Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 22:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
40629eb9f967cbae5f004b74718a2661fcb59602324765894a80352cf6ff065e.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
40629eb9f967cbae5f004b74718a2661fcb59602324765894a80352cf6ff065e.exe
-
Size
454KB
-
MD5
96530ff96d2ce7251bd65dbb87ab3b87
-
SHA1
3580642a560f5a2a3fb35b7fa980c5c8eb0da9d4
-
SHA256
40629eb9f967cbae5f004b74718a2661fcb59602324765894a80352cf6ff065e
-
SHA512
22ffda7494efe7d73c958a7fbf99aa078af0023d12a85c55dd2b51d1c87fd5d541d9c878e6e77f01e8e6fe7ca7f46e5b3b34a831ab6541088a9c93bfd46205f9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeth:q7Tc2NYHUrAwfMp3CDth
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/1824-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1448-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/624-203-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1116-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/924-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-721-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2416-739-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/624-773-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2368-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-1160-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1304-1263-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1704-1274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 584 4800624.exe 2900 rlfflrr.exe 2680 bthnhh.exe 2972 3btthn.exe 2932 048462.exe 2668 tbnnhb.exe 2064 1tbtnt.exe 2848 8484228.exe 328 262806.exe 2364 ddvdj.exe 1448 86824.exe 2284 4204002.exe 2040 6040280.exe 2996 6024006.exe 2576 pjvvd.exe 1488 42068.exe 2252 4662006.exe 2096 ddjpp.exe 2432 dvjdj.exe 548 w20244.exe 624 s0406.exe 1116 64028.exe 1204 s0824.exe 904 lfrxffr.exe 1772 k64626.exe 1664 e06622.exe 924 c244044.exe 1224 7hnbbt.exe 1592 xxrrrrx.exe 2352 86884.exe 1032 04224.exe 2768 pjvvj.exe 1072 3dppv.exe 584 8064406.exe 1548 m8662.exe 3048 ffrrflx.exe 2836 nhtthb.exe 2808 rfrllll.exe 2972 tbhbhb.exe 2676 1xffllr.exe 2704 5dvvv.exe 2732 3jppv.exe 2324 0800228.exe 888 468666.exe 1280 vjvvd.exe 528 420028.exe 2136 1pddv.exe 2076 0806280.exe 2028 vvjjj.exe 2764 hhbbhb.exe 1940 vpdjv.exe 1956 82062.exe 1704 vvvdp.exe 1420 420628.exe 1256 2028400.exe 2656 82446.exe 3064 hbtbbh.exe 2200 jdvvd.exe 2516 a0880.exe 2432 dpddd.exe 548 nhbntt.exe 2084 42424.exe 2460 3jvvv.exe 944 xlxrrxf.exe -
resource yara_rule behavioral1/memory/1824-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-247-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/924-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-820-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1104-951-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-958-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-1013-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-1062-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-1088-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-1113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-1175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-1248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-1274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-1287-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4828406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k04688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k02620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c400846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1824 wrote to memory of 584 1824 