Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe
-
Size
456KB
-
MD5
b7fefaf787ba7ac0a484e5f89c794725
-
SHA1
44f2812f6d337f5d3d7b78e9d687dbea15345eee
-
SHA256
e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5
-
SHA512
4fe56d7c9c227ca28451d82e8052a8efee78cf41e93dd82f938ee45b77387d0fa667140e1a2c2b15b5a667cc8c75bc8764407b3f6b7d499199c0cd82c024a4e5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRH:q7Tc2NYHUrAwfMp3CDRH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2696-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-53-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2328-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/556-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-175-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1588-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2792-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-302-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1820-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1580-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-373-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1844-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-427-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/780-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/396-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-605-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2860-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-699-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/836-751-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1924-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-786-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1532-784-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/784-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-838-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2900-874-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-890-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2676-923-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/440-1009-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/440-1011-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1516-1030-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-1188-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2536 86068.exe 2060 jpjjv.exe 2164 64624.exe 2896 rllllrl.exe 2768 66202.exe 2328 k46288.exe 2952 frfxfxx.exe 2668 08662.exe 2664 424000.exe 1784 08622.exe 556 1vdjp.exe 1256 hbnntn.exe 2840 820604.exe 1260 7tbtnh.exe 2000 282200.exe 1144 2002462.exe 2708 60444.exe 592 htnntt.exe 1588 ppjpd.exe 760 tnbhnt.exe 836 lfrlrlx.exe 2340 5vpdv.exe 1372 3ntttt.exe 2792 bnhnhh.exe 1296 1thbbh.exe 1596 hthnbt.exe 2484 9rfxllf.exe 2152 44208.exe 992 206626.exe 1032 5rxlxxx.exe 2584 20662.exe 2696 8688440.exe 2968 82440.exe 2704 608406.exe 1820 4204006.exe 1580 646666.exe 2900 462848.exe 2736 k64400.exe 2820 9jpjj.exe 2740 808806.exe 2844 640408.exe 2784 pppvd.exe 2616 7rfllfr.exe 2732 bthhht.exe 2664 82408.exe 1784 64602.exe 1844 2062828.exe 1084 nhnntt.exe 2824 frlxffr.exe 1792 a0226.exe 1280 thnbtn.exe 1980 s4662.exe 2212 6028666.exe 1144 hthbbb.exe 2852 80880.exe 780 rxfrlll.exe 996 c006288.exe 2240 246682.exe 2596 08006.exe 2376 4288828.exe 1392 rfrrrrx.exe 1852 42446.exe 396 jdvjp.exe 968 0800846.exe -
YARA rule `upx` (UPX-packed image; note the same 0x400000-0x42A000 image range recurs across every child process, consistent with each dropped EXE being a copy of the same packed binary) resource yara_rule behavioral1/memory/2696-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/556-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-244-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/992-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-302-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1820-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/396-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-846-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-918-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-977-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1792-984-0x00000000003A0000-0x00000000003CA000-memory.dmp upx 
