Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 02:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1342a8e796257cb73c1e436fd34159ca818c518e6ab41d16770c91123dd5c44.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
a1342a8e796257cb73c1e436fd34159ca818c518e6ab41d16770c91123dd5c44.exe
-
Size
456KB
-
MD5
7a41d834b51833c122ee0d96b20f92b1
-
SHA1
21a2242d0ce14ba0dc3cc4a95a79cb5ab9c49bee
-
SHA256
a1342a8e796257cb73c1e436fd34159ca818c518e6ab41d16770c91123dd5c44
-
SHA512
0f231d72bf0a306fcf900c1afd0d8a5eede5792164292f78a05d258d7315c61523bd683845cf6b13f187f29a9353d029169ddf6ccf0c55c366aa8311d427b525
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRX:q7Tc2NYHUrAwfMp3CDRX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/1740-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1136-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1108-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/376-805-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1156-695-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2724-659-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2480-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2952-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/748-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/352-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1288-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-864-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1504-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-917-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2756-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-956-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/3012-958-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2660-1005-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2676-1012-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2664-1162-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1468-1165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-1164-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2652-1225-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1704-1244-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2264-1268-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: PIDs 352, 1340, 2480 and 2984 each appear twice in this list — the sandbox reused them after the earlier process exited, so correlate events by PID together with image name and time, not by PID alone)
pid Process 1924 8082468.exe 2308 k42844.exe 2452 424066.exe 2480 pjvvd.exe 2904 6462646.exe 1288 pjvvp.exe 1260 4862002.exe 3040 9vjpd.exe 2068 206626.exe 2696 w42288.exe 2512 vpjpp.exe 336 jjddj.exe 1316 422244.exe 3004 lfxfrrl.exe 352 60802.exe 2332 4880020.exe 2984 s6620.exe 3020 7btntt.exe 1440 jdjpj.exe 2252 82626.exe 1780 60406.exe 1340 9pddp.exe 2184 ttntnn.exe 1872 bthnhh.exe 1496 lllrflx.exe 2960 268422.exe 748 ddppd.exe 2096 xxrrlfr.exe 1860 9vjjv.exe 2444 60468.exe 1652 fxxfxxl.exe 1648 rrlllrr.exe 2456 2008244.exe 2088 200820.exe 1200 a4468.exe 1596 a8284.exe 2952 86846.exe 2800 fxrlllr.exe 2924 g2242.exe 2812 5pvpv.exe 2928 tnhhnt.exe 2804 nhtbbb.exe 2936 08668.exe 2716 7bbnbh.exe 2908 m0448.exe 548 9tnhnn.exe 2412 rlxxllx.exe 2672 086688.exe 2996 xrlrlrf.exe 352 bhbnnn.exe 3016 g8028.exe 2984 1dvvv.exe 1136 jdppp.exe 2040 nhvdpd.exe 1248 3rxrrxx.exe 3056 dpjjv.exe 1340 08062.exe 2488 u802024.exe 2244 66406.exe 1108 tntntt.exe 2676 640666.exe 1532 jpddp.exe 1932 xrffrrx.exe 2056 lxlrfrx.exe -
