Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe
-
Size
453KB
-
MD5
a1116d6bfa61125560eaff75ac26caa0
-
SHA1
f0cb409e123ad4c8d2942881d2b88dfaac46e842
-
SHA256
29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918f
-
SHA512
3cbc69b08a451cdeae09bf71cdd989516036c9822419b7cd930d3d1dd5916e9102a501f97fb86b96405b25b931f7dfb1073b8019ea49fe3865ff04c55767cea3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/776-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-25-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2352-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-61-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2644-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-86-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/544-411-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1616-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-424-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2968-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-397-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/280-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3028-295-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/568-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-225-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2372-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-189-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1728-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-115-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1600-119-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2756-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2440-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1292 ppjjd.exe 2352 862226.exe 2436 5tbbtt.exe 1416 4246662.exe 2740 42888.exe 2384 64666.exe 2644 022604.exe 2824 68448.exe 2756 9dpjd.exe 2600 htbtnn.exe 2772 08484.exe 1600 nnnbbt.exe 2260 3rxxxrl.exe 800 0480468.exe 2444 a0222.exe 2340 64262.exe 1564 2460044.exe 1728 64486.exe 2480 bnbttn.exe 2836 7tbttn.exe 2840 hnbtht.exe 2372 htttht.exe 3060 vpddj.exe 2404 2082862.exe 1808 lxxxrff.exe 2380 7lfxxxr.exe 2392 9hntbt.exe 536 3thnnn.exe 1940 thnhtn.exe 568 e64066.exe 988 dvdpv.exe 3028 806026.exe 280 806044.exe 772 tbhbnh.exe 2952 tnbbbb.exe 3012 frffllr.exe 3016 8646888.exe 3068 6400606.exe 2752 9vvjj.exe 580 a4662.exe 2784 6860606.exe 2552 86228.exe 2636 248664.exe 2852 lxxxfxx.exe 2824 084404.exe 2604 vdpdp.exe 2524 u266228.exe 2968 2004044.exe 1988 tbnhhb.exe 544 64622.exe 2444 206248.exe 1968 w68888.exe 1564 206628.exe 1740 flxfffx.exe 1616 nhbhhn.exe 1580 08446.exe 2812 s6628.exe 2776 8684006.exe 2868 48246.exe 1676 826206.exe 1808 rrllxxf.exe 1632 9pdvd.exe 1572 tnhhnn.exe 1308 04882.exe -
resource yara_rule behavioral1/memory/776-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-397-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2636-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/280-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-295-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/568-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-197-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2836-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-921-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-1019-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-1051-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-1060-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2556-1187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-1206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-1213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-1347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-1366-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2066884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u802226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04660.