Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
11-01-2025 06:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe
-
Size
454KB
-
MD5
6a366e9f87e39ad6b8204d91d388c25b
-
SHA1
c30609d4b42c3f37caf982aae38cfff7bd8c8242
-
SHA256
389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec
-
SHA512
e56a94ee89da6dbd4167888328c8f6b022a35db26437ae22a34a8247cd4610e36be3604f356996d3b17dc803ecb467ac9ba502acaf551c67872a589dfe72b8ed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/1700-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-85-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/3032-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-83-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/552-142-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3004-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-150-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1720-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-114-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/2360-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-170-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/1536-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2752-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-263-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1472-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-268-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2312-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1200-316-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2808-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-425-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1772-430-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-469-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/732-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-643-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon 
behavioral1/memory/2736-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-740-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1372-779-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1372-798-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1472-819-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1940-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-833-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/3068-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-878-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1000-953-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1876 jjdjv.exe 2484 6820602.exe 2952 m0464.exe 2540 a0802.exe 2900 k04682.exe 2796 20864.exe 2944 rxrxllf.exe 3032 826644.exe 2664 1bhntn.exe 2360 2022884.exe 1056 48640.exe 1480 hbnttt.exe 3004 5vpdj.exe 552 pjvdj.exe 1720 2600846.exe 568 48808.exe 1536 rflxxxl.exe 2752 pdppd.exe 2764 frffffx.exe 2592 1bhbtb.exe 1296 nhtnbb.exe 912 fxrrxxr.exe 2128 3vvpd.exe 2036 9jjjj.exe 892 208466.exe 1548 1lfrthb.exe 2580 vjdpd.exe 1472 ppjpj.exe 728 046248.exe 1944 5dvvp.exe 2228 xrlrffx.exe 1564 pjddv.exe 2312 606262.exe 1200 3djjd.exe 868 rlrrxfr.exe 2148 9bthht.exe 2808 pppjv.exe 2880 48628.exe 2672 1pjdj.exe 2288 42002.exe 2688 042460.exe 2804 i644446.exe 2680 46440.exe 2740 2044002.exe 2508 9vjjp.exe 1764 i400040.exe 576 862860.exe 484 624062.exe 3004 8484888.exe 2724 thtbhn.exe 1772 6428002.exe 2840 q00088.exe 2964 042288.exe 3012 q46688.exe 1536 ffrrxxr.exe 2896 48224.exe 2052 lrfffrl.exe 3028 820806.exe 3056 2028406.exe 1928 8640842.exe 408 nhnhbb.exe 2240 k08466.exe 1684 fflrlll.exe 2036 60428.exe -