resource yara_rule behavioral1/memory/1740-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1108-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-527-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2840-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/748-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-857-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/1504-871-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-918-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-958-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/320-959-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2660-1005-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1604-1013-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-1051-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-1118-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2936-1137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-1150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-1165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-1196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-1204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-1343-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Many entries below are attributed to "Process not Found": the process had already exited by the time the sandbox resolved the PID, so the per-process attribution of this behaviour is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhbt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8602866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4868624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (note: every write listed below goes from a parent to the child it has just spawned, matching the process tree further down, which is consistent with ordinary process creation; on its own this is corroboration of the spawn chain rather than evidence of cross-process injection)
description pid Process procid_target PID 1740 wrote to memory of 1924 1740 a1342a8e796257cb73c1e436fd34159ca818c518e6ab41d16770c91123dd5c44.exe 30 PID 1740 wrote to memory of 1924 1740 a1342a8e796257cb73c1e436fd34159ca818c518e6ab41d16770c91123dd5c44.exe 30 PID 1740 wrote to memory of 1924 1740 a1342a8e796257cb73c1e436fd34159ca818c518e6ab41d16770c91123dd5c44.exe 30 PID 1740 wrote to memory of 1924 1740 a1342a8e796257cb73c1e436fd34159ca818c518e6ab41d16770c91123dd5c44.exe 30 PID 1924 wrote to memory of 2308 1924 8082468.exe 31 PID 1924 wrote to memory of 2308 1924 8082468.exe 31 PID 1924 wrote to memory of 2308 1924 8082468.exe 31 PID 1924 wrote to memory of 2308 1924 8082468.exe 31 PID 2308 wrote to memory of 2452 2308 k42844.exe 147 PID 2308 wrote to memory of 2452 2308 k42844.exe 147 PID 2308 wrote to memory of 2452 2308 k42844.exe 147 PID 2308 wrote to memory of 2452 2308 k42844.exe 147 PID 2452 wrote to memory of 2480 2452 424066.exe 106 PID 2452 wrote to memory of 2480 2452 424066.exe 106 PID 2452 wrote to memory of 2480 2452 424066.exe 106 PID 2452 wrote to memory of 2480 2452 424066.exe 