behavioral1/memory/3008-997-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-1074-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-1087-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-1100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-1161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-1181-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Many entries below are attributed to "Process not Found": the short-lived dropped processes had apparently already exited by the time the event was attributed, so treat the registry key, not the process name, as the reliable indicator here.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6444488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 808888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86682.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2696 wrote to memory of 2536 2696 e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe 30 PID 2696 wrote to memory of 2536 2696 e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe 30 PID 2696 wrote to memory of 2536 2696 e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe 30 PID 2696 wrote to memory of 2536 2696 e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe 30 PID 2536 wrote to memory of 2060 2536 86068.exe 31 PID 2536 wrote to memory of 2060 2536 86068.exe 31 PID 2536 wrote to memory of 2060 2536 86068.exe 31 PID 2536 wrote to memory of 2060 2536 86068.exe 31 PID 2060 wrote to memory of 2164 2060 jpjjv.exe 32 PID 2060 wrote to memory of 2164 2060 jpjjv.exe 32 PID 2060 wrote to memory of 2164 2060 jpjjv.exe 32 PID 2060 wrote to memory of 2164 2060 jpjjv.exe 32 PID 2164 wrote to memory of 2896 2164 64624.exe 33 PID 2164 wrote to memory of 2896 2164 64624.exe 33 PID 2164 wrote to memory of 2896 2164 64624.exe 33 PID 2164 wrote to memory of 2896 2164 64624.exe 33 PID 2896 wrote to memory of 2768 2896 rllllrl.exe 34 PID 2896 wrote to memory of 2768 2896 rllllrl.exe 34 PID 2896 wrote to memory of 2768 2896 rllllrl.exe 34 PID 2896 wrote to memory of 2768 2896 rllllrl.exe 34 PID 2768 wrote to memory of 2328 2768 66202.exe 35 PID 2768 wrote to memory of 2328 2768 66202.exe 35 PID 2768 wrote to memory of 2328 2768 66202.exe 35 PID 2768 wrote to memory of 2328 2768 66202.exe 35 PID 2328 wrote to memory of 2952 2328 k46288.exe 36 PID 2328 wrote to memory of 2952 2328 k46288.exe 36 PID 2328 wrote to memory of 2952 2328 k46288.exe 36 PID 2328 wrote to memory of 2952 2328 k46288.exe 36 PID 2952 wrote to memory of 2668 2952 frfxfxx.exe 37 PID 2952 wrote to memory of 2668 2952 frfxfxx.exe 37 PID 2952 wrote to memory of 2668 2952 frfxfxx.exe 37 PID 2952 wrote to memory of 2668 2952 frfxfxx.exe 37 PID 2668 wrote to memory of 2664 2668 08662.exe 38 PID 2668 wrote to 
memory of 2664 2668 08662.exe 38 PID 2668 wrote to memory of 2664 2668 08662.exe 38 PID 2668 wrote to memory of 2664 2668 08662.exe 38 PID 2664 wrote to memory of 1784 2664 424000.exe 39 PID 2664 wrote to memory of 1784 2664 424000.exe 39 PID 2664 wrote to memory of 1784 2664 424000.exe 39 PID 2664 wrote to memory of 1784 2664 424000.exe 39 PID 1784 wrote to memory of 556 1784 08622.exe 40 PID 1784 wrote to memory of 556 1784 08622.exe 40 PID 1784 wrote to memory of 556 1784 08622.exe 40 PID 1784 wrote to memory of 556 1784 08622.exe 40 PID 556 wrote to memory of 1256 556 1vdjp.exe 41 PID 556 wrote to memory of 1256 556 1vdjp.exe 41 PID 556 wrote to memory of 1256 556 1vdjp.exe 41 PID 556 wrote to memory of 1256 556 1vdjp.exe 41 PID 1256 wrote to memory of 2840 1256 hbnntn.exe 42 PID 1256 wrote to memory of 2840 1256 hbnntn.exe 42 PID 1256 wrote to memory of 2840 1256 hbnntn.exe 42 PID 1256 wrote to memory of 2840 1256 hbnntn.exe 42 PID 2840 wrote to memory of 1260 2840 820604.exe 43 PID 2840 wrote to memory of 1260 2840 820604.exe 43 PID 2840 wrote to memory of 1260 2840 820604.exe 43 PID 2840 wrote to memory of 1260 2840 820604.exe 43 PID 1260 wrote to memory of 2000 1260 7tbtnh.exe 44 PID 1260 wrote to memory of 2000 1260 7tbtnh.exe 44 PID 1260 wrote to memory of 2000 1260 7tbtnh.exe 44 PID 1260 wrote to memory of 2000 1260 7tbtnh.exe 44 PID 2000 wrote to memory of 1144 2000 282200.exe 45 PID 2000 wrote to memory of 1144 2000 282200.exe 45 PID 2000 wrote to memory of 1144 2000 282200.exe 45 PID 2000 wrote to memory of 1144 2000 282200.exe 45
