Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-11-2024 02:30
Static task
static1
Behavioral task
behavioral1
Sample
98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe
Resource
win7-20240903-en
General
-
Target
98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe
-
Size
453KB
-
MD5
1ed920f9954d0971060e9a75577cd7ac
-
SHA1
16f3876f008c05239a2ea00423cda1762a2959ac
-
SHA256
98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720
-
SHA512
66ac63cab28eeddc2b79905b29fc94fff96ca64956406ee7e3e8aa71ba9bf00420627f45bf904a8bedf43b31091af88bd20a40267f363ad97214333224cd69c8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
Processes:
resource yara_rule behavioral1/memory/2380-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1184-97-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2872-101-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3060-109-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3060-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1184-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-188-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2700-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/924-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/924-256-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1044-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1288-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-368-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2812-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-383-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2624-409-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1060-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-456-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1564-520-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1564-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-577-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2036-585-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2036-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2516-599-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2976-621-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2812-664-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/540-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-703-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1788-817-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
86888.exe484088.exefxlrxrf.exe6044662.exe9vdpd.exe488860.exe8640668.exe264088.exeq48022.exefxlrffr.exe48624.exe3jppv.exenbbbhn.exebbtbtt.exeppdpv.exebbbnhn.exefxrrffl.exerxxfxxl.exe8244628.exe9xllffl.exee04062.exea0464.exe26068.exeg4286.exedppjv.exe6028668.exe886806.exepdvdj.exe9xllrrx.exe60408.exes6068.exehbthnn.exepjddd.exe9vvdp.exehthhnn.exe2680880.exe26068.exedvpvj.exes4628.exehbnnhn.exenhnnnn.exebtntnt.exerlflxxf.exe4828624.exe1rfxfxf.exe826206.exeppdjv.exe60066.exenhnbht.exe20842.exe608488.exe2026228.exeu800222.exe88068.exe3xlxffx.exe26286.exefrlrrfl.exeo828002.exe4200008.exe2602002.exevpddp.exe264022.exe3xfflrx.exe9rxxffr.exepid Process 2380 86888.exe 3032 484088.exe 848 fxlrxrf.exe 2312 6044662.exe 2852 9vdpd.exe 2728 488860.exe 2872 8640668.exe 1796 264088.exe 2608 q48022.exe 1184 fxlrffr.exe 3060 48624.exe 2824 3jppv.exe 