Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
23-11-2024 22:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc0e342580e9985a967f09cf6fe250f9d99b05282800e682fa59174e3e34507c.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
bc0e342580e9985a967f09cf6fe250f9d99b05282800e682fa59174e3e34507c.exe
-
Size
456KB
-
MD5
9a0acb46e58a2e5731df6b5bc09a3f32
-
SHA1
d263d4b927971896eb1fef2f05f5c3248da290ee
-
SHA256
bc0e342580e9985a967f09cf6fe250f9d99b05282800e682fa59174e3e34507c
-
SHA512
33e1782f8a7d064daa2f0d948dbfe1cee6d993eadf0fabacdb1011bef693baef211ccdb097816e3572d66c11acca208c2f825478d491bec1755e4b264bd6f0bd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRc:q7Tc2NYHUrAwfMp3CDRc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/1300-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1348-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1392-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-198-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2488-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-239-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1824-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2516-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-298-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2736-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-459-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1284-466-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1092-473-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/272-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-495-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1728-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-871-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2352-885-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1392-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-939-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1116-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-972-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2964-979-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-999-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2424-1002-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2424-1007-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-1020-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1348 6084624.exe 1084 o028806.exe 2376 vpjvv.exe 2556 jvppv.exe 2824 0400006.exe 2456 rfflxxr.exe 1392 u086288.exe 2792 pjvdj.exe 2636 0826880.exe 1864 fxrfflr.exe 2232 48286.exe 1484 ntttbn.exe 1116 444688.exe 3020 llfrflr.exe 1208 6840262.exe 3056 886666.exe 264 64464.exe 2268 66020.exe 2400 224002.exe 1848 3hbbhn.exe 1020 806608.exe 2488 8464022.exe 2036 xrxxlff.exe 700 5hhntb.exe 1384 886800.exe 1720 fxxflrf.exe 1680 xxxrllf.exe 1272 40682.exe 1672 tnbhhn.exe 1824 o200284.exe 628 64280.exe 888 046840.exe 2516 2866046.exe 328 xffrxrx.exe 2292 nnhntb.exe 2820 pdvdj.exe 1600 082642.exe 2736 dvjpj.exe 2784 6888446.exe 1692 nbbbbb.exe 2920 64280.exe 2972 lrffllr.exe 2848 6668686.exe 2844 g6468.exe 2676 48624.exe 2684 jvvdp.exe 1316 4042626.exe 2980 ppjjv.exe 2264 fxrlrlx.exe 2900 04284.exe 2880 88620.exe 3060 426684.exe 2884 vjdpj.exe 1224 hbttnt.exe 1996 pppjv.exe 2284 22240.exe 2424 3lrrrxf.exe 1748 s8622.exe 1284 084820.exe 1092 bnbhbb.exe 272 8228420.exe 2060 ffxxfrf.exe 1868 k00648.exe 2036 nhhbhn.exe -
resource yara_rule behavioral1/memory/1300-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-299-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2736-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/272-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-697-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1100-704-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2608-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-792-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1680-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-861-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-959-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-1002-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2424-1007-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-1027-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-1054-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4282224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6024044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 