Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 22:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4ee79618b9f2732350b2790a9e232bf1d8d97dab6abca7be2a03a3af0d303193.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
4ee79618b9f2732350b2790a9e232bf1d8d97dab6abca7be2a03a3af0d303193.exe
-
Size
454KB
-
MD5
e61a6c2617ee83045b0032408266b0d7
-
SHA1
481f05aca114973d440ee369b52dd6230bb7e001
-
SHA256
4ee79618b9f2732350b2790a9e232bf1d8d97dab6abca7be2a03a3af0d303193
-
SHA512
be1cd7811c30d0d66e3bf426c7efcb8399b264abbe3e67ed3c12b6e1cf5d07a96e2be2dfffbde34e63d8ffd0e0b31ada31e00c20ec9af01ccda3e3475f0ff9a1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2320-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-91-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-109-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2716-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/936-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2008-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-147-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2528-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1400-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/296-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1288-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-455-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1976-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-1153-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2492-1161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-1196-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2608-1236-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2608-1237-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2608-1258-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2224-1269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1964 ddvdp.exe 2324 080644.exe 1616 btthtt.exe 2288 64200.exe 2424 xrfxfxf.exe 1644 hhtbnn.exe 2768 26846.exe 2436 g2626.exe 2848 1vvdd.exe 2904 9vvdp.exe 2816 m8062.exe 2716 lfrrffr.exe 2580 1jdpd.exe 2528 btbbnn.exe 2236 4648428.exe 1696 w68400.exe 2008 08066.exe 1444 k80026.exe 844 4688888.exe 2664 jdppd.exe 2928 ppvpv.exe 1124 2400440.exe 2792 4204606.exe 2504 6404004.exe 1236 bnbbnn.exe 2024 9flxfff.exe 1780 68406.exe 1800 rrfflfl.exe 2012 e24848.exe 2104 080644.exe 2448 424466.exe 768 6840262.exe 2244 w80664.exe 1856 9bnhnn.exe 2532 hbnntt.exe 2280 860000.exe 2252 64000.exe 2660 hnbttn.exe 2288 fxfrfxf.exe 936 86000.exe 1860 dvddj.exe 3012 86222.exe 2364 c200488.exe 2768 rlrrlll.exe 2852 q08804.exe 2840 864848.exe 2584 vpvpd.exe 2772 q46684.exe 2740 88402.exe 2612 8246662.exe 2576 htbtbb.exe 2632 04280.exe 1400 jpvjj.exe 1808 5jvpd.exe 296 m4666.exe 1748 844620.exe 1276 rlxrlxf.exe 1288 3xlfrrx.exe 2912 08620.exe 2896 nbhhhb.exe 1812 6804484.exe 1976 3nbttn.exe 3048 jvdjp.exe 1744 dpddd.exe -