40629eb9f967cbae5f004b74718a2661fcb59602324765894a80352cf6ff065e.exe 30 PID 1824 wrote to memory of 584 1824 40629eb9f967cbae5f004b74718a2661fcb59602324765894a80352cf6ff065e.exe 30 PID 1824 wrote to memory of 584 1824 40629eb9f967cbae5f004b74718a2661fcb59602324765894a80352cf6ff065e.exe 30 PID 1824 wrote to memory of 584 1824 40629eb9f967cbae5f004b74718a2661fcb59602324765894a80352cf6ff065e.exe 30 PID 584 wrote to memory of 2900 584 4800624.exe 31 PID 584 wrote to memory of 2900 584 4800624.exe 31 PID 584 wrote to memory of 2900 584 4800624.exe 31 PID 584 wrote to memory of 2900 584 4800624.exe 31 PID 2900 wrote to memory of 2680 2900 rlfflrr.exe 32 PID 2900 wrote to memory of 2680 2900 rlfflrr.exe 32 PID 2900 wrote to memory of 2680 2900 rlfflrr.exe 32 PID 2900 wrote to memory of 2680 2900 rlfflrr.exe 32 PID 2680 wrote to memory of 2972 2680 bthnhh.exe 33 PID 2680 wrote to memory of 2972 2680 bthnhh.exe 33 PID 2680 wrote to memory of 2972 2680 bthnhh.exe 33 PID 2680 wrote to memory of 2972 2680 bthnhh.exe 33 PID 2972 wrote to memory of 2932 2972 3btthn.exe 34 PID 2972 wrote to memory of 2932 2972 3btthn.exe 34 PID 2972 wrote to memory of 2932 2972 3btthn.exe 34 PID 2972 wrote to memory of 2932 2972 3btthn.exe 34 PID 2932 wrote to memory of 2668 2932 048462.exe 35 PID 2932 wrote to memory of 2668 2932 048462.exe 35 PID 2932 wrote to memory of 2668 2932 048462.exe 35 PID 2932 wrote to memory of 2668 2932 048462.exe 35 PID 2668 wrote to memory of 2064 2668 tbnnhb.exe 36 PID 2668 wrote to memory of 2064 2668 tbnnhb.exe 36 PID 2668 wrote to memory of 2064 2668 tbnnhb.exe 36 PID 2668 wrote to memory of 2064 2668 tbnnhb.exe 36 PID 2064 wrote to memory of 2848 2064 1tbtnt.exe 37 PID 2064 wrote to memory of 2848 2064 1tbtnt.exe 37 PID 2064 wrote to memory of 2848 2064 1tbtnt.exe 37 PID 2064 wrote to memory of 2848 2064 1tbtnt.exe 37 PID 2848 wrote to memory of 328 2848 8484228.exe 38 PID 2848 wrote to 
memory of 328 2848 8484228.exe 38 PID 2848 wrote to memory of 328 2848 8484228.exe 38 PID 2848 wrote to memory of 328 2848 8484228.exe 38 PID 328 wrote to memory of 2364 328 262806.exe 39 PID 328 wrote to memory of 2364 328 262806.exe 39 PID 328 wrote to memory of 2364 328 262806.exe 39 PID 328 wrote to memory of 2364 328 262806.exe 39 PID 2364 wrote to memory of 1448 2364 ddvdj.exe 40 PID 2364 wrote to memory of 1448 2364 ddvdj.exe 40 PID 2364 wrote to memory of 1448 2364 ddvdj.exe 40 PID 2364 wrote to memory of 1448 2364 ddvdj.exe 40 PID 1448 wrote to memory of 2284 1448 86824.exe 41 PID 1448 wrote to memory of 2284 1448 86824.exe 41 PID 1448 wrote to memory of 2284 1448 86824.exe 41 PID 1448 wrote to memory of 2284 1448 86824.exe 41 PID 2284 wrote to memory of 2040 2284 4204002.exe 42 PID 2284 wrote to memory of 2040 2284 4204002.exe 42 PID 2284 wrote to memory of 2040 2284 4204002.exe 42 PID 2284 wrote to memory of 2040 2284 4204002.exe 42 PID 2040 wrote to memory of 2996 2040 6040280.exe 43 PID 2040 wrote to memory of 2996 2040 6040280.exe 43 PID 2040 wrote to memory of 2996 2040 6040280.exe 43 PID 2040 wrote to memory of 2996 2040 6040280.exe 43 PID 2996 wrote to memory of 2576 2996 6024006.exe 44 PID 2996 wrote to memory of 2576 2996 6024006.exe 44 PID 2996 wrote to memory of 2576 2996 6024006.exe 44 PID 2996 wrote to memory of 2576 2996 6024006.exe 44 PID 2576 wrote to memory of 1488 2576 pjvvd.exe 45 PID 2576 wrote to memory of 1488 2576 pjvvd.exe 45 PID 2576 wrote to memory of 1488 2576 pjvvd.exe 45 PID 2576 wrote to memory of 1488 2576 pjvvd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\40629eb9f967cbae5f004b74718a2661fcb59602324765894a80352cf6ff065e.exe"C:\Users\Admin\AppData\Local\Temp\40629eb9f967cbae5f004b74718a2661fcb59602324765894a80352cf6ff065e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\4800624.exec:\4800624.