1628 nbbbhn.exe 2092 bbtbtt.exe 764 ppdpv.exe 2644 bbbnhn.exe 2492 fxrrffl.exe 1868 rxxfxxl.exe 2700 8244628.exe 3044 9xllffl.exe 3004 e04062.exe 1940 a0464.exe 1812 26068.exe 1064 g4286.exe 2228 dppjv.exe 924 6028668.exe 1044 886806.exe 2168 pdvdj.exe 1832 9xllrrx.exe 2384 60408.exe 2544 s6068.exe 1288 hbthnn.exe 1528 pjddd.exe 1692 9vvdp.exe 2976 hthhnn.exe 1648 2680880.exe 2132 26068.exe 2312 dvpvj.exe 2860 s4628.exe 2888 hbnnhn.exe 2812 nhnnnn.exe 2648 btntnt.exe 2624 rlflxxf.exe 2772 4828624.exe 2436 1rfxfxf.exe 2180 826206.exe 2620 ppdjv.exe 1060 60066.exe 1720 nhnbht.exe 2704 20842.exe 272 608488.exe 1660 2026228.exe 2964 u800222.exe 2644 88068.exe 1948 3xlxffx.exe 2276 26286.exe 1868 frlrrfl.exe 1732 o828002.exe 904 4200008.exe 2584 2602002.exe 3004 vpddp.exe 1876 264022.exe 1564 3xfflrx.exe 1356 9rxxffr.exe -
Processes:
resource yara_rule behavioral1/memory/2380-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/924-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-327-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2312-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-368-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2812-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-520-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1564-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-621-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2752-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-664-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/540-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-703-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2780-758-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1788-817-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2992-837-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bnbhhh.exepvppj.exevpjjj.exepjvdj.exe64448.exe5xlrxxf.exeu044662.exetnntnb.exe4200008.exejppvd.exe64828.exevvvvp.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64448.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u044662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4200008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe86888.exe484088.exefxlrxrf.exe6044662.exe9vdpd.exe488860.exe8640668.exe264088.exeq48022.exefxlrffr.exe48624.exe3jppv.exenbbbhn.exebbtbtt.exeppdpv.exedescription pid Process procid_target PID 1984 wrote to memory of 2380 1984 98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe 30 PID 1984 wrote to memory of 2380 1984 98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe 30 PID 1984 wrote to memory of 2380 1984 98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe 30 PID 1984 wrote to memory of 2380 1984 98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe 30 PID 2380 wrote to memory of 3032 2380 86888.exe 31 PID 2380 wrote to memory of 3032 2380 86888.exe 31 PID 2380 wrote to memory of 3032 2380 86888.exe 31 PID 2380 wrote to memory of 3032 2380 86888.exe 31 PID 3032 wrote to memory of 848 3032 484088.exe 32 PID 3032 wrote to memory of 848 3032 484088.exe 32 PID 3032 wrote to memory of 848 3032 484088.exe 32 PID 3032 wrote to memory of 848 3032 484088.exe 32 PID 848 wrote to memory of 2312 848 fxlrxrf.exe 33 PID 848 wrote to memory of 2312 848 fxlrxrf.exe 33 