624240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6668686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1300 wrote to memory of 1348 1300 bc0e342580e9985a967f09cf6fe250f9d99b05282800e682fa59174e3e34507c.exe 30 PID 1300 wrote to memory of 1348 1300 bc0e342580e9985a967f09cf6fe250f9d99b05282800e682fa59174e3e34507c.exe 30 PID 1300 wrote to memory of 1348 1300 bc0e342580e9985a967f09cf6fe250f9d99b05282800e682fa59174e3e34507c.exe 30 PID 1300 wrote to memory of 1348 1300 bc0e342580e9985a967f09cf6fe250f9d99b05282800e682fa59174e3e34507c.exe 30 PID 1348 wrote to memory of 1084 1348 6084624.exe 31 PID 1348 wrote to memory of 1084 1348 6084624.exe 31 PID 1348 wrote to memory of 1084 1348 6084624.exe 31 PID 1348 wrote to memory of 1084 1348 6084624.exe 31 PID 1084 wrote to memory of 2376 1084 o028806.exe 32 PID 1084 wrote to memory of 2376 1084 o028806.exe 32 PID 1084 wrote to memory of 2376 1084 o028806.exe 32 PID 1084 wrote to memory of 2376 1084 o028806.exe 32 PID 2376 wrote to memory of 2556 2376 vpjvv.exe 33 PID 2376 wrote to memory of 2556 2376 vpjvv.exe 33 PID 2376 wrote to memory of 2556 2376 vpjvv.exe 33 PID 2376 wrote to memory of 2556 2376 vpjvv.exe 33 PID 2556 wrote to memory of 2824 2556 jvppv.exe 34 PID 2556 wrote to memory of 2824 2556 jvppv.exe 34 PID 2556 wrote to memory of 2824 2556 jvppv.exe 34 PID 2556 wrote to memory of 2824 2556 jvppv.exe 34 PID 2824 wrote to memory of 2456 2824 0400006.exe 35 PID 2824 wrote to memory of 2456 2824 0400006.exe 35 PID 2824 wrote to memory of 2456 2824 0400006.exe 35 PID 2824 wrote to memory of 2456 2824 0400006.exe 35 PID 2456 wrote to memory of 1392 2456 rfflxxr.exe 36 PID 2456 wrote to memory of 1392 2456 rfflxxr.exe 36 PID 2456 wrote to memory of 1392 2456 rfflxxr.exe 36 PID 2456 wrote to memory of 1392 2456 rfflxxr.exe 36 PID 1392 wrote to memory of 2792 1392 u086288.exe 37 PID 1392 wrote to memory of 2792 1392 u086288.exe 37 PID 1392 wrote to memory of 2792 1392 u086288.exe 37 PID 1392 wrote to memory of 2792 1392 u086288.exe 37 PID 2792 wrote to memory of 2636 2792 pjvdj.exe 38 
PID 2792 wrote to memory of 2636 2792 pjvdj.exe 38 PID 2792 wrote to memory of 2636 2792 pjvdj.exe 38 PID 2792 wrote to memory of 2636 2792 pjvdj.exe 38 PID 2636 wrote to memory of 1864 2636 0826880.exe 39 PID 2636 wrote to memory of 1864 2636 0826880.exe 39 PID 2636 wrote to memory of 1864 2636 0826880.exe 39 PID 2636 wrote to memory of 1864 2636 0826880.exe 39 PID 1864 wrote to memory of 2232 1864 fxrfflr.exe 40 PID 1864 wrote to memory of 2232 1864 fxrfflr.exe 40 PID 1864 wrote to memory of 2232 1864 fxrfflr.exe 40 PID 1864 wrote to memory of 2232 1864 fxrfflr.exe 40 PID 2232 wrote to memory of 1484 2232 48286.exe 41 PID 2232 wrote to memory of 1484 2232 48286.exe 41 PID 2232 wrote to memory of 1484 2232 48286.exe 41 PID 2232 wrote to memory of 1484 2232 48286.exe 41 PID 1484 wrote to memory of 1116 1484 ntttbn.exe 42 PID 1484 wrote to memory of 1116 1484 ntttbn.exe 42 PID 1484 wrote to memory of 1116 1484 ntttbn.exe 42 PID 1484 wrote to memory of 1116 1484 ntttbn.exe 42 PID 1116 wrote to memory of 3020 1116 444688.exe 43 PID 1116 wrote to memory of 3020 1116 444688.exe 43 PID 1116 wrote to memory of 3020 1116 444688.exe 43 PID 1116 wrote to memory of 3020 1116 444688.exe 43 PID 3020 wrote to memory of 1208 3020 llfrflr.exe 44 PID 3020 wrote to memory of 1208 3020 llfrflr.exe 44 PID 3020 wrote to memory of 1208 3020 llfrflr.exe 44 PID 3020 wrote to memory of 1208 3020 llfrflr.exe 44 PID 1208 wrote to memory of 3056 1208 6840262.exe 45 PID 1208 wrote to memory of 3056 1208 6840262.exe 45 PID 1208 wrote to memory of 3056 1208 6840262.exe 45 PID 1208 wrote to memory of 3056 1208 6840262.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc0e342580e9985a967f09cf6fe250f9d99b05282800e682fa59174e3e34507c.exe"C:\Users\Admin\AppData\Local\Temp\bc0e342580e9985a967f09cf6fe250f9d99b05282800e682fa59174e3e34507c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\6084624.exec:\6084624.