Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:54
Behavioral task
behavioral1
Sample
955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe
-
Size
333KB
-
MD5
af5dd4a22905b691573b8336d067e257
-
SHA1
88565884ff2c487405e604ab91092097a8958c33
-
SHA256
955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4
-
SHA512
00b137fdd837274e6de7c294abdb81a4fc6458d649c0043a2235e7dae4cdef715fc3104ba5de027c615af7ca5ee15899e0bf0a3af420afad7c9e246991f6884d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeq:R4wFHoSHYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2408-0-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1948-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1644-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2356-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/824-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3064-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2968-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1144-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2348-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2944-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1032-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2520-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1992-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1140-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2024-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2904-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/924-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2136-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1868-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1800-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2264-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/896-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/600-259-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/600-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2372-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2952-346-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2868-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2980-373-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2156-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1552-460-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/2268-511-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2492-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2888-620-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/760-747-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/760-748-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1584-761-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/1892-806-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2460-851-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2948-864-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/776-1133-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/1628-1186-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1992-1193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2288-6979-0x0000000076E20000-0x0000000076F3F000-memory.dmp family_blackmoon behavioral1/memory/2288-8003-0x0000000076E20000-0x0000000076F3F000-memory.dmp family_blackmoon behavioral1/memory/2288-10567-0x0000000076E20000-0x0000000076F3F000-memory.dmp family_blackmoon behavioral1/memory/2288-16402-0x0000000076F40000-0x000000007703A000-memory.dmp family_blackmoon behavioral1/memory/2288-19150-0x0000000076E20000-0x0000000076F3F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1644 9bntht.exe 1948 nbhntt.exe 2356 862206.exe 3064 frfrxfr.exe 824 u424602.exe 2968 5xflxll.exe 1144 4266262.exe 2348 0844040.exe 2784 22628.exe 2944 s4628.exe 2728 tntthn.exe 1956 046628.exe 1032 260688.exe 1740 608024.exe 