resource yara_rule behavioral1/memory/1700-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-95-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/568-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-170-0x0000000001C80000-0x0000000001CAA000-memory.dmp upx behavioral1/memory/1536-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-259-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1472-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/732-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-852-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1620-979-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-1042-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-1092-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c286828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 1876 1700 389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe 30 PID 1700 wrote to memory of 1876 1700 389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe 30 PID 1700 wrote to memory of 1876 1700 389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe 30 PID 1700 wrote to memory of 1876 1700 389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe 30 PID 1876 wrote to memory of 2484 1876 jjdjv.exe 31 PID 1876 wrote to memory of 2484 1876 jjdjv.exe 31 PID 1876 wrote to memory of 2484 1876 jjdjv.exe 31 PID 1876 wrote to memory of 2484 1876 jjdjv.exe 31 PID 2484 wrote to memory of 2952 2484 6820602.exe 32 PID 2484 wrote to memory of 2952 2484 6820602.exe 32 PID 2484 wrote to memory of 2952 2484 6820602.exe 32 PID 2484 wrote to memory of 2952 2484 6820602.exe 32 PID 2952 wrote to memory of 2540 2952 m0464.exe 33 PID 2952 wrote to memory of 2540 2952 m0464.exe 33 PID 2952 wrote to memory of 2540 2952 m0464.exe 33 PID 2952 wrote to memory of 2540 2952 m0464.exe 33 PID 2540 wrote to memory of 2900 2540 a0802.exe 34 PID 2540 wrote to memory of 2900 2540 a0802.exe 34 PID 2540 wrote to memory of 2900 2540 a0802.exe 34 PID 2540 wrote to memory of 2900 2540 a0802.exe 34 PID 2900 wrote to memory of 2796 2900 k04682.exe 35 PID 2900 wrote to memory of 2796 2900 k04682.exe 35 PID 2900 wrote to memory of 2796 2900 k04682.exe 35 PID 2900 wrote to memory of 2796 2900 k04682.exe 35 PID 2796 wrote to memory of 2944 2796 20864.exe 36 PID 2796 wrote to memory of 2944 2796 20864.exe 36 PID 2796 wrote to memory of 2944 2796 20864.exe 36 PID 2796 wrote to memory of 2944 2796 20864.exe 36 PID 2944 wrote to memory of 3032 2944 rxrxllf.exe 37 PID 2944 wrote to memory of 3032 2944 rxrxllf.exe 37 PID 2944 wrote to memory of 3032 2944 rxrxllf.exe 37 PID 2944 wrote to memory of 3032 2944 rxrxllf.exe 37 PID 3032 wrote to memory of 2664 3032 826644.exe 38 PID 3032 wrote to 
memory of 2664 3032 826644.exe 38 PID 3032 wrote to memory of 2664 3032 826644.exe 38 PID 3032 wrote to memory of 2664 3032 826644.exe 38 PID 2664 wrote to memory of 2360 2664 1bhntn.exe 39 PID 2664 wrote to memory of 2360 2664 1bhntn.exe 39 PID 2664 wrote to memory of 2360 2664 1bhntn.exe 39 PID 2664 wrote to memory of 2360 2664 1bhntn.exe 39 PID 2360 wrote to memory of 1056 2360 2022884.exe 40 PID 2360 wrote to memory of 1056 2360 2022884.exe 40 PID 2360 wrote to memory of 1056 2360 2022884.exe 40 PID 2360 wrote to memory of 1056 2360 2022884.exe 40 PID 1056 wrote to memory of 1480 1056 48640.exe 41 PID 1056 wrote to memory of 1480 1056 48640.exe 41 PID 1056 wrote to memory of 1480 1056 48640.exe 41 PID 1056 wrote to memory of 1480 1056 48640.exe 41 PID 1480 wrote to memory of 3004 1480 hbnttt.exe 42 PID 1480 wrote to memory of 3004 1480 hbnttt.exe 42 PID 1480 wrote to memory of 3004 1480 hbnttt.exe 42 PID 1480 wrote to memory of 3004 1480 hbnttt.exe 42 PID 3004 wrote to memory of 552 3004 5vpdj.exe 43 PID 3004 wrote to memory of 552 3004 5vpdj.exe 43 PID 3004 wrote to memory of 552 3004 5vpdj.exe 43 PID 3004 wrote to memory of 552 3004 5vpdj.exe 43 PID 552 wrote to memory of 1720 552 pjvdj.exe 44 PID 552 wrote to memory of 1720 552 pjvdj.exe 44 PID 552 wrote to memory of 1720 552 pjvdj.exe 44 PID 552 wrote to memory of 1720 552 pjvdj.exe 44 PID 1720 wrote to memory of 568 1720 2600846.exe 45 PID 1720 wrote to memory of 568 1720 2600846.exe 45 PID 1720 wrote to memory of 568 1720 2600846.exe 45 PID 1720 wrote to memory of 568 1720 2600846.