Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 18:48
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe
-
Size
454KB
-
MD5
e3a4dbcf27d4b64e126d834c63a21c62
-
SHA1
1ac94a8574337a2cc636ef31111370b04c1aa079
-
SHA256
949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7
-
SHA512
09d947e82a84631ebef6a25203eede57834941c86021bef933f47e448827eb8356bf9cbeedf99ab7818cdc89469f891c46540ead23bc44c9744971b9064ff4be
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 42 IoCs (yara rule `family_blackmoon`). Every hit is a process memory dump, and most cover the same 0x0000000000400000–0x000000000042A000 image range in a different PID, which is consistent with each dropped executable in the chain below being another copy of the same payload rather than a distinct stage.
resource yara_rule behavioral1/memory/2224-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/600-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-109-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1248-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/528-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1132-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1596-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-374-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2856-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-405-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2700-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1376-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-505-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/880-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-672-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-859-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2656-898-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2756-912-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs. Each child is written to the root of `c:\` under a short, random-looking name and is launched by its immediate predecessor, so the process tree below is a single long chain rather than a fan-out; the 64 entries are the sandbox's reporting cap, not necessarily the full count (see the later PIDs in the process tree).
pid Process 2384 086282.exe 2916 822248.exe 2768 i462484.exe 2344 5nbnnh.exe 2352 vpdjj.exe 2628 rfxllff.exe 1956 i404644.exe 2476 frfrxxf.exe 2248 q80022.exe 600 nnnntb.exe 2900 424426.exe 1248 m2462.exe 528 1djjj.exe 2604 428462.exe 1904 480000.exe 2152 q24622.exe 2308 flxlrff.exe 1776 420028.exe 840 pvjjp.exe 1132 42402.exe 1636 3pdvd.exe 1608 5flllll.exe 916 g6846.exe 2236 8062000.exe 340 42068.exe 2036 tbntth.exe 2516 s6888.exe 2508 pdjjp.exe 2240 3nttnn.exe 1496 02624.exe 884 jjpdj.exe 324 0842488.exe 1596 xfflrxl.exe 2792 08062.exe 2840 thbbhh.exe 2976 88068.exe 2156 s2620.exe 2720 080688.exe 2800 5rffffl.exe 2632 7nbhbb.exe 2664 fxlrxxf.exe 2948 ttnbnt.exe 2464 0844006.exe 2068 lfrxffl.exe 1732 g6040.exe 2856 4822040.exe 2876 2200842.exe 640 3thhnn.exe 2700 k08444.exe 3036 4684444.exe 2284 86406.exe 1152 pvjjp.exe 900 48684.exe 1976 3pdjp.exe 2208 i028444.exe 2064 2062888.exe 2400 5hhtth.exe 960 c604044.exe 2924 jvjjv.exe 1148 2868440.exe 1376 024460.exe 1048 8626606.exe 548 0244440.exe 776 vjvvj.exe -
UPX packed file (yara rule `upx`, matched on the same process memory dumps as the Blackmoon rule; the packer hits and the family hits share the 0x400000–0x42A000 range, so the dump is the unpacked in-memory image of a UPX-packed binary)
resource yara_rule behavioral1/memory/2224-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/528-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-264-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2240-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-483-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1376-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-716-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2216-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-838-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-844-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat for triage: opening `HKLM\SYSTEM\ControlSet001\Control\NLS\Language` is also a side effect of ordinary locale-aware Windows API calls, so this hit alone is weak evidence of deliberate geofencing. Many entries below are attributed to "Process not Found", which appears to mean the reading process had already exited by the time the sandbox resolved the event to an image name; the named processes (e.g. `nnnntb.exe`, `jjpdj.exe`, `6684280.exe`) are all members of the dropped-EXE chain shown in the process tree.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6406884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i660062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4866442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o088822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c648822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6608888.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6684280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q26022.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. Every listed write is from a parent to the child it has just spawned (each parent→child pair appears four times), and no writes into pre-existing or system processes are recorded, so this pattern is consistent with the parent populating its newly created child rather than with injection into unrelated processes; treat it as supporting the chain structure, not as evidence of a separate injection capability.