106 PID 2480 wrote to memory of 2904 2480 pjvvd.exe 34 PID 2480 wrote to memory of 2904 2480 pjvvd.exe 34 PID 2480 wrote to memory of 2904 2480 pjvvd.exe 34 PID 2480 wrote to memory of 2904 2480 pjvvd.exe 34 PID 2904 wrote to memory of 1288 2904 6462646.exe 35 PID 2904 wrote to memory of 1288 2904 6462646.exe 35 PID 2904 wrote to memory of 1288 2904 6462646.exe 35 PID 2904 wrote to memory of 1288 2904 6462646.exe 35 PID 1288 wrote to memory of 1260 1288 pjvvp.exe 36 PID 1288 wrote to memory of 1260 1288 pjvvp.exe 36 PID 1288 wrote to memory of 1260 1288 pjvvp.exe 36 PID 1288 wrote to memory of 1260 1288 pjvvp.exe 36 PID 1260 wrote to memory of 3040 1260 4862002.exe 37 PID 1260 wrote to memory of 3040 1260 4862002.exe 37 PID 1260 wrote to memory of 3040 1260 4862002.exe 37 PID 1260 wrote to memory of 3040 1260 4862002.exe 37 PID 3040 wrote to memory of 2068 3040 9vjpd.exe 38 
PID 3040 wrote to memory of 2068 3040 9vjpd.exe 38 PID 3040 wrote to memory of 2068 3040 9vjpd.exe 38 PID 3040 wrote to memory of 2068 3040 9vjpd.exe 38 PID 2068 wrote to memory of 2696 2068 206626.exe 39 PID 2068 wrote to memory of 2696 2068 206626.exe 39 PID 2068 wrote to memory of 2696 2068 206626.exe 39 PID 2068 wrote to memory of 2696 2068 206626.exe 39 PID 2696 wrote to memory of 2512 2696 w42288.exe 40 PID 2696 wrote to memory of 2512 2696 w42288.exe 40 PID 2696 wrote to memory of 2512 2696 w42288.exe 40 PID 2696 wrote to memory of 2512 2696 w42288.exe 40 PID 2512 wrote to memory of 336 2512 vpjpp.exe 41 PID 2512 wrote to memory of 336 2512 vpjpp.exe 41 PID 2512 wrote to memory of 336 2512 vpjpp.exe 41 PID 2512 wrote to memory of 336 2512 vpjpp.exe 41 PID 336 wrote to memory of 1316 336 jjddj.exe 42 PID 336 wrote to memory of 1316 336 jjddj.exe 42 PID 336 wrote to memory of 1316 336 jjddj.exe 42 PID 336 wrote to memory of 1316 336 jjddj.exe 42 PID 1316 wrote to memory of 3004 1316 422244.exe 43 PID 1316 wrote to memory of 3004 1316 422244.exe 43 PID 1316 wrote to memory of 3004 1316 422244.exe 43 PID 1316 wrote to memory of 3004 1316 422244.exe 43 PID 3004 wrote to memory of 352 3004 lfxfrrl.exe 44 PID 3004 wrote to memory of 352 3004 lfxfrrl.exe 44 PID 3004 wrote to memory of 352 3004 lfxfrrl.exe 44 PID 3004 wrote to memory of 352 3004 lfxfrrl.exe 44 PID 352 wrote to memory of 2332 352 60802.exe 45 PID 352 wrote to memory of 2332 352 60802.exe 45 PID 352 wrote to memory of 2332 352 60802.exe 45 PID 352 wrote to memory of 2332 352 60802.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1342a8e796257cb73c1e436fd34159ca818c518e6ab41d16770c91123dd5c44.exe"C:\Users\Admin\AppData\Local\Temp\a1342a8e796257cb73c1e436fd34159ca818c518e6ab41d16770c91123dd5c44.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\8082468.exec:\8082468.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\k42844.exec:\k42844.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\424066.exec:\424066.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\pjvvd.exec:\pjvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\6462646.exec:\6462646.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\pjvvp.exec:\pjvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\4862002.exec:\4862002.