PID 848 wrote to memory of 2312 848 fxlrxrf.exe 33 PID 848 wrote to memory of 2312 848 fxlrxrf.exe 33 PID 2312 wrote to memory of 2852 2312 6044662.exe 34 PID 2312 wrote to memory of 2852 2312 6044662.exe 34 PID 2312 wrote to memory of 2852 2312 6044662.exe 34 PID 2312 wrote to memory of 2852 2312 6044662.exe 34 PID 2852 wrote to memory of 2728 2852 9vdpd.exe 35 PID 2852 wrote to memory of 2728 2852 9vdpd.exe 35 PID 2852 wrote to memory of 2728 2852 9vdpd.exe 35 PID 2852 wrote to memory of 2728 2852 9vdpd.exe 35 PID 2728 wrote to memory of 2872 2728 488860.exe 36 PID 2728 wrote to memory of 2872 2728 488860.exe 36 PID 2728 wrote to memory of 2872 2728 488860.exe 36 PID 2728 wrote to memory of 2872 2728 488860.exe 36 PID 2872 wrote to memory of 1796 2872 8640668.exe 37 PID 2872 wrote 
to memory of 1796 2872 8640668.exe 37 PID 2872 wrote to memory of 1796 2872 8640668.exe 37 PID 2872 wrote to memory of 1796 2872 8640668.exe 37 PID 1796 wrote to memory of 2608 1796 264088.exe 38 PID 1796 wrote to memory of 2608 1796 264088.exe 38 PID 1796 wrote to memory of 2608 1796 264088.exe 38 PID 1796 wrote to memory of 2608 1796 264088.exe 38 PID 2608 wrote to memory of 1184 2608 q48022.exe 39 PID 2608 wrote to memory of 1184 2608 q48022.exe 39 PID 2608 wrote to memory of 1184 2608 q48022.exe 39 PID 2608 wrote to memory of 1184 2608 q48022.exe 39 PID 1184 wrote to memory of 3060 1184 fxlrffr.exe 40 PID 1184 wrote to memory of 3060 1184 fxlrffr.exe 40 PID 1184 wrote to memory of 3060 1184 fxlrffr.exe 40 PID 1184 wrote to memory of 3060 1184 fxlrffr.exe 40 PID 3060 wrote to memory of 2824 3060 48624.exe 41 PID 3060 wrote to memory of 2824 3060 48624.exe 41 PID 3060 wrote to memory of 2824 3060 48624.exe 41 PID 3060 wrote to memory of 2824 3060 48624.exe 41 PID 2824 wrote to memory of 1628 2824 3jppv.exe 42 PID 2824 wrote to memory of 1628 2824 3jppv.exe 42 PID 2824 wrote to memory of 1628 2824 3jppv.exe 42 PID 2824 wrote to memory of 1628 2824 3jppv.exe 42 PID 1628 wrote to memory of 2092 1628 nbbbhn.exe 43 PID 1628 wrote to memory of 2092 1628 nbbbhn.exe 43 PID 1628 wrote to memory of 2092 1628 nbbbhn.exe 43 PID 1628 wrote to memory of 2092 1628 nbbbhn.exe 43 PID 2092 wrote to memory of 764 2092 bbtbtt.exe 44 PID 2092 wrote to memory of 764 2092 bbtbtt.exe 44 PID 2092 wrote to memory of 764 2092 bbtbtt.exe 44 PID 2092 wrote to memory of 764 2092 bbtbtt.exe 44 PID 764 wrote to memory of 2644 764 ppdpv.exe 45 PID 764 wrote to memory of 2644 764 ppdpv.exe 45 PID 764 wrote to memory of 2644 764 ppdpv.exe 45 PID 764 wrote to memory of 2644 764 ppdpv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe"C:\Users\Admin\AppData\Local\Temp\98f6a9eb5af52fca53cceedf89688553b42758ea49e4b4a52d493ec5d0e20720.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\86888.exec:\86888.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\484088.exec:\484088.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\fxlrxrf.exec:\fxlrxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