resource yara_rule behavioral1/memory/2320-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-91-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2848-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2236-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-147-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2528-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-869-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-882-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-889-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-1060-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1720-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-1086-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-1147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-1161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-1223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-1269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-1276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-1289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-1308-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q42422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 682660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i246880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0466440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lllxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2320 wrote to memory of 1964 2320 4ee79618b9f2732350b2790a9e232bf1d8d97dab6abca7be2a03a3af0d303193.exe 28 PID 2320 wrote to memory of 1964 2320 4ee79618b9f2732350b2790a9e232bf1d8d97dab6abca7be2a03a3af0d303193.exe 28 PID 2320 wrote to memory of 1964 2320 4ee79618b9f2732350b2790a9e232bf1d8d97dab6abca7be2a03a3af0d303193.exe 28 PID 2320 wrote to memory of 1964 2320 4ee79618b9f2732350b2790a9e232bf1d8d97dab6abca7be2a03a3af0d303193.exe 28 PID 1964 wrote to memory of 2324 1964 ddvdp.exe 29 PID 1964 wrote to memory of 2324 1964 ddvdp.exe 29 PID 1964 wrote to memory of 2324 1964 ddvdp.exe 29 PID 1964 wrote to memory of 2324 1964 ddvdp.exe 29 PID 2324 wrote to memory of 1616 2324 080644.exe 30 PID 2324 wrote to memory of 1616 2324 080644.exe 30 PID 2324 wrote to memory of 1616 2324 080644.exe 30 PID 2324 wrote to memory of 1616 2324 080644.exe 30 PID 1616 wrote to memory of 2288 1616 btthtt.exe 31 PID 1616 wrote to memory of 2288 1616 btthtt.exe 31 PID 1616 wrote to memory of 2288 1616 btthtt.exe 31 PID 1616 wrote to memory of 2288 1616 btthtt.exe 31 PID 2288 wrote to memory of 2424 2288 64200.exe 32 PID 2288 wrote to memory of 2424 2288 64200.exe 32 PID 2288 wrote to memory of 2424 2288 64200.exe 32 PID 2288 wrote to memory of 2424 2288 64200.exe 32 PID 2424 wrote to memory of 1644 2424 xrfxfxf.exe 33 PID 2424 wrote to memory of 1644 2424 xrfxfxf.exe 33 PID 2424 wrote to memory of 1644 2424 xrfxfxf.exe 33 PID 2424 wrote to memory of 1644 2424 xrfxfxf.exe 33 PID 1644 wrote to memory of 2768 1644 hhtbnn.exe 34 PID 1644 wrote to memory of 2768 1644 hhtbnn.exe 34 PID 1644 wrote to memory of 2768 1644 hhtbnn.exe 34 PID 1644 wrote to memory of 2768 1644 hhtbnn.exe 34 PID 2768 wrote to memory of 2436 2768 26846.exe 35 PID 2768 wrote to memory of 2436 2768 26846.exe 35 PID 2768 wrote to memory of 2436 2768 26846.exe 35 PID 2768 wrote to memory of 2436 2768 26846.exe 35 PID 2436 wrote to memory of 2848 2436 g2626.exe 36 PID 2436 wrote to 