description pid Process procid_target PID 2224 wrote to memory of 2384 2224 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe 31 PID 2224 wrote to memory of 2384 2224 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe 31 PID 2224 wrote to memory of 2384 2224 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe 31 PID 2224 wrote to memory of 2384 2224 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe 31 PID 2384 wrote to memory of 2916 2384 086282.exe 32 PID 2384 wrote to memory of 2916 2384 086282.exe 32 PID 2384 wrote to memory of 2916 2384 086282.exe 32 PID 2384 wrote to memory of 2916 2384 086282.exe 32 PID 2916 wrote to memory of 2768 2916 822248.exe 33 PID 2916 wrote to memory of 2768 2916 822248.exe 33 PID 2916 wrote to memory of 2768 2916 822248.exe 33 PID 2916 wrote to memory of 2768 2916 822248.exe 33 PID 2768 wrote to memory of 2344 2768 i462484.exe 34 PID 2768 wrote to memory of 2344 2768 i462484.exe 34 PID 2768 wrote to memory of 2344 2768 i462484.exe 34 PID 2768 wrote to memory of 2344 2768 i462484.exe 34 PID 2344 wrote to memory of 2352 2344 5nbnnh.exe 35 PID 2344 wrote to memory of 2352 2344 5nbnnh.exe 35 PID 2344 wrote to memory of 2352 2344 5nbnnh.exe 35 PID 2344 wrote to memory of 2352 2344 5nbnnh.exe 35 PID 2352 wrote to memory of 2628 2352 vpdjj.exe 36 PID 2352 wrote to memory of 2628 2352 vpdjj.exe 36 PID 2352 wrote to memory of 2628 2352 vpdjj.exe 36 PID 2352 wrote to memory of 2628 2352 vpdjj.exe 36 PID 2628 wrote to memory of 1956 2628 rfxllff.exe 37 PID 2628 wrote to memory of 1956 2628 rfxllff.exe 37 PID 2628 wrote to memory of 1956 2628 rfxllff.exe 37 PID 2628 wrote to memory of 1956 2628 rfxllff.exe 37 PID 1956 wrote to memory of 2476 1956 i404644.exe 38 PID 1956 wrote to memory of 2476 1956 i404644.exe 38 PID 1956 wrote to memory of 2476 1956 i404644.exe 38 PID 1956 wrote to memory of 2476 1956 i404644.exe 38 PID 2476 wrote to memory of 2248 2476 frfrxxf.exe 39 PID 
2476 wrote to memory of 2248 2476 frfrxxf.exe 39 PID 2476 wrote to memory of 2248 2476 frfrxxf.exe 39 PID 2476 wrote to memory of 2248 2476 frfrxxf.exe 39 PID 2248 wrote to memory of 600 2248 q80022.exe 40 PID 2248 wrote to memory of 600 2248 q80022.exe 40 PID 2248 wrote to memory of 600 2248 q80022.exe 40 PID 2248 wrote to memory of 600 2248 q80022.exe 40 PID 600 wrote to memory of 2900 600 nnnntb.exe 41 PID 600 wrote to memory of 2900 600 nnnntb.exe 41 PID 600 wrote to memory of 2900 600 nnnntb.exe 41 PID 600 wrote to memory of 2900 600 nnnntb.exe 41 PID 2900 wrote to memory of 1248 2900 424426.exe 42 PID 2900 wrote to memory of 1248 2900 424426.exe 42 PID 2900 wrote to memory of 1248 2900 424426.exe 42 PID 2900 wrote to