Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 04:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d2dda98ad11b654e8df102a4c5593365f511518c2aa083b6089e6a3c127055dc.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
d2dda98ad11b654e8df102a4c5593365f511518c2aa083b6089e6a3c127055dc.exe
-
Size
453KB
-
MD5
911f89c030b7394afdb834ff214ed659
-
SHA1
7246c29de14af24944732cd9758714e7a9c0f49e
-
SHA256
d2dda98ad11b654e8df102a4c5593365f511518c2aa083b6089e6a3c127055dc
-
SHA512
036ba60b9bcee1154b33c79fd44333000a1c283c3f13c140dac187a5d1888b57e39c889456ece3a0ebfcdc2f6f9e75f4d9baf75cef4b0259645ae019dc76d932
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/1556-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-47-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2444-45-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2444-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-56-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2800-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-172-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1604-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-178-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2148-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-188-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon 
behavioral1/memory/2784-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-220-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-240-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/748-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/564-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-299-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1528-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1344-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1176-497-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1688-524-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2328-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-722-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2180-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1404-787-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1780-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-837-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1420-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-956-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1736-969-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1840-1019-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1272-1037-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1460-1046-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1516-1093-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/752-1122-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2280 dvppd.exe 1832 rrfllxf.exe 1668 rrxlfrx.exe 2444 pdddj.exe 2800 pdpjp.exe 3016 xlrlrrf.exe 2916 s0288.exe 2728 1tbttt.exe 2592 thtthn.exe 2668 lllrlxl.exe 2432 jddjv.exe 784 8204484.exe 1980 hbbhnt.exe 112 o822880.exe 2012 m6828.exe 1604 2406602.exe 1852 vjdjv.exe 2852 e80026.exe 2148 8628408.exe 2784 08482.exe 2152 86222.exe 2332 608466.exe 2568 08066.exe 1940 42064.exe 748 e46200.exe 2448 9pddp.exe 544 bththh.exe 2936 lxlfrlr.exe 564 xrfffrx.exe 880 k40004.exe 2556 hhtbhn.exe 