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe"C:\Users\Admin\AppData\Local\Temp\389c5ad9869e40d6626f06d5a831345464af68883e10b185ccbdba235c6b65ec.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\jjdjv.exec:\jjdjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\6820602.exec:\6820602.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\m0464.exec:\m0464.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\a0802.exec:\a0802.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\k04682.exec:\k04682.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\20864.exec:\20864.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\rxrxllf.exec:\rxrxllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\826644.exec:\826644.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\1bhntn.exec:\1bhntn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\2022884.exec:\2022884.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\48640.exec:\48640.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\hbnttt.exec:\hbnttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\5vpdj.exec:\5vpdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\pjvdj.exec:\pjvdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\2600846.exec:\2600846.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\48808.exec:\48808.exe17⤵
- Executes dropped EXE
PID:568 -
\??\c:\rflxxxl.exec:\rflxxxl.exe18⤵
- Executes dropped EXE
PID:1536 -
\??\c:\pdppd.exec:\pdppd.exe19⤵
- Executes dropped EXE
PID:2752 -
\??\c:\frffffx.exec:\frffffx.exe20⤵
- Executes dropped EXE
PID:2764 -
\??\c:\1bhbtb.exec:\1bhbtb.exe21⤵
- Executes dropped EXE
PID:2592 -
\??\c:\nhtnbb.exec:\nhtnbb.exe22⤵
- Executes dropped EXE
PID:1296 -
\??\c:\fxrrxxr.exec:\fxrrxxr.exe23⤵
- Executes dropped EXE
PID:912 -
\??\c:\3vvpd.exec:\3vvpd.exe24⤵
- Executes dropped EXE
PID:2128 -
\??\c:\9jjjj.exec:\9jjjj.exe25⤵
- Executes dropped EXE
PID:2036 -
\??\c:\208466.exec:\208466.exe26⤵
- Executes dropped EXE
PID:892 -
\??\c:\1lfrthb.exec:\1lfrthb.exe27⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vjdpd.exec:\vjdpd.exe28⤵
- Executes dropped EXE
PID:2580 -
\??\c:\ppjpj.exec:\ppjpj.exe29⤵
- Executes dropped EXE
PID:1472 -
\??\c:\046248.exec:\046248.exe30⤵
- Executes dropped EXE
PID:728 -
\??\c:\5dvvp.exec:\5dvvp.exe31⤵
- Executes dropped EXE
PID:1944 -
\??\c:\xrlrffx.exec:\xrlrffx.exe32⤵
- Executes dropped EXE
PID:2228 -
\??\c:\pjddv.exec:\pjddv.exe33⤵
- Executes dropped EXE
PID:1564 -
\??\c:\606262.exec:\606262.exe34⤵
- Executes dropped EXE
PID:2312 -
\??\c:\3djjd.exec:\3djjd.exe35⤵
- Executes dropped EXE
PID:1200 -
\??\c:\rlrrxfr.exec:\rlrrxfr.exe36⤵
- Executes dropped EXE
PID:868 -
\??\c:\9bthht.exec:\9bthht.exe37⤵
- Executes dropped EXE
PID:2148 -
\??\c:\pppjv.exec:\pppjv.exe38⤵
- Executes dropped EXE
PID:2808 -
\??\c:\48628.exec:\48628.exe39⤵
- Executes dropped EXE
PID:2880 -
\??\c:\1pjdj.exec:\1pjdj.exe40⤵
- Executes dropped EXE
PID:2672 -
\??\c:\42002.exec:\42002.exe41⤵
- Executes dropped EXE
PID:2288 -
\??\c:\042460.exec:\042460.exe42⤵
- Executes dropped EXE
PID:2688 -
\??\c:\i644446.exec:\i644446.exe43⤵
- Executes dropped EXE
PID:2804 -
\??\c:\46440.exec:\46440.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\2044002.exec:\2044002.exe45⤵
- Executes dropped EXE
PID:2740 -
\??\c:\9vjjp.exec:\9vjjp.exe46⤵
- Executes dropped EXE
PID:2508 -
\??\c:\i400040.exec:\i400040.exe47⤵
- Executes dropped EXE
PID:1764 -
\??\c:\862860.exec:\862860.exe48⤵
- Executes dropped EXE