2520 6462888.exe 1992 4684020.exe 1140 rxrxfrl.exe 2024 420022.exe 2904 1jppv.exe 556 3jpjd.exe 1552 8486026.exe 2572 jddjp.exe 924 3httbh.exe 2136 4888062.exe 2008 82680.exe 1868 djvvp.exe 1800 pjvvj.exe 896 9xlrxxf.exe 2264 9rxlrrf.exe 2292 pjpjv.exe 600 3frlxxl.exe 2280 xrrlxfl.exe 2424 042062.exe 1964 lffrxxx.exe 2616 pdppd.exe 2408 hbnnbh.exe 1504 7rlrfll.exe 1256 llrxrrf.exe 2072 26468.exe 2592 jpjjd.exe 2372 jdvpd.exe 2788 2688002.exe 2800 ppjjj.exe 2960 2628402.exe 2956 606244.exe 2952 084062.exe 3056 9jdjv.exe 2992 hhntth.exe 2724 pdvdv.exe 2868 4244002.exe 2980 q88006.exe 876 48688.exe 2760 dvjpd.exe 2596 2024006.exe 1732 0822884.exe 2604 vvvdp.exe 2940 nhtbhb.exe 1672 028460.exe 2516 7xlxlxx.exe 1044 64488.exe 2756 2080246.exe 2244 g6884.exe 1560 6064024.exe 3036 o242286.exe -
resource yara_rule behavioral1/memory/2408-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000c00000001202c-5.dat upx behavioral1/memory/2408-6-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/1644-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000186f1-17.dat upx behavioral1/memory/1948-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1644-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000186f4-25.dat upx behavioral1/memory/2356-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018704-34.dat upx behavioral1/memory/824-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018739-42.dat upx behavioral1/files/0x0006000000018744-50.dat upx behavioral1/memory/3064-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1144-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2968-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001878e-57.dat upx behavioral1/files/0x00070000000187a8-66.dat upx behavioral1/memory/1144-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2348-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2784-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019451-76.dat upx behavioral1/files/0x0005000000019458-85.dat upx behavioral1/memory/2944-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194a9-92.dat upx behavioral1/memory/2728-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2944-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194b9-101.dat upx behavioral1/files/0x00050000000194c9-108.dat upx behavioral1/files/0x00050000000194ee-115.dat upx 
behavioral1/memory/1032-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194f1-123.dat upx behavioral1/memory/1992-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000900000001755b-133.dat upx behavioral1/memory/2520-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019502-140.dat upx behavioral1/memory/1992-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1140-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019509-149.dat upx behavioral1/memory/2024-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001950e-156.dat upx behavioral1/memory/2904-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019512-165.dat upx behavioral1/files/0x000500000001957e-171.dat upx behavioral1/files/0x000500000001958e-179.dat upx behavioral1/files/0x00050000000195ab-185.dat upx behavioral1/memory/924-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195f0-193.dat upx behavioral1/files/0x0005000000019621-203.dat upx behavioral1/memory/2136-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019623-209.dat upx behavioral1/files/0x0005000000019624-218.dat upx behavioral1/memory/1868-217-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019625-230.dat upx behavioral1/memory/896-229-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1800-228-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019627-237.dat upx behavioral1/memory/2264-239-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/896-236-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019629-245.dat upx behavioral1/files/0x000500000001962b-252.dat upx 