2508 7pdvv.exe 904 3lfxrrx.exe 1528 28864.exe 2232 28422.exe 2700 nbbhtb.exe 2788 1pvpv.exe 2796 jdppp.exe 2904 xfxrrrr.exe 2724 3pvvj.exe 2756 lflrflx.exe 2616 flfrrxf.exe 2728 ddjjp.exe 1596 60488.exe 2184 pdppp.exe 2640 c028040.exe 2432 c422828.exe 1996 rrxxxxl.exe 1716 jpdpv.exe 2644 jdpdv.exe 112 4662402.exe 1344 860206.exe 1200 0488484.exe 1700 5jddj.exe 2864 804428.exe 2852 04082.exe 2172 pjvdj.exe 1124 6684668.exe 3036 jdddp.exe 3044 0204446.exe 1176 486284.exe 1416 66686.exe 1928 e46222.exe 892 g0840.exe -
resource yara_rule behavioral1/memory/1556-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-45-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2444-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/748-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-321-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2232-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-507-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2328-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-710-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2180-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-787-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1780-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-837-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/752-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-869-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2700-882-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-956-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1736-969-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1840-1019-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1460-1039-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-1071-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-1093-0x00000000001B0000-0x00000000001DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k62282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e46222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0026824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0488686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w68840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0866228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1556 wrote to memory of 2280 1556 d2dda98ad11b654e8df102a4c5593365f511518c2aa083b6089e6a3c127055dc.exe 30 PID 1556 wrote to memory of 2280 1556 d2dda98ad11b654e8df102a4c5593365f511518c2aa083b6089e6a3c127055dc.exe 30 PID 1556 wrote to memory of 2280 1556 d2dda98ad11b654e8df102a4c5593365f511518c2aa083b6089e6a3c127055dc.exe 30 PID 1556 wrote to memory of 2280 1556 d2dda98ad11b654e8df102a4c5593365f511518c2aa083b6089e6a3c127055dc.exe 30 PID 2280 wrote to memory of 1832 2280 dvppd.exe 31 PID 2280 wrote to memory of 1832 2280 dvppd.exe 31 PID 2280 wrote to memory of 1832 2280 dvppd.exe 31 PID 2280 wrote to memory of 1832 2280 dvppd.exe 31 PID 1832 wrote to memory of 1668 1832 rrfllxf.exe 32 PID 1832 wrote to memory of 1668 1832 rrfllxf.exe 32 PID 1832 wrote to memory of 1668 1832 rrfllxf.exe 32 PID 1832 wrote to memory of 1668 1832 rrfllxf.exe 32 PID 1668 wrote to memory of 2444 1668 rrxlfrx.exe 33 PID 1668 wrote to memory of 2444 1668 rrxlfrx.exe 33 PID 1668 wrote to memory of 2444 1668 rrxlfrx.exe 