⤵
- Executes dropped EXE
PID:1820 -
\??\c:\42680.exec:\42680.exe61⤵
- Executes dropped EXE
PID:2892 -
\??\c:\djdjv.exec:\djdjv.exe62⤵
- Executes dropped EXE
PID:2020 -
\??\c:\5rfflll.exec:\5rfflll.exe63⤵
- Executes dropped EXE
PID:2184 -
\??\c:\jdjvj.exec:\jdjvj.exe64⤵
- Executes dropped EXE
PID:1500 -
\??\c:\642462.exec:\642462.exe65⤵
- Executes dropped EXE
PID:2504 -
\??\c:\9vjjd.exec:\9vjjd.exe66⤵PID:1944
-
\??\c:\4862008.exec:\4862008.exe67⤵PID:1516
-
\??\c:\xlrxflr.exec:\xlrxflr.exe68⤵PID:2204
-
\??\c:\lfrrxfl.exec:\lfrrxfl.exe69⤵PID:468
-
\??\c:\k48806.exec:\k48806.exe70⤵PID:1100
-
\??\c:\2084602.exec:\2084602.exe71⤵PID:1468
-
\??\c:\lfllrrx.exec:\lfllrrx.exe72⤵PID:1348
-
\??\c:\8640628.exec:\8640628.exe73⤵PID:2192
-
\??\c:\s8842.exec:\s8842.exe74⤵PID:940
-
\??\c:\7djdj.exec:\7djdj.exe75⤵PID:672
-
\??\c:\48884.exec:\48884.exe76⤵PID:1496
-
\??\c:\thnhhb.exec:\thnhhb.exe77⤵PID:3060
-
\??\c:\064688.exec:\064688.exe78⤵PID:1688
-
\??\c:\rfflxlf.exec:\rfflxlf.exe79⤵PID:1596
-
\??\c:\ffrxrfl.exec:\ffrxrfl.exe80⤵PID:2280
-
\??\c:\26402.exec:\26402.exe81⤵PID:1744
-
\??\c:\bntbhh.exec:\bntbhh.exe82⤵PID:572
-
\??\c:\0802044.exec:\0802044.exe83⤵PID:2660
-
\??\c:\48286.exec:\48286.exe84⤵PID:2408
-
\??\c:\5fxxlrf.exec:\5fxxlrf.exe85⤵PID:3012
-
\??\c:\48246.exec:\48246.exe86⤵PID:2336
-
\??\c:\rfxxffl.exec:\rfxxffl.exe87⤵PID:2824
-
\??\c:\rxxxrrf.exec:\rxxxrrf.exe88⤵PID:2812
-
\??\c:\i262442.exec:\i262442.exe89⤵PID:2460
-
\??\c:\3lrrffr.exec:\3lrrffr.exe90⤵PID:1644
-
\??\c:\8684224.exec:\8684224.exe91⤵PID:2500
-
\??\c:\3jvdj.exec:\3jvdj.exe92⤵PID:2856
-
\??\c:\42066.exec:\42066.exe93⤵PID:2244
-
\??\c:\086284.exec:\086284.exe94⤵PID:3036
-
\??\c:\264466.exec:\264466.exe95⤵PID:2072
-
\??\c:\jdddp.exec:\jdddp.exe96⤵PID:2216
-
\??\c:\1vjpd.exec:\1vjpd.exe97⤵PID:2196
-
\??\c:\w26684.exec:\w26684.exe98⤵PID:1700
-
\??\c:\rxrrxfx.exec:\rxrrxfx.exe99⤵PID:1788
-
\??\c:\820442.exec:\820442.exe100⤵PID:2580
-
\??\c:\486266.exec:\486266.exe101⤵PID:2776
-
\??\c:\pddjv.exec:\pddjv.exe102⤵PID:2884
-
\??\c:\lrlrfrl.exec:\lrlrfrl.exe103⤵PID:2960
-
\??\c:\llflrrf.exec:\llflrrf.exe104⤵
- System Location Discovery: System Language Discovery
PID:2896 -
\??\c:\7thhhh.exec:\7thhhh.exe105⤵PID:408
-
\??\c:\m4280.exec:\m4280.exe106⤵PID:340
-
\??\c:\8688440.exec:\8688440.exe107⤵PID:448
-
\??\c:\862460.exec:\862460.exe108⤵PID:2184
-
\??\c:\86482.exec:\86482.exe109⤵PID:3000
-
\??\c:\608884.exec:\608884.exe110⤵PID:612
-
\??\c:\xrfrxrx.exec:\xrfrxrx.exe111⤵PID:1372
-
\??\c:\6406662.exec:\6406662.exe112⤵PID:832
-
\??\c:\fxxxrrx.exec:\fxxxrrx.exe113⤵PID:2516
-
\??\c:\8284046.exec:\8284046.exe114⤵PID:3044
-
\??\c:\nbbbbt.exec:\nbbbbt.exe115⤵PID:1736
-
\??\c:\w24060.exec:\w24060.exe116⤵PID:2940
-
\??\c:\nhnttb.exec:\nhnttb.exe117⤵PID:2452
-
\??\c:\s2408.exec:\s2408.exe118⤵PID:1964
-
\??\c:\7jjjv.exec:\7jjjv.exe119⤵PID:692
-
\??\c:\bhhnnn.exec:\bhhnnn.exe120⤵PID:672
-
\??\c:\9flllrx.exec:\9flllrx.exe121⤵PID:1496
-
\??\c:\1htbbb.exec:\1htbbb.exe122⤵PID:3060