behavioral1/memory/600-259-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/600-260-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001962d-263.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c428602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0082286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2646808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2004880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22068.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u880848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2408 wrote to memory of 1644 2408 955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe 30 PID 2408 wrote to memory of 1644 2408 955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe 30 PID 2408 wrote to memory of 1644 2408 955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe 30 PID 2408 wrote to memory of 1644 2408 955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe 30 PID 1644 wrote to memory of 1948 1644 9bntht.exe 31 PID 1644 wrote to memory of 1948 1644 9bntht.exe 31 PID 1644 wrote to memory of 1948 1644 9bntht.exe 31 PID 1644 wrote to memory of 1948 1644 9bntht.exe 31 PID 1948 wrote to memory of 2356 1948 nbhntt.exe 32 PID 1948 wrote to memory of 2356 1948 nbhntt.exe 32 PID 1948 wrote to memory of 2356 1948 nbhntt.exe 32 PID 1948 wrote to memory of 2356 1948 nbhntt.exe 32 PID 2356 wrote to memory of 3064 2356 862206.exe 33 PID 2356 wrote to memory of 3064 2356 862206.exe 33 PID 2356 wrote to memory of 3064 2356 862206.exe 33 PID 2356 wrote to memory of 3064 2356 862206.exe 33 PID 3064 wrote to memory of 824 3064 frfrxfr.exe 34 PID 3064 wrote to memory of 824 3064 frfrxfr.exe 34 PID 3064 wrote to memory of 824 3064 frfrxfr.exe 34 PID 3064 wrote to memory of 824 3064 frfrxfr.exe 34 PID 824 wrote to memory of 2968 824 u424602.exe 35 PID 824 wrote to memory of 2968 824 u424602.exe 35 PID 824 wrote to memory of 2968 824 u424602.exe 35 PID 824 wrote to memory of 2968 824 u424602.exe 35 PID 2968 wrote to memory of 1144 2968 5xflxll.exe 36 PID 2968 wrote to memory of 1144 2968 5xflxll.exe 36 PID 2968 wrote to memory of 1144 2968 5xflxll.exe 36 PID 2968 wrote to memory of 1144 2968 5xflxll.exe 36 PID 1144 wrote to memory of 2348 1144 4266262.exe 37 PID 1144 wrote to memory of 2348 1144 4266262.exe 37 PID 1144 wrote to memory of 2348 1144 4266262.exe 37 PID 1144 wrote to memory of 2348 1144 4266262.exe 37 PID 2348 wrote to memory of 2784 2348 0844040.exe 38 PID 2348 
wrote to memory of 2784 2348 0844040.exe 38 PID 2348 wrote to memory of 2784 2348 0844040.exe 38 PID 2348 wrote to memory of 2784 2348 0844040.exe 38 PID 2784 wrote to memory of 2944 2784 22628.exe 39 PID 2784 wrote to memory of 2944 2784 22628.exe 39 PID 2784 wrote to memory of 2944 2784 22628.exe 39 PID 2784 wrote to memory of 2944 2784 22628.exe 39 PID 2944 wrote to memory of 2728 2944 s4628.exe 40 PID 2944 wrote to memory of 2728 2944 s4628.exe 40 PID 2944 wrote to memory of 2728 2944 s4628.exe 40 PID 2944 wrote to memory of 2728 2944 s4628.exe 40 PID 2728 wrote to memory of 1956 2728 tntthn.exe 41 PID 2728 wrote to memory of 1956 2728 tntthn.exe 41 PID 2728 wrote to memory of 1956 2728 tntthn.exe 41 PID 2728 wrote to memory of 1956 2728 tntthn.exe 41 PID 1956 wrote to memory of 1032 1956 046628.exe 42 PID 1956 wrote to memory of 1032 1956 046628.exe 42 PID 1956 wrote to memory of 1032 1956 046628.exe 42 PID 1956 wrote to memory of 1032 1956 046628.exe 42 PID 1032 wrote to memory of 1740 1032 260688.exe 43 PID 1032 wrote to memory of 1740 1032 260688.exe 43 PID 1032 wrote to memory of 1740 1032 260688.exe 43 PID 1032 wrote to memory of 1740 1032 260688.exe 43 PID 1740 wrote to memory of 2520 1740 608024.exe 44 PID 1740 wrote to memory of 2520 1740 608024.exe 44 PID 1740 wrote to memory of 2520 1740 608024.exe 44 PID 1740 wrote to memory of 2520 1740 608024.exe 44 PID 2520 wrote to memory of 1992 2520 6462888.exe 45 PID 2520 wrote to memory of 1992 2520 6462888.exe 45 PID 2520 wrote to memory of 1992 2520 6462888.exe 45 PID 2520 wrote to memory of 1992 2520 6462888.