memory of 1248 2900 424426.exe 42 PID 1248 wrote to memory of 528 1248 m2462.exe 43 PID 1248 wrote to memory of 528 1248 m2462.exe 43 PID 1248 wrote to memory of 528 1248 m2462.exe 43 PID 1248 wrote to memory of 528 1248 m2462.exe 43 PID 528 wrote to memory of 2604 528 1djjj.exe 44 PID 528 wrote to memory of 2604 528 1djjj.exe 44 PID 528 wrote to memory of 2604 528 1djjj.exe 44 PID 528 wrote to memory of 2604 528 1djjj.exe 44 PID 2604 wrote to memory of 1904 2604 428462.exe 45 PID 2604 wrote to memory of 1904 2604 428462.exe 45 PID 2604 wrote to memory of 1904 2604 428462.exe 45 PID 2604 wrote to memory of 1904 2604 428462.exe 45 PID 1904 wrote to memory of 2152 1904 480000.exe 46 PID 1904 wrote to memory of 2152 1904 480000.exe 46 PID 1904 wrote to memory of 2152 1904 480000.exe 46 PID 1904 wrote to memory of 2152 1904 480000.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe"C:\Users\Admin\AppData\Local\Temp\949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\086282.exec:\086282.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\822248.exec:\822248.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\i462484.exec:\i462484.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\5nbnnh.exec:\5nbnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\vpdjj.exec:\vpdjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\rfxllff.exec:\rfxllff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\i404644.exec:\i404644.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\frfrxxf.exec:\frfrxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\q80022.exec:\q80022.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\nnnntb.exec:\nnnntb.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:600 -
\??\c:\424426.exec:\424426.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\m2462.exec:\m2462.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\1djjj.exec:\1djjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\428462.exec:\428462.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\480000.exec:\480000.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\q24622.exec:\q24622.exe17⤵
- Executes dropped EXE
PID:2152 -
\??\c:\flxlrff.exec:\flxlrff.exe18⤵
- Executes dropped EXE
PID:2308 -
\??\c:\420028.exec:\420028.exe19⤵
- Executes dropped EXE
PID:1776 -
\??\c:\pvjjp.exec:\pvjjp.exe20⤵
- Executes dropped EXE
PID:840 -
\??\c:\42402.exec:\42402.exe21⤵
- Executes dropped EXE
PID:1132 -
\??\c:\3pdvd.exec:\3pdvd.exe22⤵
- Executes dropped EXE
PID:1636 -
\??\c:\5flllll.exec:\5flllll.exe23⤵
- Executes dropped EXE
PID:1608 -
\??\c:\g6846.exec:\g6846.exe24⤵
- Executes dropped EXE
PID:916 -
\??\c:\8062000.exec:\8062000.exe25⤵
- Executes dropped EXE