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\rlfflrr.exec:\rlfflrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\bthnhh.exec:\bthnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\3btthn.exec:\3btthn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\048462.exec:\048462.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\tbnnhb.exec:\tbnnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\1tbtnt.exec:\1tbtnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\8484228.exec:\8484228.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\262806.exec:\262806.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:328 -
\??\c:\ddvdj.exec:\ddvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\86824.exec:\86824.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\4204002.exec:\4204002.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\6040280.exec:\6040280.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\6024006.exec:\6024006.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\pjvvd.exec:\pjvvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\42068.exec:\42068.exe17⤵
- Executes dropped EXE
PID:1488 -
\??\c:\4662006.exec:\4662006.exe18⤵
- Executes dropped EXE
PID:2252 -
\??\c:\ddjpp.exec:\ddjpp.exe19⤵
- Executes dropped EXE
PID:2096 -
\??\c:\dvjdj.exec:\dvjdj.exe20⤵
- Executes dropped EXE
PID:2432 -
\??\c:\w20244.exec:\w20244.exe21⤵
- Executes dropped EXE
PID:548 -
\??\c:\s0406.exec:\s0406.exe22⤵
- Executes dropped EXE
PID:624 -
\??\c:\64028.exec:\64028.exe23⤵
- Executes dropped EXE
PID:1116 -
\??\c:\s0824.exec:\s0824.exe24⤵
- Executes dropped EXE
PID:1204 -
\??\c:\lfrxffr.exec:\lfrxffr.exe25⤵
- Executes dropped EXE
PID:904 -
\??\c:\k64626.exec:\k64626.exe26⤵
- Executes dropped EXE
PID:1772 -
\??\c:\e06622.exec:\e06622.exe27⤵
- Executes dropped EXE
PID:1664 -
\??\c:\c244044.exec:\c244044.exe28⤵
- Executes dropped EXE
PID:924 -
\??\c:\7hnbbt.exec:\7hnbbt.exe29⤵
- Executes dropped EXE
PID:1224 -
\??\c:\xxrrrrx.exec:\xxrrrrx.exe30⤵
- Executes dropped EXE
PID:1592 -
\??\c:\86884.exec:\86884.exe31⤵
- Executes dropped EXE
PID:2352 -
\??\c:\04224.exec:\04224.exe32⤵
- Executes dropped EXE
PID:1032 -
\??\c:\pjvvj.exec:\pjvvj.exe33⤵
- Executes dropped EXE
PID:2768 -
\??\c:\3dppv.exec:\3dppv.exe34⤵
- Executes dropped EXE
PID:1072 -
\??\c:\8064406.exec:\8064406.exe35⤵
- Executes dropped EXE
PID:584 -
\??\c:\m8662.exec:\m8662.exe36⤵
- Executes dropped EXE
PID:1548 -
\??\c:\ffrrflx.exec:\ffrrflx.exe37⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nhtthb.exec:\nhtthb.exe38⤵
- Executes dropped EXE
PID:2836 -
\??\c:\rfrllll.exec:\rfrllll.exe39⤵
- Executes dropped EXE
PID:2808 -
\??\c:\tbhbhb.exec:\tbhbhb.exe40⤵
- Executes dropped EXE
PID:2972 -
\??\c:\1xffllr.exec:\1xffllr.exe41⤵
- Executes dropped EXE
PID:2676 -
\??\c:\5dvvv.exec:\5dvvv.exe42⤵
- Executes dropped EXE
PID:2704 -
\??\c:\3jppv.exec:\3jppv.exe43⤵
- Executes dropped EXE
PID:2732 -
\??\c:\0800228.exec:\0800228.exe44⤵
- Executes dropped EXE
PID:2324 -
\??\c:\468666.exec:\468666.exe45⤵
- Executes dropped EXE
PID:888 -
\??\c:\vjvvd.exec:\vjvvd.exe46⤵
- Executes dropped EXE
PID:1280 -
\??\c:\420028.exec:\420028.exe47⤵
- Executes dropped EXE
PID:528 -
\??\c:\1pddv.exec:\1pddv.exe48⤵
- Executes dropped EXE
PID:2136 -
\??\c:\0806280.exec:\0806280.exe49⤵
- Executes dropped EXE
PID:2076 -
\??\c:\vvjjj.exec:\vvjjj.exe50⤵
- Executes dropped EXE
PID:2028 -