\??\c:\6044662.exec:\6044662.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\9vdpd.exec:\9vdpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\488860.exec:\488860.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\8640668.exec:\8640668.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\264088.exec:\264088.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\q48022.exec:\q48022.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\fxlrffr.exec:\fxlrffr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\48624.exec:\48624.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\3jppv.exec:\3jppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\nbbbhn.exec:\nbbbhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\bbtbtt.exec:\bbtbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\ppdpv.exec:\ppdpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\bbbnhn.exec:\bbbnhn.exe17⤵
- Executes dropped EXE
PID:2644 -
\??\c:\fxrrffl.exec:\fxrrffl.exe18⤵
- Executes dropped EXE
PID:2492 -
\??\c:\rxxfxxl.exec:\rxxfxxl.exe19⤵
- Executes dropped EXE
PID:1868 -
\??\c:\8244628.exec:\8244628.exe20⤵
- Executes dropped EXE
PID:2700 -
\??\c:\9xllffl.exec:\9xllffl.exe21⤵
- Executes dropped EXE
PID:3044 -
\??\c:\e04062.exec:\e04062.exe22⤵
- Executes dropped EXE
PID:3004 -
\??\c:\a0464.exec:\a0464.exe23⤵
- Executes dropped EXE
PID:1940 -
\??\c:\26068.exec:\26068.exe24⤵
- Executes dropped EXE
PID:1812 -
\??\c:\g4286.exec:\g4286.exe25⤵
- Executes dropped EXE
PID:1064 -
\??\c:\dppjv.exec:\dppjv.exe26⤵
- Executes dropped EXE
PID:2228 -
\??\c:\6028668.exec:\6028668.exe27⤵
- Executes dropped EXE
PID:924 -
\??\c:\886806.exec:\886806.exe28⤵
- Executes dropped EXE
PID:1044 -
\??\c:\pdvdj.exec:\pdvdj.exe29⤵
- Executes dropped EXE
PID:2168 -
\??\c:\9xllrrx.exec:\9xllrrx.exe30⤵
- Executes dropped EXE
PID:1832 -
\??\c:\60408.exec:\60408.exe31⤵
- Executes dropped EXE
PID:2384 -
\??\c:\s6068.exec:\s6068.exe32⤵
- Executes dropped EXE
PID:2544 -
\??\c:\hbthnn.exec:\hbthnn.exe33⤵
- Executes dropped EXE
PID:1288 -
\??\c:\pjddd.exec:\pjddd.exe34⤵
- Executes dropped EXE
PID:1528 -
\??\c:\9vvdp.exec:\9vvdp.exe35⤵
- Executes dropped EXE
PID:1692 -
\??\c:\hthhnn.exec:\hthhnn.exe36⤵
- Executes dropped EXE
PID:2976 -
\??\c:\2680880.exec:\2680880.exe37⤵
- Executes dropped EXE
PID:1648 -
\??\c:\26068.exec:\26068.exe38⤵
- Executes dropped EXE
PID:2132 -
\??\c:\dvpvj.exec:\dvpvj.exe39⤵
- Executes dropped EXE
PID:2312 -
\??\c:\s4628.exec:\s4628.exe40⤵
- Executes dropped EXE
PID:2860 -
\??\c:\hbnnhn.exec:\hbnnhn.exe41⤵
- Executes dropped EXE
PID:2888 -
\??\c:\nhnnnn.exec:\nhnnnn.exe42⤵
- Executes dropped EXE
PID:2812 -
\??\c:\btntnt.exec:\btntnt.exe43⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rlflxxf.exec:\rlflxxf.exe44⤵
- Executes dropped EXE
PID:2624 -
\??\c:\4828624.exec:\4828624.exe45⤵
- Executes dropped EXE
PID:2772 -
\??\c:\1rfxfxf.exec:\1rfxfxf.exe46⤵
- Executes dropped EXE
PID:2436 -
\??\c:\826206.exec:\826206.exe47⤵
- Executes dropped EXE
PID:2180 -
\??\c:\ppdjv.exec:\ppdjv.exe48⤵
- Executes dropped EXE
PID:2620 -
\??\c:\60066.exec:\60066.exe49⤵
- Executes dropped EXE
PID:1060 -
\??\c:\nhnbht.exec:\nhnbht.exe50⤵
- Executes dropped EXE
PID:1720 -
\??\c:\20842.exec:\20842.exe51⤵
- Executes dropped EXE
PID:2704 -
\??\c:\608488.exec:\608488.exe52⤵
- Executes dropped EXE
PID:272 -
\??\c:\2026228.exec:\2026228.exe53⤵
- Executes dropped EXE
PID:1660 -
\??\c:\u800222.exec:\u800222.exe54⤵
- Executes dropped EXE
PID:2964 -
\??\c:\88068.exec:\88068.exe55⤵
- Executes dropped EXE