memory of 2848 2436 g2626.exe 36 PID 2436 wrote to memory of 2848 2436 g2626.exe 36 PID 2436 wrote to memory of 2848 2436 g2626.exe 36 PID 2848 wrote to memory of 2904 2848 1vvdd.exe 37 PID 2848 wrote to memory of 2904 2848 1vvdd.exe 37 PID 2848 wrote to memory of 2904 2848 1vvdd.exe 37 PID 2848 wrote to memory of 2904 2848 1vvdd.exe 37 PID 2904 wrote to memory of 2816 2904 9vvdp.exe 38 PID 2904 wrote to memory of 2816 2904 9vvdp.exe 38 PID 2904 wrote to memory of 2816 2904 9vvdp.exe 38 PID 2904 wrote to memory of 2816 2904 9vvdp.exe 38 PID 2816 wrote to memory of 2716 2816 m8062.exe 39 PID 2816 wrote to memory of 2716 2816 m8062.exe 39 PID 2816 wrote to memory of 2716 2816 m8062.exe 39 PID 2816 wrote to memory of 2716 2816 m8062.exe 39 PID 2716 wrote to memory of 2580 2716 lfrrffr.exe 40 PID 2716 wrote to memory of 2580 2716 lfrrffr.exe 40 PID 2716 wrote to memory of 2580 2716 lfrrffr.exe 40 PID 2716 wrote to memory of 2580 2716 lfrrffr.exe 40 PID 2580 wrote to memory of 2528 2580 1jdpd.exe 43 PID 2580 wrote to memory of 2528 2580 1jdpd.exe 43 PID 2580 wrote to memory of 2528 2580 1jdpd.exe 43 PID 2580 wrote to memory of 2528 2580 1jdpd.exe 43 PID 2528 wrote to memory of 2236 2528 btbbnn.exe 44 PID 2528 wrote to memory of 2236 2528 btbbnn.exe 44 PID 2528 wrote to memory of 2236 2528 btbbnn.exe 44 PID 2528 wrote to memory of 2236 2528 btbbnn.exe 44 PID 2236 wrote to memory of 1696 2236 4648428.exe 45 PID 2236 wrote to memory of 1696 2236 4648428.exe 45 PID 2236 wrote to memory of 1696 2236 4648428.exe 45 PID 2236 wrote to memory of 1696 2236 4648428.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ee79618b9f2732350b2790a9e232bf1d8d97dab6abca7be2a03a3af0d303193.exe"C:\Users\Admin\AppData\Local\Temp\4ee79618b9f2732350b2790a9e232bf1d8d97dab6abca7be2a03a3af0d303193.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\ddvdp.exec:\ddvdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\080644.exec:\080644.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\btthtt.exec:\btthtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\64200.exec:\64200.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\xrfxfxf.exec:\xrfxfxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\hhtbnn.exec:\hhtbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\26846.exec:\26846.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\g2626.exec:\g2626.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\1vvdd.exec:\1vvdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\9vvdp.exec:\9vvdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\m8062.exec:\m8062.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\lfrrffr.exec:\lfrrffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\1jdpd.exec:\1jdpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\btbbnn.exec:\btbbnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\4648428.exec:\4648428.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\w68400.exec:\w68400.exe17⤵