PID:576 -
\??\c:\624062.exec:\624062.exe49⤵
- Executes dropped EXE
PID:484 -
\??\c:\8484888.exec:\8484888.exe50⤵
- Executes dropped EXE
PID:3004 -
\??\c:\thtbhn.exec:\thtbhn.exe51⤵
- Executes dropped EXE
PID:2724 -
\??\c:\6428002.exec:\6428002.exe52⤵
- Executes dropped EXE
PID:1772 -
\??\c:\q00088.exec:\q00088.exe53⤵
- Executes dropped EXE
PID:2840 -
\??\c:\042288.exec:\042288.exe54⤵
- Executes dropped EXE
PID:2964 -
\??\c:\q46688.exec:\q46688.exe55⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ffrrxxr.exec:\ffrrxxr.exe56⤵
- Executes dropped EXE
PID:1536 -
\??\c:\48224.exec:\48224.exe57⤵
- Executes dropped EXE
PID:2896 -
\??\c:\lrfffrl.exec:\lrfffrl.exe58⤵
- Executes dropped EXE
PID:2052 -
\??\c:\820806.exec:\820806.exe59⤵
- Executes dropped EXE
PID:3028 -
\??\c:\2028406.exec:\2028406.exe60⤵
- Executes dropped EXE
PID:3056 -
\??\c:\8640842.exec:\8640842.exe61⤵
- Executes dropped EXE
PID:1928 -
\??\c:\nhnhbb.exec:\nhnhbb.exe62⤵
- Executes dropped EXE
PID:408 -
\??\c:\k08466.exec:\k08466.exe63⤵
- Executes dropped EXE
PID:2240 -
\??\c:\fflrlll.exec:\fflrlll.exe64⤵
- Executes dropped EXE
PID:1684 -
\??\c:\60428.exec:\60428.exe65⤵
- Executes dropped EXE
PID:2036 -
\??\c:\dpdvp.exec:\dpdvp.exe66⤵PID:1636
-
\??\c:\lxlrffl.exec:\lxlrffl.exe67⤵PID:732
-
\??\c:\nbtnhn.exec:\nbtnhn.exe68⤵PID:2380
-
\??\c:\fxllxxx.exec:\fxllxxx.exe69⤵PID:1572
-
\??\c:\42228.exec:\42228.exe70⤵PID:1880
-
\??\c:\ffrrxxl.exec:\ffrrxxl.exe71⤵PID:1652
-
\??\c:\nhtbnt.exec:\nhtbnt.exe72⤵PID:2180
-
\??\c:\tnhhbb.exec:\tnhhbb.exe73⤵PID:2516
-
\??\c:\608466.exec:\608466.exe74⤵PID:1600
-
\??\c:\tnnnht.exec:\tnnnht.exe75⤵PID:1592
-
\??\c:\c202446.exec:\c202446.exe76⤵PID:1792
-
\??\c:\nnhnhn.exec:\nnhnhn.exe77⤵PID:2312
-
\??\c:\fxlflrx.exec:\fxlflrx.exe78⤵PID:2324
-
\??\c:\64826.exec:\64826.exe79⤵PID:2792
-
\??\c:\frrlrrf.exec:\frrlrrf.exe80⤵PID:2952
-
\??\c:\nhtbnt.exec:\nhtbnt.exe81⤵PID:2808
-
\??\c:\3rxrxlx.exec:\3rxrxlx.exe82⤵PID:2904
-
\??\c:\rlrrxfl.exec:\rlrrxfl.exe83⤵PID:2700
-
\??\c:\dvpvd.exec:\dvpvd.exe84⤵PID:2244
-
\??\c:\dvpdj.exec:\dvpdj.exe85⤵PID:2832
-
\??\c:\086200.exec:\086200.exe86⤵PID:2676
-
\??\c:\82062.exec:\82062.exe87⤵PID:2716
-
\??\c:\htbbnt.exec:\htbbnt.exe88⤵PID:2736
-
\??\c:\w08022.exec:\w08022.exe89⤵PID:1852
-
\??\c:\6020642.exec:\6020642.exe90⤵PID:2976
-
\??\c:\4240684.exec:\4240684.exe91⤵PID:596
-
\??\c:\642848.exec:\642848.exe92⤵PID:2972
-
\??\c:\xrlrxxr.exec:\xrlrxxr.exe93⤵PID:536
-
\??\c:\3tthnn.exec:\3tthnn.exe94⤵PID:3008
-
\??\c:\264684.exec:\264684.exe95⤵PID:1644
-
\??\c:\llfrxfr.exec:\llfrxfr.exe96⤵PID:2564
-
\??\c:\nhtbtt.exec:\nhtbtt.exe97⤵PID:568
-
\??\c:\u862068.exec:\u862068.exe98⤵PID:1680
-
\??\c:\g4846.exec:\g4846.exe99⤵PID:2856
-
\??\c:\i084284.exec:\i084284.exe100⤵PID:1536
-
\??\c:\0466246.exec:\0466246.exe101⤵PID:2896
-
\??\c:\i666284.exec:\i666284.exe102⤵PID:1272
-
\??\c:\c488402.exec:\c488402.exe103⤵PID:1788
-
\??\c:\vjvvj.exec:\vjvvj.exe104⤵PID:704
-
\??\c:\0422884.exec:\0422884.exe105⤵PID:912
-
\??\c:\4284222.exec:\4284222.exe106⤵PID:1036
-
\??\c:\s4228.exec:\s4228.exe107⤵PID:1372
-
\??\c:\6606846.exec:\6606846.exe108⤵PID:932
-
\??\c:\7fllxfl.exec:\7fllxfl.exe109⤵PID:892
-
\??\c:\i066880.exec:\i066880.exe110⤵PID:1004
-
\??\c:\xrlxllr.exec:\xrlxllr.exe111⤵PID:2292
-
\??\c:\ppvvj.exec:\ppvvj.exe112⤵PID:2380
-
\??\c:\0424664.exec:\0424664.exe113⤵PID:1472
-
\??\c:\08280.exec:\08280.exe114⤵PID:1940
-
\??\c:\a8620.exec:\a8620.exe115⤵PID:1948
-
\??\c:\6466224.exec:\6466224.exe116⤵PID:2168
-
\??\c:\rrflrxl.exec:\rrflrxl.exe117⤵PID:1724
-
\??\c:\4866402.exec:\4866402.exe118⤵PID:2092
-
\??\c:\ffxxlrf.exec:\ffxxlrf.exe119⤵PID:3068
-
\??\c:\ppjdv.exec:\ppjdv.exe120⤵PID:2484
-
\??\c:\6046446.exec:\6046446.exe121⤵PID:2800
-
\??\c:\7fxfllr.exec:\7fxfllr.exe122⤵PID:2816