Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 22:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe
-
Size
455KB
-
MD5
05769cbd90436f8dcda4bf4da1d26de2
-
SHA1
a23a5d5353fc4eb3c069f29f4c48c6c57696370e
-
SHA256
4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5
-
SHA512
4526942b1dbec11ce75478047596c2caffff29349b782d20ed683cb21ac9f337514d7936469d7c53fefd376357130447aa8e49ecc078fbe16b8edd133ed63f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/1864-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/280-13-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/280-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-43-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2000-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-54-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2384-67-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/340-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1224-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1204-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1580-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-387-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2004-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2728-348-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2668-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-334-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2288-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-262-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1480-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-244-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/992-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-192-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/704-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-864-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-889-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1420-1219-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 280 jdjpv.exe 2940 xlrrrrr.exe 2436 3xllrxf.exe 2000 lxfxfxx.exe 2740 8622446.exe 2384 q40604.exe 2688 824062.exe 2832 7vpvj.exe 2308 hhtthh.exe 2592 5thhnb.exe 2572 rlfxllx.exe 340 60284.exe 1224 a0684.exe 1204 1thhtt.exe 1924 4204662.exe 1616 nbtbbb.exe 1580 i060262.exe 2848 jddvd.exe 2868 3lxxfxx.exe 1440 264640.exe 2708 s6060.exe 1632 26222.exe 2312 nhnhnh.exe 992 20884.exe 1652 nhnhth.exe 1480 k68800.exe 2168 vjpjj.exe 1504 044606.exe 1588 dvvpv.exe 2288 a8662.exe 1468 c084668.exe 1568 ttnbtb.exe 1976 264040.exe 2484 046240.exe 3004 fxrxflf.exe 2352 60426.exe 1456 o202846.exe 2668 1htntt.exe 1416 3bhntb.exe 2728 tbhbbt.exe 2408 xfxfxfl.exe 2792 48642.exe 2440 2622064.exe 2756 jdvdp.exe 2576 82064.exe 2456 dvjjp.exe 2004 bbthnt.exe 680 bbnbnt.exe 2984 048406.exe 1688 1jjjv.exe 316 7dppd.exe 1812 202244.exe 1788 bhtnbb.exe 1616 jjvdj.exe 2844 llfxfff.exe 2812 o884628.exe 2988 5fxfrfr.exe 2860 9tbtbb.exe 272 7flrffr.exe 1632 48064.exe 2312 xxlrlrr.exe 840 7pjvp.exe 1652 60880.exe 2380 fxxxxxl.exe -
resource yara_rule behavioral1/memory/1864-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/280-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-374-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2668-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-262-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1480-249-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/992-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/704-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-864-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-889-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-951-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-1128-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2752-1134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-1319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-1344-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1864 