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe"C:\Users\Admin\AppData\Local\Temp\955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\9bntht.exec:\9bntht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\nbhntt.exec:\nbhntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\862206.exec:\862206.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\frfrxfr.exec:\frfrxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\u424602.exec:\u424602.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\5xflxll.exec:\5xflxll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\4266262.exec:\4266262.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\0844040.exec:\0844040.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\22628.exec:\22628.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\s4628.exec:\s4628.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\tntthn.exec:\tntthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\046628.exec:\046628.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\260688.exec:\260688.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\608024.exec:\608024.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\6462888.exec:\6462888.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\4684020.exec:\4684020.exe17⤵
- Executes dropped EXE
PID:1992 -
\??\c:\rxrxfrl.exec:\rxrxfrl.exe18⤵
- Executes dropped EXE
PID:1140 -
\??\c:\420022.exec:\420022.exe19⤵
- Executes dropped EXE
PID:2024 -
\??\c:\1jppv.exec:\1jppv.exe20⤵
- Executes dropped EXE
PID:2904 -
\??\c:\3jpjd.exec:\3jpjd.exe21⤵
- Executes dropped EXE
PID:556 -
\??\c:\8486026.exec:\8486026.exe22⤵
- Executes dropped EXE
PID:1552 -
\??\c:\jddjp.exec:\jddjp.exe23⤵
- Executes dropped EXE
PID:2572 -
\??\c:\3httbh.exec:\3httbh.exe24⤵
- Executes dropped EXE
PID:924 -
\??\c:\4888062.exec:\4888062.exe25⤵
- Executes dropped EXE
PID:2136 -
\??\c:\82680.exec:\82680.exe26⤵
- Executes dropped EXE
PID:2008 -
\??\c:\djvvp.exec:\djvvp.exe27⤵
- Executes dropped EXE
PID:1868 -
\??\c:\pjvvj.exec:\pjvvj.exe28⤵
- Executes dropped EXE
PID:1800 -
\??\c:\9xlrxxf.exec:\9xlrxxf.exe29⤵
- Executes dropped EXE
PID:896 -
\??\c:\9rxlrrf.exec:\9rxlrrf.exe30⤵
- Executes dropped EXE
PID:2264 -
\??\c:\pjpjv.exec:\pjpjv.exe31⤵
- Executes dropped EXE
PID:2292 -
\??\c:\3frlxxl.exec:\3frlxxl.exe32⤵
- Executes dropped EXE
PID:600 -
\??\c:\xrrlxfl.exec:\xrrlxfl.exe33⤵
- Executes dropped EXE
PID:2280 -
\??\c:\042062.exec:\042062.exe34⤵
- Executes dropped EXE
PID:2424 -
\??\c:\lffrxxx.exec:\lffrxxx.exe35⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pdppd.exec:\pdppd.exe36⤵
- Executes dropped EXE
PID:2616 -
\??\c:\hbnnbh.exec:\hbnnbh.exe37⤵
- Executes dropped EXE
PID:2408 -
\??\c:\7rlrfll.exec:\7rlrfll.exe38⤵
- Executes dropped EXE
PID:1504 -
\??\c:\llrxrrf.exec:\llrxrrf.exe39⤵
- Executes dropped EXE
PID:1256 -
\??\c:\26468.exec:\26468.exe40⤵
- Executes dropped EXE
PID:2072 -
\??\c:\jpjjd.exec:\jpjjd.exe41⤵
- Executes dropped EXE
PID:2592 -
\??\c:\jdvpd.exec:\jdvpd.exe42⤵
- Executes dropped EXE
PID:2372 -
\??\c:\2688002.exec:\2688002.exe43⤵
- Executes dropped EXE
PID:2788 -
\??\c:\ppjjj.exec:\ppjjj.exe44⤵
- Executes dropped EXE
PID:2800 -
\??\c:\2628402.exec:\2628402.exe45⤵
- Executes dropped EXE
PID:2960 -
\??\c:\606244.exec:\606244.exe46⤵
- Executes dropped EXE
PID:2956 -
\??\c:\084062.exec:\084062.exe47⤵
- Executes dropped EXE
PID:2952 -
