Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 05:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe
-
Size
454KB
-
MD5
bdfd1d1eadccf3785bf2659e796b9332
-
SHA1
a1fc9634b996bc23ffa3f3b10fa89fa34c9f16bd
-
SHA256
eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e
-
SHA512
8d4c97c4fa0e2a11478c95db74ff826c7ffc2b6ffadade3bc7fe3d10fdb77621efa2f65fffcf2535a1913dce30ec390c3f2190b34dddcf6708d4ed3e90701819
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 36 IoCs
resource yara_rule behavioral1/memory/2124-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1380-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/396-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2380-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1360-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1580-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-671-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2908-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-1015-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1964-1098-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2380 lfrrxxl.exe 2832 m0228.exe 1432 20844.exe 2752 jvjdd.exe 2880 260204.exe 1980 4866480.exe 2684 s4884.exe 396 xrlrflf.exe 2884 dvpjd.exe 2456 pjdjd.exe 2392 5dpjp.exe 2280 9nnhnt.exe 2860 486202.exe 3004 xxrxfll.exe 2020 nhnhhh.exe 1152 e62804.exe 1984 1dvvv.exe 2208 hbhntn.exe 1296 040688.exe 960 9dpvv.exe 1056 i866828.exe 784 dvjdp.exe 1852 86284.exe 2336 5dpjp.exe 2164 48624.exe 2204 lrlrxxr.exe 1712 60462.exe 2516 pvddd.exe 1632 868288.exe 1968 3tbbnn.exe 1380 20228.exe 884 3vddv.exe 292 dvppj.exe 308 c200206.exe 2548 vpddv.exe 2144 00402.exe 1432 ppvdv.exe 3068 7nhttn.exe 2792 428844.exe 2772 djdjp.exe 2844 rlrrxxx.exe 2804 bbhtbt.exe 332 pdpdj.exe 1732 48624.exe 2472 80222.exe 2648 9jdjj.exe 2688 0206202.exe 600 i200228.exe 2908 208844.exe 836 264848.exe 2020 dpvvd.exe 2904 lfllllr.exe 2616 4244040.exe 1716 862888.exe 2208 pdppv.exe 2216 pdvvd.exe 2596 820622.exe 316 jddvv.exe 1056 080628.exe 1680 7ddjp.exe 1608 k42466.exe 2308 ththhn.exe 2336 e86248.exe 1760 i884042.exe -
resource yara_rule behavioral1/memory/2124-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/396-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-16-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2772-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-764-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1284-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-858-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2824-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-1117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-1178-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6046408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o422828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2380 2124 eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe 31 PID 2124 wrote to memory of 2380 2124 eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe 31 PID 2124 wrote to memory of 2380 2124 eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe 31 PID 2124 wrote to memory of 2380 2124 eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe 31 PID 2380 wrote to memory of 2832 2380 lfrrxxl.exe 32 PID 2380 wrote to memory of 2832 2380 lfrrxxl.exe 32 PID 2380 wrote to memory