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\9vjpd.exec:\9vjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\206626.exec:\206626.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\w42288.exec:\w42288.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\vpjpp.exec:\vpjpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\jjddj.exec:\jjddj.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\422244.exec:\422244.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\lfxfrrl.exec:\lfxfrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\60802.exec:\60802.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:352 -
\??\c:\4880020.exec:\4880020.exe17⤵
- Executes dropped EXE
PID:2332 -
\??\c:\s6620.exec:\s6620.exe18⤵
- Executes dropped EXE
PID:2984 -
\??\c:\7btntt.exec:\7btntt.exe19⤵
- Executes dropped EXE
PID:3020 -
\??\c:\jdjpj.exec:\jdjpj.exe20⤵
- Executes dropped EXE
PID:1440 -
\??\c:\82626.exec:\82626.exe21⤵
- Executes dropped EXE
PID:2252 -
\??\c:\60406.exec:\60406.exe22⤵
- Executes dropped EXE
PID:1780 -
\??\c:\9pddp.exec:\9pddp.exe23⤵
- Executes dropped EXE
PID:1340 -
\??\c:\ttntnn.exec:\ttntnn.exe24⤵
- Executes dropped EXE
PID:2184 -
\??\c:\bthnhh.exec:\bthnhh.exe25⤵
- Executes dropped EXE
PID:1872 -
\??\c:\lllrflx.exec:\lllrflx.exe26⤵
- Executes dropped EXE
PID:1496 -
\??\c:\268422.exec:\268422.exe27⤵
- Executes dropped EXE
PID:2960 -
\??\c:\ddppd.exec:\ddppd.exe28⤵
- Executes dropped EXE
PID:748 -
\??\c:\xxrrlfr.exec:\xxrrlfr.exe29⤵
- Executes dropped EXE
PID:2096 -
\??\c:\9vjjv.exec:\9vjjv.exe30⤵
- Executes dropped EXE
PID:1860 -
\??\c:\60468.exec:\60468.exe31⤵
- Executes dropped EXE
PID:2444 -
\??\c:\fxxfxxl.exec:\fxxfxxl.exe32⤵
- Executes dropped EXE
PID:1652 -
\??\c:\rrlllrr.exec:\rrlllrr.exe33⤵
- Executes dropped EXE
PID:1648 -
\??\c:\2008244.exec:\2008244.exe34⤵
- Executes dropped EXE
PID:2456 -
\??\c:\200820.exec:\200820.exe35⤵
- Executes dropped EXE
PID:2088 -
\??\c:\a4468.exec:\a4468.exe36⤵
- Executes dropped EXE
PID:1200 -
\??\c:\a8284.exec:\a8284.exe37⤵
- Executes dropped EXE
PID:1596 -
\??\c:\86846.exec:\86846.exe38⤵
- Executes dropped EXE
PID:2952 -
\??\c:\fxrlllr.exec:\fxrlllr.exe39⤵
- Executes dropped EXE
PID:2800 -
\??\c:\g2242.exec:\g2242.exe40⤵
- Executes dropped EXE
PID:2924 -
\??\c:\5pvpv.exec:\5pvpv.exe41⤵
- Executes dropped EXE
PID:2812 -
\??\c:\tnhhnt.exec:\tnhhnt.exe42⤵
- Executes dropped EXE
PID:2928 -
\??\c:\nhtbbb.exec:\nhtbbb.exe43⤵
- Executes dropped EXE
PID:2804 -
\??\c:\08668.exec:\08668.exe44⤵
- Executes dropped EXE
PID:2936 -
\??\c:\7bbnbh.exec:\7bbnbh.exe45⤵
- Executes dropped EXE
PID:2716 -
\??\c:\m0448.exec:\m0448.exe46⤵
- Executes dropped EXE
PID:2908 -
\??\c:\9tnhnn.exec:\9tnhnn.exe47⤵
- Executes dropped EXE
PID:548 -
\??\c:\rlxxllx.exec:\rlxxllx.exe48⤵
- Executes dropped EXE
PID:2412 -
\??\c:\086688.exec:\086688.exe49⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xrlrlrf.exec:\xrlrlrf.exe50⤵
- Executes dropped EXE
PID:2996 -
\??\c:\bhbnnn.exec:\bhbnnn.exe51⤵
- Executes dropped EXE
PID:352 -
\??\c:\g8028.exec:\g8028.exe52⤵
- Executes dropped EXE
PID:3016 -
\??\c:\1dvvv.exec:\1dvvv.exe53⤵
- Executes dropped EXE
PID:2984 -
\??\c:\jdppp.exec:\jdppp.exe54⤵
- Executes dropped EXE
PID:1136 -
\??\c:\nhvdpd.exec:\nhvdpd.exe55⤵
- Executes dropped EXE
PID:2040 -