wrote to memory of 280 1864 4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe 30 PID 1864 wrote to memory of 280 1864 4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe 30 PID 1864 wrote to memory of 280 1864 4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe 30 PID 1864 wrote to memory of 280 1864 4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe 30 PID 280 wrote to memory of 2940 280 jdjpv.exe 31 PID 280 wrote to memory of 2940 280 jdjpv.exe 31 PID 280 wrote to memory of 2940 280 jdjpv.exe 31 PID 280 wrote to memory of 2940 280 jdjpv.exe 31 PID 2940 wrote to memory of 2436 2940 xlrrrrr.exe 32 PID 2940 wrote to memory of 2436 2940 xlrrrrr.exe 32 PID 2940 wrote to memory of 2436 2940 xlrrrrr.exe 32 PID 2940 wrote to memory of 2436 2940 xlrrrrr.exe 32 PID 2436 wrote to memory of 2000 2436 3xllrxf.exe 33 PID 2436 wrote to memory of 2000 2436 3xllrxf.exe 33 PID 2436 wrote to memory of 2000 2436 3xllrxf.exe 33 PID 2436 wrote to memory of 2000 2436 3xllrxf.exe 33 PID 2000 wrote to memory of 2740 2000 lxfxfxx.exe 34 PID 2000 wrote to memory of 2740 2000 lxfxfxx.exe 34 PID 2000 wrote to memory of 2740 2000 lxfxfxx.exe 34 PID 2000 wrote to memory of 2740 2000 lxfxfxx.exe 34 PID 2740 wrote to memory of 2384 2740 8622446.exe 35 PID 2740 wrote to memory of 2384 2740 8622446.exe 35 PID 2740 wrote to memory of 2384 2740 8622446.exe 35 PID 2740 wrote to memory of 2384 2740 8622446.exe 35 PID 2384 wrote to memory of 2688 2384 q40604.exe 36 PID 2384 wrote to memory of 2688 2384 q40604.exe 36 PID 2384 wrote to memory of 2688 2384 q40604.exe 36 PID 2384 wrote to memory of 2688 2384 q40604.exe 36 PID 2688 wrote to memory of 2832 2688 824062.exe 37 PID 2688 wrote to memory of 2832 2688 824062.exe 37 PID 2688 wrote to memory of 2832 2688 824062.exe 37 PID 2688 wrote to memory of 2832 2688 824062.exe 37 PID 2832 wrote to memory of 2308 2832 7vpvj.exe 38 PID 2832 wrote 
to memory of 2308 2832 7vpvj.exe 38 PID 2832 wrote to memory of 2308 2832 7vpvj.exe 38 PID 2832 wrote to memory of 2308 2832 7vpvj.exe 38 PID 2308 wrote to memory of 2592 2308 hhtthh.exe 39 PID 2308 wrote to memory of 2592 2308 hhtthh.exe 39 PID 2308 wrote to memory of 2592 2308 hhtthh.exe 39 PID 2308 wrote to memory of 2592 2308 hhtthh.exe 39 PID 2592 wrote to memory of 2572 2592 5thhnb.exe 40 PID 2592 wrote to memory of 2572 2592 5thhnb.exe 40 PID 2592 wrote to memory of 2572 2592 5thhnb.exe 40 PID 2592 wrote to memory of 2572 2592 5thhnb.exe 40 PID 2572 wrote to memory of 340 2572 rlfxllx.exe 41 PID 2572 wrote to memory of 340 2572 rlfxllx.exe 41 PID 2572 wrote to memory of 340 2572 rlfxllx.exe 41 PID 2572 wrote to memory of 340 2572 rlfxllx.exe 41 PID 340 wrote to memory of 1224 340 60284.exe 42 PID 340 wrote to memory of 1224 340 60284.exe 42 PID 340 wrote to memory of 1224 340 60284.exe 42 PID 340 wrote to memory of 1224 340 60284.exe 42 PID 1224 wrote to memory of 1204 1224 a0684.exe 43 PID 1224 wrote to memory of 1204 1224 a0684.exe 43 PID 1224 wrote to memory of 1204 1224 a0684.exe 43 PID 1224 wrote to memory of 1204 1224 a0684.exe 43 PID 1204 wrote to memory of 1924 1204 1thhtt.exe 44 PID 1204 wrote to memory of 1924 1204 1thhtt.exe 44 PID 1204 wrote to memory of 1924 1204 1thhtt.exe 44 PID 1204 wrote to memory of 1924 1204 1thhtt.exe 44 PID 1924 wrote to memory of 1616 1924 4204662.exe 45 PID 1924 wrote to memory of 1616 1924 4204662.exe 45 PID 1924 wrote to memory of 1616 1924 4204662.exe 45 PID 1924 wrote to memory of 1616 1924 4204662.