- Executes dropped EXE
PID:1696 -
\??\c:\08066.exec:\08066.exe18⤵
- Executes dropped EXE
PID:2008 -
\??\c:\k80026.exec:\k80026.exe19⤵
- Executes dropped EXE
PID:1444 -
\??\c:\4688888.exec:\4688888.exe20⤵
- Executes dropped EXE
PID:844 -
\??\c:\jdppd.exec:\jdppd.exe21⤵
- Executes dropped EXE
PID:2664 -
\??\c:\ppvpv.exec:\ppvpv.exe22⤵
- Executes dropped EXE
PID:2928 -
\??\c:\2400440.exec:\2400440.exe23⤵
- Executes dropped EXE
PID:1124 -
\??\c:\4204606.exec:\4204606.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792 -
\??\c:\6404004.exec:\6404004.exe25⤵
- Executes dropped EXE
PID:2504 -
\??\c:\bnbbnn.exec:\bnbbnn.exe26⤵
- Executes dropped EXE
PID:1236 -
\??\c:\9flxfff.exec:\9flxfff.exe27⤵
- Executes dropped EXE
PID:2024 -
\??\c:\68406.exec:\68406.exe28⤵
- Executes dropped EXE
PID:1780 -
\??\c:\rrfflfl.exec:\rrfflfl.exe29⤵
- Executes dropped EXE
PID:1800 -
\??\c:\e24848.exec:\e24848.exe30⤵
- Executes dropped EXE
PID:2012 -
\??\c:\080644.exec:\080644.exe31⤵
- Executes dropped EXE
PID:2104 -
\??\c:\424466.exec:\424466.exe32⤵
- Executes dropped EXE
PID:2448 -
\??\c:\6840262.exec:\6840262.exe33⤵
- Executes dropped EXE
PID:768 -
\??\c:\w80664.exec:\w80664.exe34⤵
- Executes dropped EXE
PID:2244 -
\??\c:\9bnhnn.exec:\9bnhnn.exe35⤵
- Executes dropped EXE
PID:1856 -
\??\c:\hbnntt.exec:\hbnntt.exe36⤵
- Executes dropped EXE
PID:2532 -
\??\c:\860000.exec:\860000.exe37⤵
- Executes dropped EXE
PID:2280 -
\??\c:\64000.exec:\64000.exe38⤵
- Executes dropped EXE
PID:2252 -
\??\c:\hnbttn.exec:\hnbttn.exe39⤵
- Executes dropped EXE
PID:2660 -
\??\c:\fxfrfxf.exec:\fxfrfxf.exe40⤵
- Executes dropped EXE
PID:2288 -
\??\c:\86000.exec:\86000.exe41⤵
- Executes dropped EXE
PID:936 -
\??\c:\dvddj.exec:\dvddj.exe42⤵
- Executes dropped EXE
PID:1860 -
\??\c:\86222.exec:\86222.exe43⤵
- Executes dropped EXE
PID:3012 -
\??\c:\c200488.exec:\c200488.exe44⤵
- Executes dropped EXE
PID:2364 -
\??\c:\rlrrlll.exec:\rlrrlll.exe45⤵
- Executes dropped EXE
PID:2768 -
\??\c:\q08804.exec:\q08804.exe46⤵
- Executes dropped EXE
PID:2852 -
\??\c:\864848.exec:\864848.exe47⤵
- Executes dropped EXE
PID:2840 -
\??\c:\vpvpd.exec:\vpvpd.exe48⤵
- Executes dropped EXE
PID:2584 -
\??\c:\q46684.exec:\q46684.exe49⤵
- Executes dropped EXE
PID:2772 -
\??\c:\88402.exec:\88402.exe50⤵
- Executes dropped EXE
PID:2740 -
\??\c:\8246662.exec:\8246662.exe51⤵
- Executes dropped EXE
PID:2612 -
\??\c:\htbtbb.exec:\htbtbb.exe52⤵
- Executes dropped EXE
PID:2576 -
\??\c:\04280.exec:\04280.exe53⤵
- Executes dropped EXE
PID:2632 -
\??\c:\jpvjj.exec:\jpvjj.exe54⤵
- Executes dropped EXE
PID:1400 -
\??\c:\5jvpd.exec:\5jvpd.exe55⤵
- Executes dropped EXE
PID:1808 -
\??\c:\m4666.exec:\m4666.exe56⤵
- Executes dropped EXE
PID:296 -
\??\c:\844620.exec:\844620.exe57⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rlxrlxf.exec:\rlxrlxf.exe58⤵
- Executes dropped EXE