PID:2644 -
\??\c:\3xlxffx.exec:\3xlxffx.exe56⤵
- Executes dropped EXE
PID:1948 -
\??\c:\26286.exec:\26286.exe57⤵
- Executes dropped EXE
PID:2276 -
\??\c:\frlrrfl.exec:\frlrrfl.exe58⤵
- Executes dropped EXE
PID:1868 -
\??\c:\o828002.exec:\o828002.exe59⤵
- Executes dropped EXE
PID:1732 -
\??\c:\4200008.exec:\4200008.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:904 -
\??\c:\2602002.exec:\2602002.exe61⤵
- Executes dropped EXE
PID:2584 -
\??\c:\vpddp.exec:\vpddp.exe62⤵
- Executes dropped EXE
PID:3004 -
\??\c:\264022.exec:\264022.exe63⤵
- Executes dropped EXE
PID:1876 -
\??\c:\3xfflrx.exec:\3xfflrx.exe64⤵
- Executes dropped EXE
PID:1564 -
\??\c:\9rxxffr.exec:\9rxxffr.exe65⤵
- Executes dropped EXE
PID:1356 -
\??\c:\djvpv.exec:\djvpv.exe66⤵PID:2192
-
\??\c:\tbttnb.exec:\tbttnb.exe67⤵PID:908
-
\??\c:\04026.exec:\04026.exe68⤵PID:2316
-
\??\c:\42440.exec:\42440.exe69⤵PID:2112
-
\??\c:\486060.exec:\486060.exe70⤵PID:1044
-
\??\c:\frllrrx.exec:\frllrrx.exe71⤵PID:1736
-
\??\c:\rlxxrlr.exec:\rlxxrlr.exe72⤵PID:1792
-
\??\c:\hbnhbb.exec:\hbnhbb.exe73⤵PID:1764
-
\??\c:\7fllxfl.exec:\7fllxfl.exe74⤵PID:2036
-
\??\c:\rrfrxfl.exec:\rrfrxfl.exe75⤵PID:2160
-
\??\c:\flflxxl.exec:\flflxxl.exe76⤵PID:2516
-
\??\c:\0480008.exec:\0480008.exe77⤵PID:1288
-
\??\c:\42086.exec:\42086.exe78⤵PID:1584
-
\??\c:\ffxllxl.exec:\ffxllxl.exe79⤵PID:2788
-
\??\c:\xlffxxl.exec:\xlffxxl.exe80⤵PID:2976
-
\??\c:\i480280.exec:\i480280.exe81⤵PID:2752
-
\??\c:\822402.exec:\822402.exe82⤵PID:2088
-
\??\c:\jvpjv.exec:\jvpjv.exe83⤵PID:2836
-
\??\c:\tnhthh.exec:\tnhthh.exe84⤵PID:2860
-
\??\c:\2040268.exec:\2040268.exe85⤵PID:2028
-
\??\c:\482800.exec:\482800.exe86⤵PID:2812
-
\??\c:\ffrxlrf.exec:\ffrxlrf.exe87⤵PID:2616
-
\??\c:\082800.exec:\082800.exe88⤵PID:2680
-
\??\c:\vjpvp.exec:\vjpvp.exe89⤵PID:2324
-
\??\c:\g2648.exec:\g2648.exe90⤵PID:540
-
\??\c:\btnhnt.exec:\btnhnt.exe91⤵PID:1040
-
\??\c:\600622.exec:\600622.exe92⤵PID:320
-
\??\c:\3pjvj.exec:\3pjvj.exe93⤵PID:2824
-
\??\c:\026440.exec:\026440.exe94⤵PID:2012
-
\??\c:\5vjdj.exec:\5vjdj.exe95⤵PID:1260
-
\??\c:\hthbbb.exec:\hthbbb.exe96⤵PID:2092
-
\??\c:\9dvdp.exec:\9dvdp.exe97⤵PID:1336
-
\??\c:\6424662.exec:\6424662.exe98⤵PID:2780
-
\??\c:\7jvdd.exec:\7jvdd.exe99⤵PID:2932
-
\??\c:\flflflx.exec:\flflflx.exe100⤵PID:2296
-
\??\c:\htnbhh.exec:\htnbhh.exe101⤵PID:2264
-
\??\c:\86408.exec:\86408.exe102⤵PID:1252
-
\??\c:\bnhntt.exec:\bnhntt.exe103⤵PID:1348
-
\??\c:\k66800.exec:\k66800.exe104⤵PID:2588
-
\??\c:\7ppdd.exec:\7ppdd.exe105⤵PID:324
-
\??\c:\rrfrxfr.exec:\rrfrxfr.exe106⤵PID:2692
-
\??\c:\6088006.exec:\6088006.exe107⤵PID:548
-
\??\c:\42480.exec:\42480.exe108⤵PID:1364
-
\??\c:\i462848.exec:\i462848.exe109⤵PID:1064
-
\??\c:\480684.exec:\480684.exe110⤵PID:1788
-
\??\c:\4868068.exec:\4868068.exe111⤵PID:772
-
\??\c:\6040600.exec:\6040600.exe112⤵PID:3016
-
\??\c:\q64006.exec:\q64006.exe113⤵PID:2184
-
\??\c:\824022.exec:\824022.exe114⤵PID:2992
-
\??\c:\5tbtht.exec:\5tbtht.exe115⤵PID:2440
-
\??\c:\22068.exec:\22068.exe116⤵PID:2032
-
\??\c:\jdvvj.exec:\jdvvj.exe117⤵PID:1752
-
\??\c:\m2060.exec:\m2060.exe118⤵PID:2404
-
\??\c:\1nbbbb.exec:\1nbbbb.exe119⤵PID:2512
-
\??\c:\w08466.exec:\w08466.exe120⤵PID:1808
-
\??\c:\8266246.exec:\8266246.exe121⤵PID:1576
-
\??\c:\044646.exec:\044646.exe122⤵PID:2140