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe"C:\Users\Admin\AppData\Local\Temp\4dfba41697d6af299ba437a9f33e292be59c105a9f0898d764dd67e0a3d3fac5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\jdjpv.exec:\jdjpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:280 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\3xllrxf.exec:\3xllrxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\lxfxfxx.exec:\lxfxfxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\8622446.exec:\8622446.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\q40604.exec:\q40604.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\824062.exec:\824062.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\7vpvj.exec:\7vpvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\hhtthh.exec:\hhtthh.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\5thhnb.exec:\5thhnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\rlfxllx.exec:\rlfxllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\60284.exec:\60284.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:340 -
\??\c:\a0684.exec:\a0684.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\1thhtt.exec:\1thhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\4204662.exec:\4204662.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\nbtbbb.exec:\nbtbbb.exe17⤵
- Executes dropped EXE
PID:1616 -
\??\c:\i060262.exec:\i060262.exe18⤵
- Executes dropped EXE
PID:1580 -
\??\c:\jddvd.exec:\jddvd.exe19⤵
- Executes dropped EXE
PID:2848 -
\??\c:\3lxxfxx.exec:\3lxxfxx.exe20⤵
- Executes dropped EXE
PID:2868 -
\??\c:\264640.exec:\264640.exe21⤵
- Executes dropped EXE
PID:1440 -
\??\c:\s6060.exec:\s6060.exe22⤵
- Executes dropped EXE
PID:2708 -
\??\c:\26222.exec:\26222.exe23⤵
- Executes dropped EXE
PID:1632 -
\??\c:\nhnhnh.exec:\nhnhnh.exe24⤵
- Executes dropped EXE
PID:2312 -
\??\c:\20884.exec:\20884.exe25⤵
- Executes dropped EXE
PID:992 -
\??\c:\nhnhth.exec:\nhnhth.exe26⤵
- Executes dropped EXE
PID:1652 -
\??\c:\k68800.exec:\k68800.exe27⤵
- Executes dropped EXE
PID:1480 -
\??\c:\vjpjj.exec:\vjpjj.exe28⤵
- Executes dropped EXE
PID:2168 -
\??\c:\044606.exec:\044606.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
\??\c:\dvvpv.exec:\dvvpv.exe30⤵
- Executes dropped EXE
PID:1588 -
\??\c:\a8662.exec:\a8662.exe31⤵
- Executes dropped EXE
PID:2288 -
\??\c:\c084668.exec:\c084668.exe32⤵
- Executes dropped EXE
PID:1468 -
\??\c:\ttnbtb.exec:\ttnbtb.exe33⤵
- Executes dropped EXE
PID:1568 -
\??\c:\264040.exec:\264040.exe34⤵
- Executes dropped EXE
PID:1976 -
\??\c:\046240.exec:\046240.exe35⤵
- Executes dropped EXE
PID:2484 -
\??\c:\fxrxflf.exec:\fxrxflf.exe36⤵
- Executes dropped EXE
PID:3004 -
\??\c:\60426.exec:\60426.exe37⤵
- Executes dropped EXE
PID:2352 -
\??\c:\o202846.exec:\o202846.exe38⤵
- Executes dropped EXE
PID:1456 -
\??\c:\1htntt.exec:\1htntt.exe39⤵
- Executes dropped EXE
PID:2668 -
\??\c:\3bhntb.exec:\3bhntb.exe40⤵
- Executes dropped EXE
PID:1416 -
\??\c:\tbhbbt.exec:\tbhbbt.exe41⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xfxfxfl.exec:\xfxfxfl.exe42⤵
- Executes dropped EXE
PID:2408 -
\??\c:\48642.exec:\48642.exe43⤵
- Executes dropped EXE
PID:2792 -
\??\c:\2622064.exec:\2622064.exe44⤵
- Executes dropped EXE
PID:2440 -
\??\c:\jdvdp.exec:\jdvdp.exe45⤵
- Executes dropped EXE
PID:2756 -
\??\c:\82064.exec:\82064.exe46⤵
- Executes dropped EXE
PID:2576 -
\??\c:\dvjjp.exec:\dvjjp.exe47⤵
- Executes dropped EXE
PID:2456 -
\??\c:\bbthnt.exec:\bbthnt.exe48⤵
- Executes dropped EXE
PID:2004 -
\??\c:\bbnbnt.exec:\bbnbnt.exe49⤵
- Executes dropped EXE
PID:680 -
\??\c:\048406.exec:\048406.exe50⤵
- Executes dropped EXE