\??\c:\9jdjv.exec:\9jdjv.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056 -
\??\c:\hhntth.exec:\hhntth.exe49⤵
- Executes dropped EXE
PID:2992 -
\??\c:\pdvdv.exec:\pdvdv.exe50⤵
- Executes dropped EXE
PID:2724 -
\??\c:\4244002.exec:\4244002.exe51⤵
- Executes dropped EXE
PID:2868 -
\??\c:\q88006.exec:\q88006.exe52⤵
- Executes dropped EXE
PID:2980 -
\??\c:\48688.exec:\48688.exe53⤵
- Executes dropped EXE
PID:876 -
\??\c:\dvjpd.exec:\dvjpd.exe54⤵
- Executes dropped EXE
PID:2760 -
\??\c:\2024006.exec:\2024006.exe55⤵
- Executes dropped EXE
PID:2596 -
\??\c:\0822884.exec:\0822884.exe56⤵
- Executes dropped EXE
PID:1732 -
\??\c:\vvvdp.exec:\vvvdp.exe57⤵
- Executes dropped EXE
PID:2604 -
\??\c:\nhtbhb.exec:\nhtbhb.exe58⤵
- Executes dropped EXE
PID:2940 -
\??\c:\028460.exec:\028460.exe59⤵
- Executes dropped EXE
PID:1672 -
\??\c:\7xlxlxx.exec:\7xlxlxx.exe60⤵
- Executes dropped EXE
PID:2516 -
\??\c:\64488.exec:\64488.exe61⤵
- Executes dropped EXE
PID:1044 -
\??\c:\2080246.exec:\2080246.exe62⤵
- Executes dropped EXE
PID:2756 -
\??\c:\g6884.exec:\g6884.exe63⤵
- Executes dropped EXE
PID:2244 -
\??\c:\6064024.exec:\6064024.exe64⤵
- Executes dropped EXE
PID:1560 -
\??\c:\o242286.exec:\o242286.exe65⤵
- Executes dropped EXE
PID:3036 -
\??\c:\040288.exec:\040288.exe66⤵PID:2156
-
\??\c:\dvddp.exec:\dvddp.exe67⤵PID:2792
-
\??\c:\rfrrfxf.exec:\rfrrfxf.exe68⤵PID:1552
-
\??\c:\8268080.exec:\8268080.exe69⤵PID:1900
-
\??\c:\ddvvp.exec:\ddvvp.exe70⤵PID:764
-
\??\c:\1xlrxxf.exec:\1xlrxxf.exe71⤵PID:2332
-
\??\c:\pjvjd.exec:\pjvjd.exe72⤵PID:1804
-
\??\c:\0804860.exec:\0804860.exe73⤵PID:1440
-
\??\c:\g8286.exec:\g8286.exe74⤵PID:1876
-
\??\c:\jjvdj.exec:\jjvdj.exe75⤵PID:912
-
\??\c:\608800.exec:\608800.exe76⤵PID:1488
-
\??\c:\264468.exec:\264468.exe77⤵PID:2268
-
\??\c:\640644.exec:\640644.exe78⤵PID:700
-
\??\c:\8644664.exec:\8644664.exe79⤵PID:1456
-
\??\c:\pjvvd.exec:\pjvvd.exe80⤵PID:1920
-
\??\c:\xrxfxfl.exec:\xrxfxfl.exe81⤵PID:2456
-
\??\c:\9fxxxxl.exec:\9fxxxxl.exe82⤵PID:2996
-
\??\c:\lfrrxff.exec:\lfrrxff.exe83⤵PID:2432
-
\??\c:\bnbbtt.exec:\bnbbtt.exe84⤵PID:2492
-
\??\c:\04440.exec:\04440.exe85⤵PID:2328
-
\??\c:\vvpvd.exec:\vvpvd.exe86⤵PID:1260
-
\??\c:\nhnhnt.exec:\nhnhnt.exe87⤵PID:1656
-
\??\c:\q82280.exec:\q82280.exe88⤵PID:1572
-
\??\c:\hbhhtt.exec:\hbhhtt.exe89⤵PID:2624
-
\??\c:\nhbbnb.exec:\nhbbnb.exe90⤵PID:2640
-
\??\c:\4868028.exec:\4868028.exe91⤵PID:2060
-
\??\c:\i422008.exec:\i422008.exe92⤵PID:2804
-
\??\c:\2684064.exec:\2684064.exe93⤵PID:3064
-
\??\c:\4262288.exec:\4262288.exe94⤵PID:2976
-
\??\c:\48624.exec:\48624.exe95⤵PID:2972
-
\??\c:\rrllrrx.exec:\rrllrrx.exe96⤵PID:3040
-
\??\c:\hbhhnt.exec:\hbhhnt.exe97⤵PID:1144
-
\??\c:\604088.exec:\604088.exe98⤵PID:2888
-
\??\c:\446448.exec:\446448.exe99⤵PID:2732
-
\??\c:\xxxxfff.exec:\xxxxfff.exe100⤵PID:2696
-
\??\c:\60086.exec:\60086.exe101⤵PID:2716
-
\??\c:\60804.exec:\60804.exe102⤵PID:2692
-
\??\c:\602280.exec:\602280.exe103⤵PID:2584
-
\??\c:\6826020.exec:\6826020.exe104⤵PID:2740
-
\??\c:\7xrlfll.exec:\7xrlfll.exe105⤵PID:1232
-
\??\c:\0462068.exec:\0462068.exe106⤵PID:2932
-
\??\c:\82002.exec:\82002.exe107⤵PID:3000
-
\??\c:\hnntbt.exec:\hnntbt.exe108⤵PID:2000
-
\??\c:\648248.exec:\648248.exe109⤵PID:2908
-
\??\c:\tbhbhh.exec:\tbhbhh.exe110⤵PID:2516
-
\??\c:\424628.exec:\424628.exe111⤵PID:1588
-
\??\c:\c606066.exec:\c606066.exe112⤵PID:2012
-
\??\c:\3hbhtn.exec:\3hbhtn.exe113⤵PID:2236
-
\??\c:\nnntnt.exec:\nnntnt.exe114⤵PID:2880
-
\??\c:\fxffrrf.exec:\fxffrrf.exe115⤵PID:2904
-
\??\c:\1lrllrx.exec:\1lrllrx.exe116⤵PID:2600
-
\??\c:\nnntht.exec:\nnntht.exe117⤵PID:2452
-
\??\c:\hhthhh.exec:\hhthhh.exe118⤵PID:1052
-
\??\c:\q42460.exec:\q42460.exe119⤵PID:1612
-
\??\c:\tbtbnt.exec:\tbtbnt.exe120⤵PID:236
-
\??\c:\jjjjd.exec:\jjjjd.exe121⤵PID:1280
-
\??\c:\204402.exec:\204402.exe122⤵PID:760