Processes (caution: PIDs are reused within this 150-second run — for example PID 2696 is both the initial sample and, later, 8688440.exe, and 2664/1784 recur the same way — so correlate events by parent/child relationship and ordering, never by PID alone)
-
C:\Users\Admin\AppData\Local\Temp\e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe"C:\Users\Admin\AppData\Local\Temp\e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\86068.exec:\86068.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\jpjjv.exec:\jpjjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\64624.exec:\64624.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\rllllrl.exec:\rllllrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\66202.exec:\66202.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\k46288.exec:\k46288.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\frfxfxx.exec:\frfxfxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\08662.exec:\08662.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\424000.exec:\424000.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\08622.exec:\08622.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\1vdjp.exec:\1vdjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\hbnntn.exec:\hbnntn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\820604.exec:\820604.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\7tbtnh.exec:\7tbtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\282200.exec:\282200.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\2002462.exec:\2002462.exe17⤵
- Executes dropped EXE
PID:1144 -
\??\c:\60444.exec:\60444.exe18⤵
- Executes dropped EXE
PID:2708 -
\??\c:\htnntt.exec:\htnntt.exe19⤵
- Executes dropped EXE
PID:592 -
\??\c:\ppjpd.exec:\ppjpd.exe20⤵
- Executes dropped EXE
PID:1588 -
\??\c:\tnbhnt.exec:\tnbhnt.exe21⤵
- Executes dropped EXE
PID:760 -
\??\c:\lfrlrlx.exec:\lfrlrlx.exe22⤵
- Executes dropped EXE
PID:836 -
\??\c:\5vpdv.exec:\5vpdv.exe23⤵
- Executes dropped EXE
PID:2340 -
\??\c:\3ntttt.exec:\3ntttt.exe24⤵
- Executes dropped EXE
PID:1372 -
\??\c:\bnhnhh.exec:\bnhnhh.exe25⤵
- Executes dropped EXE
PID:2792 -
\??\c:\1thbbh.exec:\1thbbh.exe26⤵
- Executes dropped EXE
PID:1296 -
\??\c:\hthnbt.exec:\hthnbt.exe27⤵
- Executes dropped EXE
PID:1596 -
\??\c:\9rfxllf.exec:\9rfxllf.exe28⤵
- Executes dropped EXE
PID:2484 -
\??\c:\44208.exec:\44208.exe29⤵
- Executes dropped EXE
PID:2152 -
\??\c:\206626.exec:\206626.exe30⤵
- Executes dropped EXE
PID:992 -
\??\c:\5rxlxxx.exec:\5rxlxxx.exe31⤵
- Executes dropped EXE
PID:1032 -
\??\c:\20662.exec:\20662.exe32⤵
- Executes dropped EXE
PID:2584 -
\??\c:\8688440.exec:\8688440.exe33⤵
- Executes dropped EXE
PID:2696 -
\??\c:\82440.exec:\82440.exe34⤵
- Executes dropped EXE
PID:2968 -
\??\c:\608406.exec:\608406.exe35⤵
- Executes dropped EXE
PID:2704 -
\??\c:\4204006.exec:\4204006.exe36⤵
- Executes dropped EXE
PID:1820 -
\??\c:\646666.exec:\646666.exe37⤵
- Executes dropped EXE
PID:1580 -
\??\c:\462848.exec:\462848.exe38⤵
- Executes dropped EXE
PID:2900 -
\??\c:\k64400.exec:\k64400.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\9jpjj.exec:\9jpjj.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\808806.exec:\808806.exe41⤵
- Executes dropped EXE
PID:2740 -
\??\c:\640408.exec:\640408.exe42⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pppvd.exec:\pppvd.exe43⤵
- Executes dropped EXE
PID:2784 -
\??\c:\7rfllfr.exec:\7rfllfr.exe44⤵
- Executes dropped EXE
PID:2616 -
\??\c:\bthhht.exec:\bthhht.exe45⤵
- Executes dropped EXE