of 2832 2380 lfrrxxl.exe 32 PID 2380 wrote to memory of 2832 2380 lfrrxxl.exe 32 PID 2832 wrote to memory of 1432 2832 m0228.exe 67 PID 2832 wrote to memory of 1432 2832 m0228.exe 67 PID 2832 wrote to memory of 1432 2832 m0228.exe 67 PID 2832 wrote to memory of 1432 2832 m0228.exe 67 PID 1432 wrote to memory of 2752 1432 20844.exe 34 PID 1432 wrote to memory of 2752 1432 20844.exe 34 PID 1432 wrote to memory of 2752 1432 20844.exe 34 PID 1432 wrote to memory of 2752 1432 20844.exe 34 PID 2752 wrote to memory of 2880 2752 jvjdd.exe 35 PID 2752 wrote to memory of 2880 2752 jvjdd.exe 35 PID 2752 wrote to memory of 2880 2752 jvjdd.exe 35 PID 2752 wrote to memory of 2880 2752 jvjdd.exe 35 PID 2880 wrote to memory of 1980 2880 260204.exe 36 PID 2880 wrote to memory of 1980 2880 260204.exe 36 PID 2880 wrote to memory of 1980 2880 260204.exe 36 PID 2880 wrote to memory of 1980 2880 260204.exe 36 PID 1980 wrote to memory of 2684 1980 4866480.exe 37 PID 1980 wrote to memory of 2684 1980 4866480.exe 37 PID 1980 wrote to memory of 2684 1980 4866480.exe 37 PID 1980 wrote to memory of 2684 1980 4866480.exe 37 PID 2684 wrote to memory of 396 2684 s4884.exe 38 PID 2684 wrote to memory of 396 2684 s4884.exe 38 PID 2684 wrote to memory of 396 2684 s4884.exe 38 PID 2684 wrote to memory of 396 2684 s4884.exe 38 PID 396 wrote to memory of 2884 396 xrlrflf.exe 39 PID 396 wrote to memory of 
2884 396 xrlrflf.exe 39 PID 396 wrote to memory of 2884 396 xrlrflf.exe 39 PID 396 wrote to memory of 2884 396 xrlrflf.exe 39 PID 2884 wrote to memory of 2456 2884 dvpjd.exe 40 PID 2884 wrote to memory of 2456 2884 dvpjd.exe 40 PID 2884 wrote to memory of 2456 2884 dvpjd.exe 40 PID 2884 wrote to memory of 2456 2884 dvpjd.exe 40 PID 2456 wrote to memory of 2392 2456 pjdjd.exe 41 PID 2456 wrote to memory of 2392 2456 pjdjd.exe 41 PID 2456 wrote to memory of 2392 2456 pjdjd.exe 41 PID 2456 wrote to memory of 2392 2456 pjdjd.exe 41 PID 2392 wrote to memory of 2280 2392 5dpjp.exe 42 PID 2392 wrote to memory of 2280 2392 5dpjp.exe 42 PID 2392 wrote to memory of 2280 2392 5dpjp.exe 42 PID 2392 wrote to memory of 2280 2392 5dpjp.exe 42 PID 2280 wrote to memory of 2860 2280 9nnhnt.exe 43 PID 2280 wrote to memory of 2860 2280 9nnhnt.exe 43 PID 2280 wrote to memory of 2860 2280 9nnhnt.exe 43 PID 2280 wrote to memory of 2860 2280 9nnhnt.exe 43 PID 2860 wrote to memory of 3004 2860 486202.exe 44 PID 2860 wrote to memory of 3004 2860 486202.exe 44 PID 2860 wrote to memory of 3004 2860 486202.exe 44 PID 2860 wrote to memory of 3004 2860 486202.exe 44 PID 3004 wrote to memory of 2020 3004 xxrxfll.exe 45 PID 3004 wrote to memory of 2020 3004 xxrxfll.exe 45 PID 3004 wrote to memory of 2020 3004 xxrxfll.exe 45 PID 3004 wrote to memory of 2020 3004 xxrxfll.exe 45 PID 2020 wrote to memory of 1152 2020 nhnhhh.exe 46 PID 2020 wrote to memory of 1152 2020 nhnhhh.exe 46 PID 2020 wrote to memory of 1152 2020 nhnhhh.exe 46 PID 2020 wrote to memory of 1152 2020 nhnhhh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe"C:\Users\Admin\AppData\Local\Temp\eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\m0228.exec:\m0228.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\20844.exec:\20844.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\jvjdd.exec:\jvjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\260204.exec:\260204.