33 PID 1668 wrote to memory of 2444 1668 rrxlfrx.exe 33 PID 2444 wrote to memory of 2800 2444 pdddj.exe 34 PID 2444 wrote to memory of 2800 2444 pdddj.exe 34 PID 2444 wrote to memory of 2800 2444 pdddj.exe 34 PID 2444 wrote to memory of 2800 2444 pdddj.exe 34 PID 2800 wrote to memory of 3016 2800 pdpjp.exe 35 PID 2800 wrote to memory of 3016 2800 pdpjp.exe 35 PID 2800 wrote to memory of 3016 2800 pdpjp.exe 35 PID 2800 wrote to memory of 3016 2800 pdpjp.exe 35 PID 3016 wrote to memory of 2916 3016 xlrlrrf.exe 36 PID 3016 wrote to memory of 2916 3016 xlrlrrf.exe 36 PID 3016 wrote to memory of 2916 3016 xlrlrrf.exe 36 PID 3016 wrote to memory of 2916 3016 xlrlrrf.exe 36 PID 2916 wrote to memory of 2728 2916 s0288.exe 37 PID 2916 wrote to memory of 2728 2916 s0288.exe 37 PID 2916 wrote to memory of 2728 2916 s0288.exe 37 PID 2916 wrote to memory of 2728 2916 s0288.exe 37 PID 2728 wrote to memory of 2592 2728 1tbttt.exe 38 PID 2728 wrote to 
memory of 2592 2728 1tbttt.exe 38 PID 2728 wrote to memory of 2592 2728 1tbttt.exe 38 PID 2728 wrote to memory of 2592 2728 1tbttt.exe 38 PID 2592 wrote to memory of 2668 2592 thtthn.exe 39 PID 2592 wrote to memory of 2668 2592 thtthn.exe 39 PID 2592 wrote to memory of 2668 2592 thtthn.exe 39 PID 2592 wrote to memory of 2668 2592 thtthn.exe 39 PID 2668 wrote to memory of 2432 2668 lllrlxl.exe 40 PID 2668 wrote to memory of 2432 2668 lllrlxl.exe 40 PID 2668 wrote to memory of 2432 2668 lllrlxl.exe 40 PID 2668 wrote to memory of 2432 2668 lllrlxl.exe 40 PID 2432 wrote to memory of 784 2432 jddjv.exe 41 PID 2432 wrote to memory of 784 2432 jddjv.exe 41 PID 2432 wrote to memory of 784 2432 jddjv.exe 41 PID 2432 wrote to memory of 784 2432 jddjv.exe 41 PID 784 wrote to memory of 1980 784 8204484.exe 42 PID 784 wrote to memory of 1980 784 8204484.exe 42 PID 784 wrote to memory of 1980 784 8204484.exe 42 PID 784 wrote to memory of 1980 784 8204484.exe 42 PID 1980 wrote to memory of 112 1980 hbbhnt.exe 80 PID 1980 wrote to memory of 112 1980 hbbhnt.exe 80 PID 1980 wrote to memory of 112 1980 hbbhnt.exe 80 PID 1980 wrote to memory of 112 1980 hbbhnt.exe 80 PID 112 wrote to memory of 2012 112 o822880.exe 44 PID 112 wrote to memory of 2012 112 o822880.exe 44 PID 112 wrote to memory of 2012 112 o822880.exe 44 PID 112 wrote to memory of 2012 112 o822880.exe 44 PID 2012 wrote to memory of 1604 2012 m6828.exe 45 PID 2012 wrote to memory of 1604 2012 m6828.exe 45 PID 2012 wrote to memory of 1604 2012 m6828.exe 45 PID 2012 wrote to memory of 1604 2012 m6828.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2dda98ad11b654e8df102a4c5593365f511518c2aa083b6089e6a3c127055dc.exe"C:\Users\Admin\AppData\Local\Temp\d2dda98ad11b654e8df102a4c5593365f511518c2aa083b6089e6a3c127055dc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\dvppd.exec:\dvppd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\rrfllxf.exec:\rrfllxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\rrxlfrx.exec:\rrxlfrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\pdddj.exec:\pdddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\pdpjp.exec:\pdpjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\xlrlrrf.exec:\xlrlrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\s0288.exec:\s0288.