PID:2236 -
\??\c:\42068.exec:\42068.exe26⤵
- Executes dropped EXE
PID:340 -
\??\c:\tbntth.exec:\tbntth.exe27⤵
- Executes dropped EXE
PID:2036 -
\??\c:\s6888.exec:\s6888.exe28⤵
- Executes dropped EXE
PID:2516 -
\??\c:\pdjjp.exec:\pdjjp.exe29⤵
- Executes dropped EXE
PID:2508 -
\??\c:\3nttnn.exec:\3nttnn.exe30⤵
- Executes dropped EXE
PID:2240 -
\??\c:\02624.exec:\02624.exe31⤵
- Executes dropped EXE
PID:1496 -
\??\c:\jjpdj.exec:\jjpdj.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:884 -
\??\c:\0842488.exec:\0842488.exe33⤵
- Executes dropped EXE
PID:324 -
\??\c:\xfflrxl.exec:\xfflrxl.exe34⤵
- Executes dropped EXE
PID:1596 -
\??\c:\08062.exec:\08062.exe35⤵
- Executes dropped EXE
PID:2792 -
\??\c:\thbbhh.exec:\thbbhh.exe36⤵
- Executes dropped EXE
PID:2840 -
\??\c:\88068.exec:\88068.exe37⤵
- Executes dropped EXE
PID:2976 -
\??\c:\s2620.exec:\s2620.exe38⤵
- Executes dropped EXE
PID:2156 -
\??\c:\080688.exec:\080688.exe39⤵
- Executes dropped EXE
PID:2720 -
\??\c:\5rffffl.exec:\5rffffl.exe40⤵
- Executes dropped EXE
PID:2800 -
\??\c:\7nbhbb.exec:\7nbhbb.exe41⤵
- Executes dropped EXE
PID:2632 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe42⤵
- Executes dropped EXE
PID:2664 -
\??\c:\ttnbnt.exec:\ttnbnt.exe43⤵
- Executes dropped EXE
PID:2948 -
\??\c:\0844006.exec:\0844006.exe44⤵
- Executes dropped EXE
PID:2464 -
\??\c:\lfrxffl.exec:\lfrxffl.exe45⤵
- Executes dropped EXE
PID:2068 -
\??\c:\g6040.exec:\g6040.exe46⤵
- Executes dropped EXE
PID:1732 -
\??\c:\4822040.exec:\4822040.exe47⤵
- Executes dropped EXE
PID:2856 -
\??\c:\2200842.exec:\2200842.exe48⤵
- Executes dropped EXE
PID:2876 -
\??\c:\3thhnn.exec:\3thhnn.exe49⤵
- Executes dropped EXE
PID:640 -
\??\c:\k08444.exec:\k08444.exe50⤵
- Executes dropped EXE
PID:2700 -
\??\c:\4684444.exec:\4684444.exe51⤵
- Executes dropped EXE
PID:3036 -
\??\c:\86406.exec:\86406.exe52⤵
- Executes dropped EXE
PID:2284 -
\??\c:\pvjjp.exec:\pvjjp.exe53⤵
- Executes dropped EXE
PID:1152 -
\??\c:\48684.exec:\48684.exe54⤵
- Executes dropped EXE
PID:900 -
\??\c:\3pdjp.exec:\3pdjp.exe55⤵
- Executes dropped EXE
PID:1976 -
\??\c:\i028444.exec:\i028444.exe56⤵
- Executes dropped EXE
PID:2208 -
\??\c:\2062888.exec:\2062888.exe57⤵
- Executes dropped EXE
PID:2064 -
\??\c:\5hhtth.exec:\5hhtth.exe58⤵
- Executes dropped EXE
PID:2400 -
\??\c:\c604044.exec:\c604044.exe59⤵
- Executes dropped EXE
PID:960 -
\??\c:\jvjjv.exec:\jvjjv.exe60⤵
- Executes dropped EXE
PID:2924 -
\??\c:\2868440.exec:\2868440.exe61⤵
- Executes dropped EXE
PID:1148 -
\??\c:\024460.exec:\024460.exe62⤵
- Executes dropped EXE
PID:1376 -
\??\c:\8626606.exec:\8626606.exe63⤵
- Executes dropped EXE
PID:1048 -
\??\c:\0244440.exec:\0244440.exe64⤵