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\4866480.exec:\4866480.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\s4884.exec:\s4884.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\xrlrflf.exec:\xrlrflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\dvpjd.exec:\dvpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\pjdjd.exec:\pjdjd.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\5dpjp.exec:\5dpjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\9nnhnt.exec:\9nnhnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\486202.exec:\486202.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\xxrxfll.exec:\xxrxfll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\nhnhhh.exec:\nhnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\e62804.exec:\e62804.exe17⤵
- Executes dropped EXE
PID:1152 -
\??\c:\1dvvv.exec:\1dvvv.exe18⤵
- Executes dropped EXE
PID:1984 -
\??\c:\hbhntn.exec:\hbhntn.exe19⤵
- Executes dropped EXE
PID:2208 -
\??\c:\040688.exec:\040688.exe20⤵
- Executes dropped EXE
PID:1296 -
\??\c:\9dpvv.exec:\9dpvv.exe21⤵
- Executes dropped EXE
PID:960 -
\??\c:\i866828.exec:\i866828.exe22⤵
- Executes dropped EXE
PID:1056 -
\??\c:\dvjdp.exec:\dvjdp.exe23⤵
- Executes dropped EXE
PID:784 -
\??\c:\86284.exec:\86284.exe24⤵
- Executes dropped EXE
PID:1852 -
\??\c:\5dpjp.exec:\5dpjp.exe25⤵
- Executes dropped EXE
PID:2336 -
\??\c:\48624.exec:\48624.exe26⤵
- Executes dropped EXE
PID:2164 -
\??\c:\lrlrxxr.exec:\lrlrxxr.exe27⤵
- Executes dropped EXE
PID:2204 -
\??\c:\60462.exec:\60462.exe28⤵
- Executes dropped EXE
PID:1712 -
\??\c:\pvddd.exec:\pvddd.exe29⤵
- Executes dropped EXE
PID:2516 -
\??\c:\868288.exec:\868288.exe30⤵
- Executes dropped EXE
PID:1632 -
\??\c:\3tbbnn.exec:\3tbbnn.exe31⤵
- Executes dropped EXE
PID:1968 -
\??\c:\20228.exec:\20228.exe32⤵
- Executes dropped EXE
PID:1380 -
\??\c:\3vddv.exec:\3vddv.exe33⤵
- Executes dropped EXE
PID:884 -
\??\c:\dvppj.exec:\dvppj.exe34⤵
- Executes dropped EXE
PID:292 -
\??\c:\c200206.exec:\c200206.exe35⤵
- Executes dropped EXE
PID:308 -
\??\c:\vpddv.exec:\vpddv.exe36⤵
- Executes dropped EXE
PID:2548 -
\??\c:\00402.exec:\00402.exe37⤵
- Executes dropped EXE
PID:2144 -
\??\c:\ppvdv.exec:\ppvdv.exe38⤵
- Executes dropped EXE
PID:1432 -
\??\c:\7nhttn.exec:\7nhttn.exe39⤵
- Executes dropped EXE
PID:3068 -
\??\c:\428844.exec:\428844.exe40⤵
- Executes dropped EXE
PID:2792 -
\??\c:\djdjp.exec:\djdjp.exe41⤵
- Executes dropped EXE
PID:2772 -
\??\c:\rlrrxxx.exec:\rlrrxxx.exe42⤵
- Executes dropped EXE
PID:2844 -
\??\c:\bbhtbt.exec:\bbhtbt.exe43⤵
- Executes dropped EXE
PID:2804 -
\??\c:\pdpdj.exec:\pdpdj.exe44⤵
- Executes dropped EXE
PID:332 -
\??\c:\48624.exec:\48624.exe45⤵
- Executes dropped EXE
PID:1732 -
\??\c:\80222.exec:\80222.exe46⤵
- Executes dropped EXE
PID:2472 -
\??\c:\9jdjj.exec:\9jdjj.exe47⤵
- Executes dropped EXE
PID:2648 -
\??\c:\0206202.exec:\0206202.exe48⤵
- Executes dropped EXE
PID:2688 -
\??\c:\i200228.exec:\i200228.exe49⤵
- Executes dropped EXE
PID:600 -
\??\c:\208844.exec:\208844.exe50⤵
- Executes dropped EXE
PID:2908 -
\??\c:\264848.exec:\264848.exe51⤵
- Executes dropped EXE
PID:836 -
\??\c:\dpvvd.exec:\dpvvd.exe52⤵
- Executes dropped EXE
PID:2020 -
\??\c:\lfllllr.exec:\lfllllr.exe53⤵
- Executes dropped EXE
PID:2904 -
\??\c:\4244040.exec:\4244040.exe54⤵
- Executes dropped EXE
PID:2616 -