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c462824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8646888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 776 wrote to memory of 1292 776 29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe 30 PID 776 wrote to memory of 1292 776 29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe 30 PID 776 wrote to memory of 1292 776 29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe 30 PID 776 wrote to memory of 1292 776 29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe 30 PID 1292 wrote to memory of 2352 1292 ppjjd.exe 31 PID 1292 wrote to memory of 2352 1292 ppjjd.exe 31 PID 1292 wrote to memory of 2352 1292 ppjjd.exe 31 PID 1292 wrote to memory of 2352 1292 ppjjd.exe 31 PID 2352 wrote to memory of 2436 2352 862226.exe 32 PID 2352 wrote to memory of 2436 2352 862226.exe 32 PID 2352 wrote to memory of 2436 2352 862226.exe 32 PID 2352 wrote to memory of 2436 2352 862226.exe 32 PID 2436 wrote to memory of 1416 2436 5tbbtt.exe 33 PID 2436 wrote to memory of 1416 2436 5tbbtt.exe 33 PID 2436 wrote to memory of 1416 2436 5tbbtt.exe 33 PID 2436 wrote to memory of 1416 2436 5tbbtt.exe 33 PID 1416 wrote to memory of 2740 1416 4246662.exe 34 PID 1416 wrote to memory of 2740 1416 4246662.exe 34 PID 1416 wrote to memory of 2740 1416 4246662.exe 34 PID 1416 wrote to memory of 2740 1416 4246662.exe 34 PID 2740 wrote to memory of 2384 2740 42888.exe 35 PID 2740 wrote to memory of 2384 2740 42888.exe 35 PID 2740 wrote to memory of 2384 2740 42888.exe 35 PID 2740 wrote to memory of 2384 2740 42888.exe 35 PID 2384 wrote to memory of 2644 2384 64666.exe 36 PID 2384 wrote to memory of 2644 2384 64666.exe 36 PID 2384 wrote to memory of 2644 2384 64666.exe 36 PID 2384 wrote to memory of 2644 2384 64666.exe 36 PID 2644 wrote to memory of 2824 2644 022604.exe 74 PID 2644 wrote to memory of 2824 2644 022604.exe 74 PID 2644 wrote to memory of 2824 2644 022604.exe 74 PID 2644 wrote to memory of 2824 2644 022604.exe 74 PID 2824 wrote to memory of 2756 2824 68448.exe 38 PID 2824 wrote to memory 
of 2756 2824 68448.exe 38 PID 2824 wrote to memory of 2756 2824 68448.exe 38 PID 2824 wrote to memory of 2756 2824 68448.exe 38 PID 2756 wrote to memory of 2600 2756 9dpjd.exe 39 PID 2756 wrote to memory of 2600 2756 9dpjd.exe 39 PID 2756 wrote to memory of 2600 2756 9dpjd.exe 39 PID 2756 wrote to memory of 2600 2756 9dpjd.exe 39 PID 2600 wrote to memory of 2772 2600 htbtnn.exe 40 PID 2600 wrote to memory of 2772 2600 htbtnn.exe 40 PID 2600 wrote to memory of 2772 2600 htbtnn.exe 40 PID 2600 wrote to memory of 2772 2600 htbtnn.exe 40 PID 2772 wrote to memory of 1600 2772 08484.exe 41 PID 2772 wrote to memory of 1600 2772 08484.exe 41 PID 2772 wrote to memory of 1600 2772 08484.exe 41 PID 2772 wrote to memory of 1600 2772 08484.exe 41 PID 1600 wrote to memory of 2260 1600 nnnbbt.exe 42 PID 1600 wrote to memory of 2260 1600 nnnbbt.exe 42 PID 1600 wrote to memory of 2260 1600 nnnbbt.exe 42 PID 1600 wrote to memory of 2260 1600 nnnbbt.exe 42 PID 2260 wrote to memory of 800 2260 3rxxxrl.exe 43 PID 2260 wrote to memory of 800 2260 3rxxxrl.exe 43 PID 2260 wrote to memory of 800 2260 3rxxxrl.exe 43 PID 2260 wrote to memory of 800 2260 3rxxxrl.exe 43 PID 800 wrote to memory of 2444 800 0480468.exe 80 PID 800 wrote to memory of 2444 800 0480468.exe 80 PID 800 wrote to memory of 2444 800 0480468.exe 80 PID 800 wrote to memory of 2444 800 0480468.exe 80 PID 2444 wrote to memory of 2340 2444 a0222.exe 45 PID 2444 wrote to memory of 2340 2444 a0222.exe 45 PID 2444 wrote to memory of 2340 2444 a0222.exe 45 PID 2444 wrote to memory of 2340 2444 a0222.