PID:2984 -
\??\c:\1jjjv.exec:\1jjjv.exe51⤵
- Executes dropped EXE
PID:1688 -
\??\c:\7dppd.exec:\7dppd.exe52⤵
- Executes dropped EXE
PID:316 -
\??\c:\202244.exec:\202244.exe53⤵
- Executes dropped EXE
PID:1812 -
\??\c:\bhtnbb.exec:\bhtnbb.exe54⤵
- Executes dropped EXE
PID:1788 -
\??\c:\jjvdj.exec:\jjvdj.exe55⤵
- Executes dropped EXE
PID:1616 -
\??\c:\llfxfff.exec:\llfxfff.exe56⤵
- Executes dropped EXE
PID:2844 -
\??\c:\o884628.exec:\o884628.exe57⤵
- Executes dropped EXE
PID:2812 -
\??\c:\5fxfrfr.exec:\5fxfrfr.exe58⤵
- Executes dropped EXE
PID:2988 -
\??\c:\9tbtbb.exec:\9tbtbb.exe59⤵
- Executes dropped EXE
PID:2860 -
\??\c:\7flrffr.exec:\7flrffr.exe60⤵
- Executes dropped EXE
PID:272 -
\??\c:\48064.exec:\48064.exe61⤵
- Executes dropped EXE
PID:1632 -
\??\c:\xxlrlrr.exec:\xxlrlrr.exe62⤵
- Executes dropped EXE
PID:2312 -
\??\c:\7pjvp.exec:\7pjvp.exe63⤵
- Executes dropped EXE
PID:840 -
\??\c:\60880.exec:\60880.exe64⤵
- Executes dropped EXE
PID:1652 -
\??\c:\fxxxxxl.exec:\fxxxxxl.exe65⤵
- Executes dropped EXE
PID:2380 -
\??\c:\ppjpd.exec:\ppjpd.exe66⤵
- System Location Discovery: System Language Discovery
PID:1612 -
\??\c:\hbbbnt.exec:\hbbbnt.exe67⤵PID:1644
-
\??\c:\8206828.exec:\8206828.exe68⤵PID:1588
-
\??\c:\fxxfrrf.exec:\fxxfrrf.exe69⤵PID:568
-
\??\c:\rlxfrrx.exec:\rlxfrrx.exe70⤵PID:896
-
\??\c:\xllllff.exec:\xllllff.exe71⤵PID:704
-
\??\c:\nhnhnn.exec:\nhnhnn.exe72⤵PID:1568
-
\??\c:\68444.exec:\68444.exe73⤵PID:1540
-
\??\c:\8644602.exec:\8644602.exe74⤵PID:2488
-
\??\c:\20624.exec:\20624.exe75⤵PID:2940
-
\??\c:\62028.exec:\62028.exe76⤵PID:280
-
\??\c:\686622.exec:\686622.exe77⤵PID:2188
-
\??\c:\jvjdj.exec:\jvjdj.exe78⤵PID:2140
-
\??\c:\420666.exec:\420666.exe79⤵PID:2804
-
\??\c:\thtnhb.exec:\thtnhb.exe80⤵PID:580
-
\??\c:\0800228.exec:\0800228.exe81⤵PID:2732
-
\??\c:\826622.exec:\826622.exe82⤵PID:2780
-
\??\c:\0248888.exec:\0248888.exe83⤵PID:2440
-
\??\c:\9rfflll.exec:\9rfflll.exe84⤵PID:3056
-
\??\c:\6022480.exec:\6022480.exe85⤵PID:696
-
\??\c:\26024.exec:\26024.exe86⤵PID:2816
-
\??\c:\3hnhnh.exec:\3hnhnh.exe87⤵PID:2532
-
\??\c:\hbhbhb.exec:\hbhbhb.exe88⤵PID:2696
-
\??\c:\24040.exec:\24040.exe89⤵PID:2600
-
\??\c:\k04442.exec:\k04442.exe90⤵PID:1500
-
\??\c:\868404.exec:\868404.exe91⤵PID:2252
-
\??\c:\vpjpd.exec:\vpjpd.exe92⤵PID:1576
-
\??\c:\8060066.exec:\8060066.exe93⤵PID:1224
-
\??\c:\djpdv.exec:\djpdv.exe94⤵PID:1388
-
\??\c:\080422.exec:\080422.exe95⤵PID:1860
-
\??\c:\6428628.exec:\6428628.exe96⤵PID:1656
-
\??\c:\08624.exec:\08624.exe97⤵PID:1564
-
\??\c:\60404.exec:\60404.exe98⤵PID:1640
-
\??\c:\26802.exec:\26802.exe99⤵PID:2480
-
\??\c:\2642846.exec:\2642846.exe100⤵PID:1764
-
\??\c:\nnhnbt.exec:\nnhnbt.exe101⤵PID:1452
-
\??\c:\2668608.exec:\2668608.exe102⤵PID:1064
-
\??\c:\xrxxflr.exec:\xrxxflr.exe103⤵PID:2712
-
\??\c:\42068.exec:\42068.exe104⤵PID:1524
-
\??\c:\vpddp.exec:\vpddp.exe105⤵PID:2496
-
\??\c:\vpdvd.exec:\vpdvd.exe106⤵PID:992
-
\??\c:\rfxflrx.exec:\rfxflrx.exe107⤵PID:2356
-
\??\c:\fxxrlrx.exec:\fxxrlrx.exe108⤵PID:1160
-
\??\c:\jvjpv.exec:\jvjpv.exe109⤵PID:2244
-
\??\c:\xxllxxf.exec:\xxllxxf.exe110⤵PID:1904
-
\??\c:\llffrxl.exec:\llffrxl.exe111⤵
- System Location Discovery: System Language Discovery
PID:1644 -
\??\c:\jdvdp.exec:\jdvdp.exe112⤵PID:1264
-
\??\c:\86028.exec:\86028.exe113⤵PID:2500
-
\??\c:\c640624.exec:\c640624.exe114⤵PID:2156
-
\??\c:\hhbhnn.exec:\hhbhnn.exe115⤵PID:1112
-
\??\c:\k48064.exec:\k48064.exe116⤵PID:772
-
\??\c:\xrlrflf.exec:\xrlrflf.exe117⤵PID:804
-
\??\c:\1frrxfl.exec:\1frrxfl.exe118⤵PID:2040
-
\??\c:\lfrxllr.exec:\lfrxllr.exe119⤵PID:2948
-
\??\c:\u480808.exec:\u480808.exe120⤵PID:3048
-
\??\c:\26408.exec:\26408.exe121⤵PID:3068
-
\??\c:\rlxrxxl.exec:\rlxrxxl.exe122⤵PID:3016