\??\c:\862888.exec:\862888.exe55⤵
- Executes dropped EXE
PID:1716 -
\??\c:\pdppv.exec:\pdppv.exe56⤵
- Executes dropped EXE
PID:2208 -
\??\c:\pdvvd.exec:\pdvvd.exe57⤵
- Executes dropped EXE
PID:2216 -
\??\c:\820622.exec:\820622.exe58⤵
- Executes dropped EXE
PID:2596 -
\??\c:\jddvv.exec:\jddvv.exe59⤵
- Executes dropped EXE
PID:316 -
\??\c:\080628.exec:\080628.exe60⤵
- Executes dropped EXE
PID:1056 -
\??\c:\7ddjp.exec:\7ddjp.exe61⤵
- Executes dropped EXE
PID:1680 -
\??\c:\k42466.exec:\k42466.exe62⤵
- Executes dropped EXE
PID:1608 -
\??\c:\ththhn.exec:\ththhn.exe63⤵
- Executes dropped EXE
PID:2308 -
\??\c:\e86248.exec:\e86248.exe64⤵
- Executes dropped EXE
PID:2336 -
\??\c:\i884042.exec:\i884042.exe65⤵
- Executes dropped EXE
PID:1760 -
\??\c:\bthhtt.exec:\bthhtt.exe66⤵PID:1532
-
\??\c:\686622.exec:\686622.exe67⤵PID:1712
-
\??\c:\lxlfrrf.exec:\lxlfrrf.exe68⤵
- System Location Discovery: System Language Discovery
PID:1940 -
\??\c:\868262.exec:\868262.exe69⤵PID:1360
-
\??\c:\vvvdj.exec:\vvvdj.exe70⤵PID:1632
-
\??\c:\8646224.exec:\8646224.exe71⤵PID:1640
-
\??\c:\llxlrfr.exec:\llxlrfr.exe72⤵PID:1804
-
\??\c:\9jdjj.exec:\9jdjj.exe73⤵PID:1660
-
\??\c:\frllrxl.exec:\frllrxl.exe74⤵PID:1612
-
\??\c:\jdppv.exec:\jdppv.exe75⤵PID:2112
-
\??\c:\3rrrxxx.exec:\3rrrxxx.exe76⤵PID:2744
-
\??\c:\q84462.exec:\q84462.exe77⤵PID:1580
-
\??\c:\6042886.exec:\6042886.exe78⤵PID:2760
-
\??\c:\k46244.exec:\k46244.exe79⤵PID:2976
-
\??\c:\5nbhhh.exec:\5nbhhh.exe80⤵PID:2796
-
\??\c:\vjjpv.exec:\vjjpv.exe81⤵PID:2720
-
\??\c:\424688.exec:\424688.exe82⤵PID:2592
-
\??\c:\7fllrxf.exec:\7fllrxf.exe83⤵PID:2636
-
\??\c:\rrxrffl.exec:\rrxrffl.exe84⤵PID:2684
-
\??\c:\rrlrxfr.exec:\rrlrxfr.exe85⤵PID:2476
-
\??\c:\vvpdv.exec:\vvpdv.exe86⤵PID:2248
-
\??\c:\3rlrrxl.exec:\3rlrrxl.exe87⤵PID:2940
-
\??\c:\tbnhtt.exec:\tbnhtt.exe88⤵PID:2468
-
\??\c:\60468.exec:\60468.exe89⤵PID:1088
-
\??\c:\04280.exec:\04280.exe90⤵PID:2888
-
\??\c:\vvvjp.exec:\vvvjp.exe91⤵PID:2892
-
\??\c:\k88084.exec:\k88084.exe92⤵PID:1484
-
\??\c:\djdpd.exec:\djdpd.exe93⤵PID:2908
-
\??\c:\hhbbhn.exec:\hhbbhn.exe94⤵PID:528
-
\??\c:\822428.exec:\822428.exe95⤵PID:2020
-
\??\c:\420244.exec:\420244.exe96⤵PID:2856
-
\??\c:\w26802.exec:\w26802.exe97⤵PID:2896
-
\??\c:\bttthh.exec:\bttthh.exe98⤵PID:756
-
\??\c:\vpjvv.exec:\vpjvv.exe99⤵PID:2700
-
\??\c:\xxlfrrr.exec:\xxlfrrr.exe100⤵PID:2192
-
\??\c:\5ppvj.exec:\5ppvj.exe101⤵PID:448
-
\??\c:\a6068.exec:\a6068.exe102⤵PID:2088
-
\??\c:\200628.exec:\200628.exe103⤵PID:1852
-
\??\c:\e04628.exec:\e04628.exe104⤵PID:1776
-
\??\c:\480228.exec:\480228.exe105⤵PID:1500
-
\??\c:\9hhthn.exec:\9hhthn.exe106⤵PID:2336
-
\??\c:\9btnbh.exec:\9btnbh.exe107⤵PID:340
-
\??\c:\xxxxffl.exec:\xxxxffl.exe108⤵PID:1532
-
\??\c:\e20646.exec:\e20646.exe109⤵PID:1284
-
\??\c:\482804.exec:\482804.exe110⤵PID:2000
-
\??\c:\bbbhbh.exec:\bbbhbh.exe111⤵PID:548
-
\??\c:\7dddp.exec:\7dddp.exe112⤵PID:1632
-
\??\c:\8084684.exec:\8084684.exe113⤵PID:1844
-
\??\c:\q08028.exec:\q08028.exe114⤵PID:904
-
\??\c:\660000.exec:\660000.exe115⤵PID:584
-
\??\c:\7bnbhh.exec:\7bnbhh.exe116⤵PID:1612
-
\??\c:\482466.exec:\482466.exe117⤵PID:2424
-
\??\c:\xlrlllx.exec:\xlrlllx.exe118⤵PID:1832
-
\??\c:\hbbbbn.exec:\hbbbbn.exe119⤵PID:2832
-
\??\c:\lflrlff.exec:\lflrlff.exe120⤵PID:2776
-
\??\c:\0424066.exec:\0424066.exe121⤵PID:1496
-
\??\c:\28866.exec:\28866.exe122⤵PID:2824