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe"C:\Users\Admin\AppData\Local\Temp\29fbfe3a7e49219c0aeea998093e3b1b15915170794a7d33cbdad6290c81918fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\ppjjd.exec:\ppjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\862226.exec:\862226.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\5tbbtt.exec:\5tbbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\4246662.exec:\4246662.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\42888.exec:\42888.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\64666.exec:\64666.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\022604.exec:\022604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\68448.exec:\68448.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\9dpjd.exec:\9dpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\htbtnn.exec:\htbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\08484.exec:\08484.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\nnnbbt.exec:\nnnbbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\3rxxxrl.exec:\3rxxxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\0480468.exec:\0480468.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\a0222.exec:\a0222.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\64262.exec:\64262.exe17⤵
- Executes dropped EXE
PID:2340 -
\??\c:\2460044.exec:\2460044.exe18⤵
- Executes dropped EXE
PID:1564 -
\??\c:\64486.exec:\64486.exe19⤵
- Executes dropped EXE
PID:1728 -
\??\c:\bnbttn.exec:\bnbttn.exe20⤵
- Executes dropped EXE
PID:2480 -
\??\c:\7tbttn.exec:\7tbttn.exe21⤵
- Executes dropped EXE
PID:2836 -
\??\c:\hnbtht.exec:\hnbtht.exe22⤵
- Executes dropped EXE
PID:2840 -
\??\c:\htttht.exec:\htttht.exe23⤵
- Executes dropped EXE
PID:2372 -
\??\c:\vpddj.exec:\vpddj.exe24⤵
- Executes dropped EXE
PID:3060 -
\??\c:\2082862.exec:\2082862.exe25⤵
- Executes dropped EXE
PID:2404 -
\??\c:\lxxxrff.exec:\lxxxrff.exe26⤵
- Executes dropped EXE
PID:1808 -
\??\c:\7lfxxxr.exec:\7lfxxxr.exe27⤵
- Executes dropped EXE
PID:2380 -
\??\c:\9hntbt.exec:\9hntbt.exe28⤵
- Executes dropped EXE
PID:2392 -
\??\c:\3thnnn.exec:\3thnnn.exe29⤵
- Executes dropped EXE
PID:536 -
\??\c:\thnhtn.exec:\thnhtn.exe30⤵
- Executes dropped EXE
PID:1940 -
\??\c:\e64066.exec:\e64066.exe31⤵
- Executes dropped EXE
PID:568 -
\??\c:\dvdpv.exec:\dvdpv.exe32⤵
- Executes dropped EXE
PID:988 -
\??\c:\806026.exec:\806026.exe33⤵
- Executes dropped EXE
PID:3028 -
\??\c:\806044.exec:\806044.exe34⤵
- Executes dropped EXE
PID:280 -
\??\c:\tbhbnh.exec:\tbhbnh.exe35⤵
- Executes dropped EXE
PID:772 -
\??\c:\tnbbbb.exec:\tnbbbb.exe36⤵
- Executes dropped EXE
PID:2952 -
\??\c:\frffllr.exec:\frffllr.exe37⤵
- Executes dropped EXE
PID:3012 -
\??\c:\8646888.exec:\8646888.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3016 -
\??\c:\6400606.exec:\6400606.exe39⤵
- Executes dropped EXE
PID:3068 -
\??\c:\9vvjj.exec:\9vvjj.exe40⤵
- Executes dropped EXE
PID:2752 -
\??\c:\a4662.exec:\a4662.exe41⤵
- Executes dropped EXE
PID:580 -
\??\c:\6860606.exec:\6860606.exe42⤵
- Executes dropped EXE
PID:2784 -
\??\c:\86228.exec:\86228.exe43⤵
- Executes dropped EXE
PID:2552 -
\??\c:\248664.exec:\248664.exe44⤵
- Executes dropped EXE
PID:2636 -
\??\c:\lxxxfxx.exec:\lxxxfxx.exe45⤵
- Executes dropped EXE
PID:2852 -
\??\c:\084404.exec:\084404.exe46⤵
- Executes dropped EXE
PID:2824 -
\??\c:\vdpdp.exec:\vdpdp.exe47⤵
- Executes dropped EXE
PID:2604 -
\??\c:\u266228.exec:\u266228.exe48⤵
- Executes dropped EXE
PID:2524 -
\??\c:\2004044.exec:\2004044.exe49⤵
- Executes dropped EXE
PID:2968 -
\??\c:\tbnhhb.exec:\tbnhhb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