\??\c:\hhbbhb.exec:\hhbbhb.exe51⤵
- Executes dropped EXE
PID:2764 -
\??\c:\vpdjv.exec:\vpdjv.exe52⤵
- Executes dropped EXE
PID:1940 -
\??\c:\82062.exec:\82062.exe53⤵
- Executes dropped EXE
PID:1956 -
\??\c:\vvvdp.exec:\vvvdp.exe54⤵
- Executes dropped EXE
PID:1704 -
\??\c:\420628.exec:\420628.exe55⤵
- Executes dropped EXE
PID:1420 -
\??\c:\2028400.exec:\2028400.exe56⤵
- Executes dropped EXE
PID:1256 -
\??\c:\82446.exec:\82446.exe57⤵
- Executes dropped EXE
PID:2656 -
\??\c:\hbtbbh.exec:\hbtbbh.exe58⤵
- Executes dropped EXE
PID:3064 -
\??\c:\jdvvd.exec:\jdvvd.exe59⤵
- Executes dropped EXE
PID:2200 -
\??\c:\a0880.exec:\a0880.exe60⤵
- Executes dropped EXE
PID:2516 -
\??\c:\dpddd.exec:\dpddd.exe61⤵
- Executes dropped EXE
PID:2432 -
\??\c:\nhbntt.exec:\nhbntt.exe62⤵
- Executes dropped EXE
PID:548 -
\??\c:\42424.exec:\42424.exe63⤵
- Executes dropped EXE
PID:2084 -
\??\c:\3jvvv.exec:\3jvvv.exe64⤵
- Executes dropped EXE
PID:2460 -
\??\c:\xlxrrxf.exec:\xlxrrxf.exe65⤵
- Executes dropped EXE
PID:944 -
\??\c:\6088406.exec:\6088406.exe66⤵PID:1204
-
\??\c:\7htbnt.exec:\7htbnt.exe67⤵PID:268
-
\??\c:\m4228.exec:\m4228.exe68⤵PID:2756
-
\??\c:\7tbhtt.exec:\7tbhtt.exe69⤵PID:288
-
\??\c:\hbnntt.exec:\hbnntt.exe70⤵PID:2172
-
\??\c:\fxllllx.exec:\fxllllx.exe71⤵PID:1516
-
\??\c:\8240662.exec:\8240662.exe72⤵PID:1952
-
\??\c:\ppjpv.exec:\ppjpv.exe73⤵PID:1708
-
\??\c:\jjvvj.exec:\jjvvj.exe74⤵PID:1788
-
\??\c:\ddvpj.exec:\ddvpj.exe75⤵PID:2352
-
\??\c:\5vpvp.exec:\5vpvp.exe76⤵PID:872
-
\??\c:\8862840.exec:\8862840.exe77⤵PID:1600
-
\??\c:\48284.exec:\48284.exe78⤵PID:1604
-
\??\c:\1btbbb.exec:\1btbbb.exe79⤵PID:2896
-
\??\c:\ppjpd.exec:\ppjpd.exe80⤵PID:2892
-
\??\c:\m6824.exec:\m6824.exe81⤵PID:2900
-
\??\c:\7tnnbh.exec:\7tnnbh.exe82⤵PID:2680
-
\??\c:\rrlxffr.exec:\rrlxffr.exe83⤵PID:2776
-
\??\c:\o040224.exec:\o040224.exe84⤵PID:2812
-
\??\c:\608022.exec:\608022.exe85⤵PID:2972
-
\??\c:\206282.exec:\206282.exe86⤵PID:2720
-
\??\c:\xrflxfl.exec:\xrflxfl.exe87⤵PID:2728
-
\??\c:\600462.exec:\600462.exe88⤵PID:2748
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe89⤵PID:2844
-
\??\c:\jdvdd.exec:\jdvdd.exe90⤵PID:888
-
\??\c:\hhttbh.exec:\hhttbh.exe91⤵PID:2228
-
\??\c:\0486802.exec:\0486802.exe92⤵PID:328
-
\??\c:\1xrrlrx.exec:\1xrrlrx.exe93⤵PID:2580
-
\??\c:\5tnnbb.exec:\5tnnbb.exe94⤵PID:1796
-
\??\c:\u606402.exec:\u606402.exe95⤵PID:2744
-
\??\c:\fxllrrx.exec:\fxllrrx.exe96⤵PID:2948
-
\??\c:\8666266.exec:\8666266.exe97⤵PID:1040
-
\??\c:\4828406.exec:\4828406.exe98⤵
- System Location Discovery: System Language Discovery
PID:1956 -
\??\c:\q20004.exec:\q20004.exe99⤵PID:1744
-
\??\c:\82068.exec:\82068.exe100⤵PID:1420
-
\??\c:\4626800.exec:\4626800.exe101⤵PID:1256
-
\??\c:\60468.exec:\60468.exe102⤵PID:2416
-
\??\c:\626428.exec:\626428.exe103⤵PID:3064
-
\??\c:\8240062.exec:\8240062.exe104⤵PID:2552
-
\??\c:\jdpjp.exec:\jdpjp.exe105⤵PID:2632
-
\??\c:\tnbthn.exec:\tnbthn.exe106⤵PID:880
-
\??\c:\3htnnh.exec:\3htnnh.exe107⤵PID:624
-
\??\c:\vjppv.exec:\vjppv.exe108⤵PID:1116
-
\??\c:\vdjvp.exec:\vdjvp.exe109⤵PID:1976
-
\??\c:\u864864.exec:\u864864.exe110⤵PID:1768
-
\??\c:\5xllxfl.exec:\5xllxfl.exe111⤵PID:1520
-
\??\c:\vjvpv.exec:\vjvpv.exe112⤵PID:1772
-
\??\c:\04624.exec:\04624.exe113⤵PID:2188
-
\??\c:\9frxfff.exec:\9frxfff.exe114⤵PID:756
-
\??\c:\0860224.exec:\0860224.exe115⤵PID:2368
-
\??\c:\w08406.exec:\w08406.exe116⤵PID:2584
-
\??\c:\g6884.exec:\g6884.exe117⤵PID:2596
-
\??\c:\8622884.exec:\8622884.exe118⤵PID:1732
-
\??\c:\2484066.exec:\2484066.exe119⤵PID:2340
-
\??\c:\k68400.exec:\k68400.exe120⤵PID:1720
-
\??\c:\k26284.exec:\k26284.exe121⤵PID:2820
-
\??\c:\20224.exec:\20224.exe122⤵PID:1072