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\1tbttt.exec:\1tbttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\thtthn.exec:\thtthn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\lllrlxl.exec:\lllrlxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\jddjv.exec:\jddjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\8204484.exec:\8204484.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\hbbhnt.exec:\hbbhnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\o822880.exec:\o822880.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\m6828.exec:\m6828.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\2406602.exec:\2406602.exe17⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vjdjv.exec:\vjdjv.exe18⤵
- Executes dropped EXE
PID:1852 -
\??\c:\e80026.exec:\e80026.exe19⤵
- Executes dropped EXE
PID:2852 -
\??\c:\8628408.exec:\8628408.exe20⤵
- Executes dropped EXE
PID:2148 -
\??\c:\08482.exec:\08482.exe21⤵
- Executes dropped EXE
PID:2784 -
\??\c:\86222.exec:\86222.exe22⤵
- Executes dropped EXE
PID:2152 -
\??\c:\608466.exec:\608466.exe23⤵
- Executes dropped EXE
PID:2332 -
\??\c:\08066.exec:\08066.exe24⤵
- Executes dropped EXE
PID:2568 -
\??\c:\42064.exec:\42064.exe25⤵
- Executes dropped EXE
PID:1940 -
\??\c:\e46200.exec:\e46200.exe26⤵
- Executes dropped EXE
PID:748 -
\??\c:\9pddp.exec:\9pddp.exe27⤵
- Executes dropped EXE
PID:2448 -
\??\c:\bththh.exec:\bththh.exe28⤵
- Executes dropped EXE
PID:544 -
\??\c:\lxlfrlr.exec:\lxlfrlr.exe29⤵
- Executes dropped EXE
PID:2936 -
\??\c:\xrfffrx.exec:\xrfffrx.exe30⤵
- Executes dropped EXE
PID:564 -
\??\c:\k40004.exec:\k40004.exe31⤵
- Executes dropped EXE
PID:880 -
\??\c:\hhtbhn.exec:\hhtbhn.exe32⤵
- Executes dropped EXE
PID:2556 -
\??\c:\7pdvv.exec:\7pdvv.exe33⤵
- Executes dropped EXE
PID:2508 -
\??\c:\3lfxrrx.exec:\3lfxrrx.exe34⤵
- Executes dropped EXE
PID:904 -
\??\c:\28864.exec:\28864.exe35⤵
- Executes dropped EXE
PID:1528 -
\??\c:\28422.exec:\28422.exe36⤵
- Executes dropped EXE
PID:2232 -
\??\c:\nbbhtb.exec:\nbbhtb.exe37⤵
- Executes dropped EXE
PID:2700 -
\??\c:\1pvpv.exec:\1pvpv.exe38⤵
- Executes dropped EXE
PID:2788 -
\??\c:\jdppp.exec:\jdppp.exe39⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xfxrrrr.exec:\xfxrrrr.exe40⤵
- Executes dropped EXE
PID:2904 -
\??\c:\3pvvj.exec:\3pvvj.exe41⤵
- Executes dropped EXE
PID:2724 -
\??\c:\lflrflx.exec:\lflrflx.exe42⤵
- Executes dropped EXE
PID:2756 -
\??\c:\flfrrxf.exec:\flfrrxf.exe43⤵
- Executes dropped EXE
PID:2616 -
\??\c:\ddjjp.exec:\ddjjp.exe44⤵
- Executes dropped EXE
PID:2728 -
\??\c:\60488.exec:\60488.exe45⤵
- Executes dropped EXE
PID:1596 -
\??\c:\pdppp.exec:\pdppp.exe46⤵
- Executes dropped EXE
PID:2184 -
\??\c:\c028040.exec:\c028040.exe47⤵
- Executes dropped EXE
PID:2640 -
\??\c:\c422828.exec:\c422828.exe48⤵
- Executes dropped EXE
PID:2432 -
\??\c:\rrxxxxl.exec:\rrxxxxl.exe49⤵
- Executes dropped EXE
PID:1996 -
\??\c:\jpdpv.exec:\jpdpv.exe50⤵
- Executes dropped EXE
PID:1716 -
\??\c:\jdpdv.exec:\jdpdv.exe51⤵
- Executes dropped EXE
PID:2644 -
\??\c:\4662402.exec:\4662402.exe52⤵
- Executes dropped EXE
PID:112 -
\??\c:\860206.exec:\860206.exe53⤵
- Executes dropped EXE
PID:1344 -
\??\c:\0488484.exec:\0488484.exe54⤵
- Executes dropped EXE
PID:1200 -
\??\c:\5jddj.exec:\5jddj.exe55⤵