\??\c:\64622.exec:\64622.exe51⤵
- Executes dropped EXE
PID:544 -
\??\c:\206248.exec:\206248.exe52⤵
- Executes dropped EXE
PID:2444 -
\??\c:\w68888.exec:\w68888.exe53⤵
- Executes dropped EXE
PID:1968 -
\??\c:\206628.exec:\206628.exe54⤵
- Executes dropped EXE
PID:1564 -
\??\c:\flxfffx.exec:\flxfffx.exe55⤵
- Executes dropped EXE
PID:1740 -
\??\c:\nhbhhn.exec:\nhbhhn.exe56⤵
- Executes dropped EXE
PID:1616 -
\??\c:\08446.exec:\08446.exe57⤵
- Executes dropped EXE
PID:1580 -
\??\c:\s6628.exec:\s6628.exe58⤵
- Executes dropped EXE
PID:2812 -
\??\c:\8684006.exec:\8684006.exe59⤵
- Executes dropped EXE
PID:2776 -
\??\c:\48246.exec:\48246.exe60⤵
- Executes dropped EXE
PID:2868 -
\??\c:\826206.exec:\826206.exe61⤵
- Executes dropped EXE
PID:1676 -
\??\c:\rrllxxf.exec:\rrllxxf.exe62⤵
- Executes dropped EXE
PID:1808 -
\??\c:\9pdvd.exec:\9pdvd.exe63⤵
- Executes dropped EXE
PID:1632 -
\??\c:\tnhhnn.exec:\tnhhnn.exe64⤵
- Executes dropped EXE
PID:1572 -
\??\c:\04882.exec:\04882.exe65⤵
- Executes dropped EXE
PID:1308 -
\??\c:\4226440.exec:\4226440.exe66⤵PID:2864
-
\??\c:\9frlrrf.exec:\9frlrrf.exe67⤵PID:2492
-
\??\c:\4822402.exec:\4822402.exe68⤵PID:2188
-
\??\c:\m2242.exec:\m2242.exe69⤵PID:1644
-
\??\c:\086840.exec:\086840.exe70⤵PID:2112
-
\??\c:\04660.exec:\04660.exe71⤵
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\1hbbnn.exec:\1hbbnn.exe72⤵PID:2280
-
\??\c:\vpjpd.exec:\vpjpd.exe73⤵
- System Location Discovery: System Language Discovery
PID:1540 -
\??\c:\20284.exec:\20284.exe74⤵PID:2892
-
\??\c:\vvjjv.exec:\vvjjv.exe75⤵PID:3004
-
\??\c:\s4284.exec:\s4284.exe76⤵
- System Location Discovery: System Language Discovery
PID:804 -
\??\c:\64880.exec:\64880.exe77⤵PID:1120
-
\??\c:\a2026.exec:\a2026.exe78⤵PID:2800
-
\??\c:\a4668.exec:\a4668.exe79⤵PID:1064
-
\??\c:\lfrxlrl.exec:\lfrxlrl.exe80⤵PID:2672
-
\??\c:\rlxlffx.exec:\rlxlffx.exe81⤵PID:2408
-
\??\c:\424422.exec:\424422.exe82⤵PID:2528
-
\??\c:\9nnhtb.exec:\9nnhtb.exe83⤵PID:2536
-
\??\c:\7thhhh.exec:\7thhhh.exe84⤵PID:2808
-
\??\c:\g6626.exec:\g6626.exe85⤵PID:2564
-
\??\c:\7jpvv.exec:\7jpvv.exe86⤵PID:2032
-
\??\c:\3pvvd.exec:\3pvvd.exe87⤵PID:2556
-
\??\c:\ddpjp.exec:\ddpjp.exe88⤵PID:1988
-
\??\c:\w42844.exec:\w42844.exe89⤵PID:2560
-
\??\c:\4262480.exec:\4262480.exe90⤵PID:2444
-
\??\c:\860066.exec:\860066.exe91⤵PID:2772
-
\??\c:\5dpvv.exec:\5dpvv.exe92⤵PID:1968
-
\??\c:\bhbbht.exec:\bhbbht.exe93⤵PID:316
-
\??\c:\ffrxlrf.exec:\ffrxlrf.exe94⤵PID:1852
-
\??\c:\48620.exec:\48620.exe95⤵
- System Location Discovery: System Language Discovery
PID:2976 -
\??\c:\64002.exec:\64002.exe96⤵PID:1736
-
\??\c:\86402.exec:\86402.exe97⤵PID:288
-
\??\c:\k64440.exec:\k64440.exe98⤵PID:1640
-
\??\c:\a6068.exec:\a6068.exe99⤵PID:1860
-
\??\c:\9vppp.exec:\9vppp.exe100⤵PID:1580
-
\??\c:\080022.exec:\080022.exe101⤵PID:2992
-
\??\c:\646244.exec:\646244.exe102⤵PID:2880
-
\??\c:\pvvpp.exec:\pvvpp.exe103⤵PID:2096
-
\??\c:\080022.exec:\080022.exe104⤵PID:2972
-
\??\c:\dpjjd.exec:\dpjjd.exe105⤵PID:3024
-
\??\c:\426888.exec:\426888.exe106⤵PID:2400
-
\??\c:\rrflxxl.exec:\rrflxxl.exe107⤵PID:856
-
\??\c:\8240662.exec:\8240662.exe108⤵PID:1508
-
\??\c:\9ntnnn.exec:\9ntnnn.exe109⤵PID:2416
-
\??\c:\pjdpd.exec:\pjdpd.exe110⤵PID:276
-
\??\c:\s2002.exec:\s2002.exe111⤵PID:916
-
\??\c:\484066.exec:\484066.exe112⤵PID:2240
-
\??\c:\208466.exec:\208466.exe113⤵PID:2328
-
\??\c:\404600.exec:\404600.exe114⤵PID:2112
-
\??\c:\u268886.exec:\u268886.exe115⤵PID:784
-
\??\c:\040822.exec:\040822.exe116⤵PID:2028
-
\??\c:\5nbbtb.exec:\5nbbtb.exe117⤵PID:2056
-
\??\c:\8688884.exec:\8688884.exe118⤵PID:3012
-
\??\c:\vpjjv.exec:\vpjjv.exe119⤵PID:3016
-
\??\c:\nhbbnt.exec:\nhbbnt.exe120⤵PID:2764
-
\??\c:\w46000.exec:\w46000.exe121⤵PID:3020
-
\??\c:\xrffflf.exec:\xrffflf.exe122⤵PID:580