- Executes dropped EXE
PID:548 -
\??\c:\vjvvj.exec:\vjvvj.exe65⤵
- Executes dropped EXE
PID:776 -
\??\c:\6684280.exec:\6684280.exe66⤵
- System Location Discovery: System Language Discovery
PID:664 -
\??\c:\8688828.exec:\8688828.exe67⤵PID:340
-
\??\c:\bhtnbh.exec:\bhtnbh.exe68⤵PID:2564
-
\??\c:\lxrrxxl.exec:\lxrrxxl.exe69⤵PID:2000
-
\??\c:\428884.exec:\428884.exe70⤵PID:1028
-
\??\c:\0428046.exec:\0428046.exe71⤵PID:996
-
\??\c:\644060.exec:\644060.exe72⤵PID:2524
-
\??\c:\frffrrx.exec:\frffrrx.exe73⤵PID:1708
-
\??\c:\tnbhnh.exec:\tnbhnh.exe74⤵PID:880
-
\??\c:\pdpvv.exec:\pdpvv.exe75⤵PID:2380
-
\??\c:\nbbbtt.exec:\nbbbtt.exe76⤵PID:2776
-
\??\c:\g0844.exec:\g0844.exe77⤵PID:1592
-
\??\c:\0244484.exec:\0244484.exe78⤵PID:2920
-
\??\c:\e08404.exec:\e08404.exe79⤵PID:2784
-
\??\c:\q08404.exec:\q08404.exe80⤵PID:2976
-
\??\c:\46844.exec:\46844.exe81⤵PID:2668
-
\??\c:\xlllrxf.exec:\xlllrxf.exe82⤵PID:2940
-
\??\c:\lfrrxrr.exec:\lfrrxrr.exe83⤵PID:2352
-
\??\c:\246468.exec:\246468.exe84⤵PID:2628
-
\??\c:\hbnnnn.exec:\hbnnnn.exe85⤵PID:2708
-
\??\c:\nhtntt.exec:\nhtntt.exe86⤵PID:2484
-
\??\c:\64004.exec:\64004.exe87⤵PID:2472
-
\??\c:\g2046.exec:\g2046.exe88⤵PID:1088
-
\??\c:\7lxfxxr.exec:\7lxfxxr.exe89⤵PID:2044
-
\??\c:\bnthnn.exec:\bnthnn.exe90⤵PID:2856
-
\??\c:\c282882.exec:\c282882.exe91⤵PID:2968
-
\??\c:\02840.exec:\02840.exe92⤵PID:2908
-
\??\c:\2086844.exec:\2086844.exe93⤵PID:2988
-
\??\c:\86224.exec:\86224.exe94⤵PID:2264
-
\??\c:\pjpdj.exec:\pjpdj.exe95⤵PID:1444
-
\??\c:\xrxxfff.exec:\xrxxfff.exe96⤵PID:1624
-
\??\c:\4248840.exec:\4248840.exe97⤵PID:2304
-
\??\c:\7nbbbb.exec:\7nbbbb.exe98⤵PID:1600
-
\??\c:\5hbtbh.exec:\5hbtbh.exe99⤵PID:2216
-
\??\c:\pdppv.exec:\pdppv.exe100⤵PID:2192
-
\??\c:\i060608.exec:\i060608.exe101⤵PID:2596
-
\??\c:\nnbhtn.exec:\nnbhtn.exe102⤵PID:1132
-
\??\c:\9ffxrlr.exec:\9ffxrlr.exe103⤵PID:2300
-
\??\c:\604426.exec:\604426.exe104⤵PID:1608
-
\??\c:\thtntn.exec:\thtntn.exe105⤵PID:920
-
\??\c:\024060.exec:\024060.exe106⤵PID:2412
-
\??\c:\bbnntt.exec:\bbnntt.exe107⤵PID:2236
-
\??\c:\hthbbt.exec:\hthbbt.exe108⤵PID:1720
-
\??\c:\vvjdd.exec:\vvjdd.exe109⤵PID:1724
-
\??\c:\tnbtbt.exec:\tnbtbt.exe110⤵PID:1240
-
\??\c:\m0884.exec:\m0884.exe111⤵PID:2564
-
\??\c:\pjdjv.exec:\pjdjv.exe112⤵PID:2508
-
\??\c:\3hbtnn.exec:\3hbtnn.exe113⤵PID:1028
-
\??\c:\864404.exec:\864404.exe114⤵PID:1568
-
\??\c:\0844448.exec:\0844448.exe115⤵PID:2524
-
\??\c:\llxfrll.exec:\llxfrll.exe116⤵PID:2292
-
\??\c:\jvdvd.exec:\jvdvd.exe117⤵PID:324
-
\??\c:\flxrxxx.exec:\flxrxxx.exe118⤵PID:2780
-
\??\c:\lfrxfxl.exec:\lfrxfxl.exe119⤵PID:2832
-
\??\c:\608860.exec:\608860.exe120⤵PID:1596
-
\??\c:\bnnnnh.exec:\bnnnnh.exe121⤵PID:2920
-
\??\c:\8682462.exec:\8682462.exe122⤵PID:2784