\??\c:\3rxrrxx.exec:\3rxrrxx.exe56⤵
- Executes dropped EXE
PID:1248 -
\??\c:\dpjjv.exec:\dpjjv.exe57⤵
- Executes dropped EXE
PID:3056 -
\??\c:\08062.exec:\08062.exe58⤵
- Executes dropped EXE
PID:1340 -
\??\c:\u802024.exec:\u802024.exe59⤵
- Executes dropped EXE
PID:2488 -
\??\c:\66406.exec:\66406.exe60⤵
- Executes dropped EXE
PID:2244 -
\??\c:\tntntt.exec:\tntntt.exe61⤵
- Executes dropped EXE
PID:1108 -
\??\c:\640666.exec:\640666.exe62⤵
- Executes dropped EXE
PID:2676 -
\??\c:\jpddp.exec:\jpddp.exe63⤵
- Executes dropped EXE
PID:1532 -
\??\c:\xrffrrx.exec:\xrffrrx.exe64⤵
- Executes dropped EXE
PID:1932 -
\??\c:\lxlrfrx.exec:\lxlrfrx.exe65⤵
- Executes dropped EXE
PID:2056 -
\??\c:\5lffxxf.exec:\5lffxxf.exe66⤵PID:732
-
\??\c:\hbhhht.exec:\hbhhht.exe67⤵PID:2408
-
\??\c:\420066.exec:\420066.exe68⤵PID:1472
-
\??\c:\rxxrrfx.exec:\rxxrrfx.exe69⤵PID:1476
-
\??\c:\thbthh.exec:\thbthh.exe70⤵PID:2840
-
\??\c:\48242.exec:\48242.exe71⤵PID:1736
-
\??\c:\864426.exec:\864426.exe72⤵PID:1900
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe73⤵PID:2312
-
\??\c:\60446.exec:\60446.exe74⤵PID:1724
-
\??\c:\rllxrxf.exec:\rllxrxf.exe75⤵PID:1588
-
\??\c:\s4808.exec:\s4808.exe76⤵PID:2104
-
\??\c:\646800.exec:\646800.exe77⤵PID:2792
-
\??\c:\608462.exec:\608462.exe78⤵PID:2480
-
\??\c:\4240284.exec:\4240284.exe79⤵PID:2900
-
\??\c:\266800.exec:\266800.exe80⤵PID:1792
-
\??\c:\7vpjj.exec:\7vpjj.exe81⤵PID:2860
-
\??\c:\bbnnht.exec:\bbnnht.exe82⤵PID:308
-
\??\c:\jdvdj.exec:\jdvdj.exe83⤵PID:2688
-
\??\c:\u422284.exec:\u422284.exe84⤵PID:2340
-
\??\c:\vpppd.exec:\vpppd.exe85⤵PID:2740
-
\??\c:\xfxlflx.exec:\xfxlflx.exe86⤵PID:2712
-
\??\c:\jdvvj.exec:\jdvvj.exe87⤵PID:2508
-
\??\c:\82686.exec:\82686.exe88⤵PID:2380
-
\??\c:\dpdvd.exec:\dpdvd.exe89⤵PID:2496
-
\??\c:\jvjjv.exec:\jvjjv.exe90⤵PID:2412
-
\??\c:\080026.exec:\080026.exe91⤵PID:576
-
\??\c:\s4006.exec:\s4006.exe92⤵PID:1572
-
\??\c:\vvjjv.exec:\vvjjv.exe93⤵PID:2724
-
\??\c:\s0886.exec:\s0886.exe94⤵PID:536
-
\??\c:\w68288.exec:\w68288.exe95⤵PID:3020
-
\??\c:\nbtbtn.exec:\nbtbtn.exe96⤵PID:1808
-
\??\c:\9pdjp.exec:\9pdjp.exe97⤵PID:1440
-
\??\c:\042244.exec:\042244.exe98⤵PID:1156
-
\??\c:\s2440.exec:\s2440.exe99⤵PID:484
-
\??\c:\pdppv.exec:\pdppv.exe100⤵PID:1780
-
\??\c:\1thnbh.exec:\1thnbh.exe101⤵
- System Location Discovery: System Language Discovery
PID:2344 -
\??\c:\3hbtth.exec:\3hbtth.exe102⤵PID:1296
-
\??\c:\868246.exec:\868246.exe103⤵PID:1140
-
\??\c:\04884.exec:\04884.exe104⤵PID:2700
-
\??\c:\jdvvp.exec:\jdvvp.exe105⤵PID:1896
-
\??\c:\886868.exec:\886868.exe106⤵PID:1040
-
\??\c:\046244.exec:\046244.exe107⤵PID:1084
-
\??\c:\64822.exec:\64822.exe108⤵PID:792
-
\??\c:\tnhbnn.exec:\tnhbnn.exe109⤵PID:2468
-
\??\c:\tntttt.exec:\tntttt.exe110⤵PID:1936
-
\??\c:\dvjvj.exec:\dvjvj.exe111⤵PID:1880
-
\??\c:\4828002.exec:\4828002.exe112⤵PID:1840
-
\??\c:\dvddp.exec:\dvddp.exe113⤵PID:2156
-
\??\c:\3vddv.exec:\3vddv.exe114⤵PID:2088
-
\??\c:\80440.exec:\80440.exe115⤵PID:376
-
\??\c:\rlxxxrr.exec:\rlxxxrr.exe116⤵PID:3024
-
\??\c:\6424064.exec:\6424064.exe117⤵PID:1976
-
\??\c:\0642028.exec:\0642028.exe118⤵PID:1708
-
\??\c:\e24424.exec:\e24424.exe119⤵PID:2452
-
\??\c:\82406.exec:\82406.exe120⤵PID:2552
-
\??\c:\rlfxllr.exec:\rlfxllr.exe121⤵PID:2764
-
\??\c:\thbhtt.exec:\thbhtt.exe122⤵PID:2132
-