PID:1276 -
\??\c:\3xlfrrx.exec:\3xlfrrx.exe59⤵
- Executes dropped EXE
PID:1288 -
\??\c:\08620.exec:\08620.exe60⤵
- Executes dropped EXE
PID:2912 -
\??\c:\nbhhhb.exec:\nbhhhb.exe61⤵
- Executes dropped EXE
PID:2896 -
\??\c:\6804484.exec:\6804484.exe62⤵
- Executes dropped EXE
PID:1812 -
\??\c:\3nbttn.exec:\3nbttn.exe63⤵
- Executes dropped EXE
PID:1976 -
\??\c:\jvdjp.exec:\jvdjp.exe64⤵
- Executes dropped EXE
PID:3048 -
\??\c:\dpddd.exec:\dpddd.exe65⤵
- Executes dropped EXE
PID:1744 -
\??\c:\jdvpv.exec:\jdvpv.exe66⤵PID:1780
-
\??\c:\480682.exec:\480682.exe67⤵PID:2760
-
\??\c:\a2620.exec:\a2620.exe68⤵PID:1632
-
\??\c:\e08028.exec:\e08028.exe69⤵PID:2484
-
\??\c:\602808.exec:\602808.exe70⤵PID:1100
-
\??\c:\dddjv.exec:\dddjv.exe71⤵PID:3032
-
\??\c:\w60062.exec:\w60062.exe72⤵PID:536
-
\??\c:\62024.exec:\62024.exe73⤵PID:484
-
\??\c:\xrxfllx.exec:\xrxfllx.exe74⤵PID:556
-
\??\c:\jdvdp.exec:\jdvdp.exe75⤵PID:1572
-
\??\c:\82646.exec:\82646.exe76⤵PID:1580
-
\??\c:\frffllx.exec:\frffllx.exe77⤵PID:3060
-
\??\c:\42406.exec:\42406.exe78⤵PID:3016
-
\??\c:\e20688.exec:\e20688.exe79⤵PID:2288
-
\??\c:\hbtbnn.exec:\hbtbnn.exe80⤵PID:2060
-
\??\c:\e24640.exec:\e24640.exe81⤵PID:1496
-
\??\c:\3flxrxf.exec:\3flxrxf.exe82⤵PID:2488
-
\??\c:\86062.exec:\86062.exe83⤵PID:2392
-
\??\c:\4262002.exec:\4262002.exe84⤵PID:1532
-
\??\c:\086200.exec:\086200.exe85⤵PID:1940
-
\??\c:\424462.exec:\424462.exe86⤵PID:540
-
\??\c:\482284.exec:\482284.exe87⤵PID:2436
-
\??\c:\1xxrfxf.exec:\1xxrfxf.exe88⤵PID:2844
-
\??\c:\080026.exec:\080026.exe89⤵PID:2772
-
\??\c:\1tbbtt.exec:\1tbbtt.exe90⤵PID:3020
-
\??\c:\tntbhn.exec:\tntbhn.exe91⤵PID:2740
-
\??\c:\0400606.exec:\0400606.exe92⤵PID:2816
-
\??\c:\46480.exec:\46480.exe93⤵PID:2260
-
\??\c:\frxrflx.exec:\frxrflx.exe94⤵PID:2072
-
\??\c:\thbhnb.exec:\thbhnb.exe95⤵PID:2692
-
\??\c:\8248822.exec:\8248822.exe96⤵PID:2580
-
\??\c:\86006.exec:\86006.exe97⤵PID:2628
-
\??\c:\s0062.exec:\s0062.exe98⤵PID:1488
-
\??\c:\2642284.exec:\2642284.exe99⤵PID:2028
-
\??\c:\0462840.exec:\0462840.exe100⤵PID:1696
-
\??\c:\6040284.exec:\6040284.exe101⤵PID:1016
-
\??\c:\3hnntb.exec:\3hnntb.exe102⤵PID:1048
-
\??\c:\ppvdp.exec:\ppvdp.exe103⤵PID:340
-
\??\c:\208808.exec:\208808.exe104⤵PID:2960
-
\??\c:\6002664.exec:\6002664.exe105⤵PID:2956
-
\??\c:\bntntn.exec:\bntntn.exe106⤵PID:2232
-
\??\c:\20406.exec:\20406.exe107⤵PID:1864
-
\??\c:\646282.exec:\646282.exe108⤵PID:1924
-
\??\c:\086840.exec:\086840.exe109⤵PID:892
-
\??\c:\tthtbt.exec:\tthtbt.exe110⤵PID:1744
-
\??\c:\9xxllxf.exec:\9xxllxf.exe111⤵PID:612
-
\??\c:\20628.exec:\20628.exe112⤵PID:1516
-
\??\c:\xffrrlf.exec:\xffrrlf.exe113⤵PID:832
-
\??\c:\86884.exec:\86884.exe114⤵PID:1240
-
\??\c:\bhnhhn.exec:\bhnhhn.exe115⤵PID:1992
-
\??\c:\464844.exec:\464844.exe116⤵PID:3044
-
\??\c:\pddvd.exec:\pddvd.exe117⤵PID:876
-
\??\c:\w42282.exec:\w42282.exe118⤵PID:2396
-
\??\c:\080066.exec:\080066.exe119⤵PID:2916
-
\??\c:\9xffxxl.exec:\9xffxxl.exe120⤵PID:556
-
\??\c:\m6402.exec:\m6402.exe121⤵PID:2268
-
\??\c:\ppjjp.exec:\ppjjp.exe122⤵PID:2264