- Executes dropped EXE
PID:1700 -
\??\c:\804428.exec:\804428.exe56⤵
- Executes dropped EXE
PID:2864 -
\??\c:\04082.exec:\04082.exe57⤵
- Executes dropped EXE
PID:2852 -
\??\c:\pjvdj.exec:\pjvdj.exe58⤵
- Executes dropped EXE
PID:2172 -
\??\c:\6684668.exec:\6684668.exe59⤵
- Executes dropped EXE
PID:1124 -
\??\c:\jdddp.exec:\jdddp.exe60⤵
- Executes dropped EXE
PID:3036 -
\??\c:\0204446.exec:\0204446.exe61⤵
- Executes dropped EXE
PID:3044 -
\??\c:\486284.exec:\486284.exe62⤵
- Executes dropped EXE
PID:1176 -
\??\c:\66686.exec:\66686.exe63⤵
- Executes dropped EXE
PID:1416 -
\??\c:\e46222.exec:\e46222.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928 -
\??\c:\g0840.exec:\g0840.exe65⤵
- Executes dropped EXE
PID:892 -
\??\c:\5httht.exec:\5httht.exe66⤵PID:1688
-
\??\c:\26808.exec:\26808.exe67⤵PID:488
-
\??\c:\fxxxxrx.exec:\fxxxxrx.exe68⤵PID:3068
-
\??\c:\6428668.exec:\6428668.exe69⤵PID:980
-
\??\c:\1xlllll.exec:\1xlllll.exe70⤵PID:272
-
\??\c:\fxllrxf.exec:\fxllrxf.exe71⤵PID:2528
-
\??\c:\nhbhtb.exec:\nhbhtb.exe72⤵PID:2356
-
\??\c:\i460666.exec:\i460666.exe73⤵PID:1532
-
\??\c:\664080.exec:\664080.exe74⤵PID:2060
-
\??\c:\dpjpd.exec:\dpjpd.exe75⤵PID:1708
-
\??\c:\08046.exec:\08046.exe76⤵PID:2260
-
\??\c:\688660.exec:\688660.exe77⤵PID:2328
-
\??\c:\48280.exec:\48280.exe78⤵PID:1528
-
\??\c:\tnbbbb.exec:\tnbbbb.exe79⤵PID:2232
-
\??\c:\868406.exec:\868406.exe80⤵PID:1232
-
\??\c:\llrlrrx.exec:\llrlrrx.exe81⤵PID:2804
-
\??\c:\462664.exec:\462664.exe82⤵PID:2220
-
\??\c:\80886.exec:\80886.exe83⤵PID:2960
-
\??\c:\084028.exec:\084028.exe84⤵PID:840
-
\??\c:\8244006.exec:\8244006.exe85⤵PID:2892
-
\??\c:\xllllrx.exec:\xllllrx.exe86⤵PID:1096
-
\??\c:\nnbnbh.exec:\nnbnbh.exe87⤵PID:2612
-
\??\c:\824406.exec:\824406.exe88⤵PID:2728
-
\??\c:\7djpj.exec:\7djpj.exe89⤵PID:2596
-
\??\c:\664804.exec:\664804.exe90⤵PID:2268
-
\??\c:\1nhbbb.exec:\1nhbbb.exe91⤵PID:1552
-
\??\c:\424060.exec:\424060.exe92⤵PID:1964
-
\??\c:\htbbtt.exec:\htbbtt.exe93⤵PID:1972
-
\??\c:\dpvvd.exec:\dpvvd.exe94⤵PID:1716
-
\??\c:\bntbbb.exec:\bntbbb.exe95⤵PID:1428
-
\??\c:\7vjjv.exec:\7vjjv.exe96⤵PID:2768
-
\??\c:\hbhhtt.exec:\hbhhtt.exe97⤵PID:1344
-
\??\c:\rfrlxrx.exec:\rfrlxrx.exe98⤵PID:1852
-
\??\c:\9jvpv.exec:\9jvpv.exe99⤵PID:2844
-
\??\c:\pjvpp.exec:\pjvpp.exe100⤵PID:2860
-
\??\c:\nbnthh.exec:\nbnthh.exe101⤵PID:2820
-
\??\c:\00442.exec:\00442.exe102⤵PID:2940
-
\??\c:\vjvvv.exec:\vjvvv.exe103⤵PID:2180
-
\??\c:\vpddj.exec:\vpddj.exe104⤵PID:2144
-
\??\c:\jvjdd.exec:\jvjdd.exe105⤵PID:1252
-
\??\c:\hbnbnt.exec:\hbnbnt.exe106⤵PID:864
-
\??\c:\vpdvj.exec:\vpdvj.exe107⤵PID:1416
-
\??\c:\8244006.exec:\8244006.exe108⤵PID:1404
-
\??\c:\lfxxffr.exec:\lfxxffr.exe109⤵PID:1780
-
\??\c:\9tbbnb.exec:\9tbbnb.exe110⤵PID:2076
-
\??\c:\btbhth.exec:\btbhth.exe111⤵PID:1396
-
\??\c:\9nhbnh.exec:\9nhbnh.exe112⤵PID:1136
-
\??\c:\xlxxrxx.exec:\xlxxrxx.exe113⤵PID:1684
-
\??\c:\a0846.exec:\a0846.exe114⤵PID:2140
-
\??\c:\jdpjp.exec:\jdpjp.exe115⤵PID:1412
-
\??\c:\nhhhnn.exec:\nhhhnn.exe116⤵PID:3060
-
\??\c:\o262480.exec:\o262480.exe117⤵PID:860
-
\??\c:\68242.exec:\68242.exe118⤵PID:752
-
\??\c:\frfrffl.exec:\frfrffl.exe119⤵PID:2912
-
\??\c:\7nbhtt.exec:\7nbhtt.exe120⤵PID:1884
-
\??\c:\i606280.exec:\i606280.exe121⤵PID:1420
-
\??\c:\4268824.exec:\4268824.exe122⤵PID:2732
-