PID:2732 -
\??\c:\82408.exec:\82408.exe46⤵
- Executes dropped EXE
PID:2664 -
\??\c:\64602.exec:\64602.exe47⤵
- Executes dropped EXE
PID:1784 -
\??\c:\2062828.exec:\2062828.exe48⤵
- Executes dropped EXE
PID:1844 -
\??\c:\nhnntt.exec:\nhnntt.exe49⤵
- Executes dropped EXE
PID:1084 -
\??\c:\frlxffr.exec:\frlxffr.exe50⤵
- Executes dropped EXE
PID:2824 -
\??\c:\a0226.exec:\a0226.exe51⤵
- Executes dropped EXE
PID:1792 -
\??\c:\thnbtn.exec:\thnbtn.exe52⤵
- Executes dropped EXE
PID:1280 -
\??\c:\s4662.exec:\s4662.exe53⤵
- Executes dropped EXE
PID:1980 -
\??\c:\6028666.exec:\6028666.exe54⤵
- Executes dropped EXE
PID:2212 -
\??\c:\hthbbb.exec:\hthbbb.exe55⤵
- Executes dropped EXE
PID:1144 -
\??\c:\80880.exec:\80880.exe56⤵
- Executes dropped EXE
PID:2852 -
\??\c:\rxfrlll.exec:\rxfrlll.exe57⤵
- Executes dropped EXE
PID:780 -
\??\c:\c006288.exec:\c006288.exe58⤵
- Executes dropped EXE
PID:996 -
\??\c:\246682.exec:\246682.exe59⤵
- Executes dropped EXE
PID:2240 -
\??\c:\08006.exec:\08006.exe60⤵
- Executes dropped EXE
PID:2596 -
\??\c:\4288828.exec:\4288828.exe61⤵
- Executes dropped EXE
PID:2376 -
\??\c:\rfrrrrx.exec:\rfrrrrx.exe62⤵
- Executes dropped EXE
PID:1392 -
\??\c:\42446.exec:\42446.exe63⤵
- Executes dropped EXE
PID:1852 -
\??\c:\jdvjp.exec:\jdvjp.exe64⤵
- Executes dropped EXE
PID:396 -
\??\c:\0800846.exec:\0800846.exe65⤵
- Executes dropped EXE
PID:968 -
\??\c:\vvjdv.exec:\vvjdv.exe66⤵PID:1664
-
\??\c:\5jddp.exec:\5jddp.exe67⤵PID:916
-
\??\c:\q08882.exec:\q08882.exe68⤵PID:1644
-
\??\c:\lfxfrxr.exec:\lfxfrxr.exe69⤵PID:2416
-
\??\c:\rxxffxr.exec:\rxxffxr.exe70⤵PID:800
-
\??\c:\c040244.exec:\c040244.exe71⤵PID:2012
-
\??\c:\bbbthn.exec:\bbbthn.exe72⤵PID:2672
-
\??\c:\s8222.exec:\s8222.exe73⤵PID:896
-
\??\c:\604466.exec:\604466.exe74⤵PID:888
-
\??\c:\s2068.exec:\s2068.exe75⤵PID:2528
-
\??\c:\q68400.exec:\q68400.exe76⤵PID:2940
-
\??\c:\pjppv.exec:\pjppv.exe77⤵PID:2936
-
\??\c:\42400.exec:\42400.exe78⤵PID:2704
-
\??\c:\pjdjj.exec:\pjdjj.exe79⤵PID:2248
-
\??\c:\64606.exec:\64606.exe80⤵PID:1696
-
\??\c:\rflffxf.exec:\rflffxf.exe81⤵PID:2816
-
\??\c:\lrflxfr.exec:\lrflxfr.exe82⤵PID:2924
-
\??\c:\66442.exec:\66442.exe83⤵PID:2880
-
\??\c:\m6462.exec:\m6462.exe84⤵PID:2328
-
\??\c:\rlxlrrl.exec:\rlxlrrl.exe85⤵PID:2828
-
\??\c:\o480222.exec:\o480222.exe86⤵PID:2612
-
\??\c:\6602408.exec:\6602408.exe87⤵PID:2688
-
\??\c:\486884.exec:\486884.exe88⤵PID:2964
-
\??\c:\820022.exec:\820022.exe89⤵PID:1808
-
\??\c:\c428402.exec:\c428402.exe90⤵PID:2364
-
\??\c:\a0828.exec:\a0828.exe91⤵PID:564
-
\??\c:\xlxflrx.exec:\xlxflrx.exe92⤵PID:1608
-
\??\c:\c422880.exec:\c422880.exe93⤵PID:2860
-
\??\c:\w48028.exec:\w48028.exe94⤵PID:1792
-
\??\c:\3rffflx.exec:\3rffflx.exe95⤵PID:1780
-
\??\c:\60628.exec:\60628.exe96⤵PID:1228
-
\??\c:\8260684.exec:\8260684.exe97⤵PID:2580
-
\??\c:\xlrflfl.exec:\xlrflfl.exe98⤵PID:3036
-
\??\c:\42620.exec:\42620.exe99⤵PID:2500
-
\??\c:\nthhnt.exec:\nthhnt.exe100⤵PID:2852
-
\??\c:\6488062.exec:\6488062.exe101⤵PID:768
-
\??\c:\rlfllll.exec:\rlfllll.exe102⤵PID:1240
-
\??\c:\08620.exec:\08620.exe103⤵PID:2240
-
\??\c:\vvjjv.exec:\vvjjv.exe104⤵PID:836
-
\??\c:\02444.exec:\02444.exe105⤵PID:2492
-
\??\c:\820866.exec:\820866.exe106⤵PID:1104
-
\??\c:\5dvpp.exec:\5dvpp.exe107⤵PID:1852
-
\??\c:\w60088.exec:\w60088.exe108⤵PID:1924
-
\??\c:\46664.exec:\46664.exe109⤵PID:1532
-
\??\c:\vvpvj.exec:\vvpvj.exe110⤵PID:1712
-
\??\c:\rlxxlrr.exec:\rlxxlrr.exe111⤵PID:784
-
\??\c:\pjdjv.exec:\pjdjv.exe112⤵PID:2484
-
\??\c:\1tntbh.exec:\1tntbh.exe113⤵PID:2380
-
\??\c:\rrrrxff.exec:\rrrrxff.exe114⤵PID:308
-
\??\c:\9xrxflf.exec:\9xrxflf.exe115⤵PID:2480
-
\??\c:\04802.exec:\04802.exe116⤵PID:1920
-
\??\c:\tthhhh.exec:\tthhhh.exe117⤵PID:2472
-
\??\c:\48642.exec:\48642.exe118⤵PID:2356
-
\??\c:\w86682.exec:\w86682.exe119⤵
- System Location Discovery: System Language Discovery
PID:1856 -
\??\c:\lfrflxl.exec:\lfrflxl.exe120⤵
- System Location Discovery: System Language Discovery
PID:2388 -
\??\c:\9bhhtt.exec:\9bhhtt.exe121⤵PID:2704
-
\??\c:\llllrxf.exec:\llllrxf.exe122⤵PID:1820