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\o028806.exec:\o028806.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\vpjvv.exec:\vpjvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\jvppv.exec:\jvppv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\0400006.exec:\0400006.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\rfflxxr.exec:\rfflxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\u086288.exec:\u086288.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\pjvdj.exec:\pjvdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\0826880.exec:\0826880.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\fxrfflr.exec:\fxrfflr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\48286.exec:\48286.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\ntttbn.exec:\ntttbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\444688.exec:\444688.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\llfrflr.exec:\llfrflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\6840262.exec:\6840262.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\886666.exec:\886666.exe17⤵
- Executes dropped EXE
PID:3056 -
\??\c:\64464.exec:\64464.exe18⤵
- Executes dropped EXE
PID:264 -
\??\c:\66020.exec:\66020.exe19⤵
- Executes dropped EXE
PID:2268 -
\??\c:\224002.exec:\224002.exe20⤵
- Executes dropped EXE
PID:2400 -
\??\c:\3hbbhn.exec:\3hbbhn.exe21⤵
- Executes dropped EXE
PID:1848 -
\??\c:\806608.exec:\806608.exe22⤵
- Executes dropped EXE
PID:1020 -
\??\c:\8464022.exec:\8464022.exe23⤵
- Executes dropped EXE
PID:2488 -
\??\c:\xrxxlff.exec:\xrxxlff.exe24⤵
- Executes dropped EXE
PID:2036 -
\??\c:\5hhntb.exec:\5hhntb.exe25⤵
- Executes dropped EXE
PID:700 -
\??\c:\886800.exec:\886800.exe26⤵
- Executes dropped EXE
PID:1384 -
\??\c:\fxxflrf.exec:\fxxflrf.exe27⤵
- Executes dropped EXE
PID:1720 -
\??\c:\xxxrllf.exec:\xxxrllf.exe28⤵
- Executes dropped EXE
PID:1680 -
\??\c:\40682.exec:\40682.exe29⤵
- Executes dropped EXE
PID:1272 -
\??\c:\tnbhhn.exec:\tnbhhn.exe30⤵
- Executes dropped EXE
PID:1672 -
\??\c:\o200284.exec:\o200284.exe31⤵
- Executes dropped EXE
PID:1824 -
\??\c:\64280.exec:\64280.exe32⤵
- Executes dropped EXE
PID:628 -
\??\c:\046840.exec:\046840.exe33⤵
- Executes dropped EXE
PID:888 -
\??\c:\2866046.exec:\2866046.exe34⤵
- Executes dropped EXE
PID:2516 -
\??\c:\xffrxrx.exec:\xffrxrx.exe35⤵
- Executes dropped EXE
PID:328 -
\??\c:\nnhntb.exec:\nnhntb.exe36⤵
- Executes dropped EXE
PID:2292 -
\??\c:\pdvdj.exec:\pdvdj.exe37⤵
- Executes dropped EXE
PID:2820 -
\??\c:\082642.exec:\082642.exe38⤵
- Executes dropped EXE
PID:1600 -
\??\c:\dvjpj.exec:\dvjpj.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\6888446.exec:\6888446.exe40⤵
- Executes dropped EXE
PID:2784 -
\??\c:\nbbbbb.exec:\nbbbbb.exe41⤵
- Executes dropped EXE
PID:1692 -
\??\c:\64280.exec:\64280.exe42⤵
- Executes dropped EXE
PID:2920 -
\??\c:\lrffllr.exec:\lrffllr.exe43⤵
- Executes dropped EXE
PID:2972 -
\??\c:\6668686.exec:\6668686.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2848 -
\??\c:\g6468.exec:\g6468.exe45⤵
- Executes dropped EXE
PID:2844 -
\??\c:\48624.exec:\48624.exe46⤵
- Executes dropped EXE
PID:2676 -
\??\c:\jvvdp.exec:\jvvdp.exe47⤵
- Executes dropped EXE
PID:2684 -
\??\c:\4042626.exec:\4042626.exe48⤵
- Executes dropped EXE
PID:1316 -
\??\c:\ppjjv.exec:\ppjjv.exe49⤵
- Executes dropped EXE
PID:2980 -
\??\c:\fxrlrlx.exec:\fxrlrlx.exe50⤵
- Executes dropped EXE
PID:2264 -
\??\c:\04284.exec:\04284.exe51⤵
- Executes dropped EXE
PID:2900 -
\??\c:\88620.exec:\88620.exe52⤵
- Executes dropped EXE
PID:2880 -
\??\c:\426684.exec:\426684.exe53⤵
- Executes dropped EXE
PID:3060 -
\??\c:\vjdpj.exec:\vjdpj.exe54⤵
- Executes dropped EXE
PID:2884 -
\??\c:\hbttnt.exec:\hbttnt.exe55⤵
- Executes dropped EXE
PID:1224 -
\??\c:\pppjv.exec:\pppjv.exe56⤵
- Executes dropped EXE
PID:1996 -
\??\c:\22240.exec:\22240.exe57⤵
- Executes dropped EXE
PID:2284 -
\??\c:\3lrrrxf.exec:\3lrrrxf.exe58⤵
- Executes dropped EXE
PID:2424 -
\??\c:\s8622.exec:\s8622.exe59⤵
- Executes dropped EXE
PID:1748 -
\??\c:\084820.exec:\084820.exe60⤵
- Executes dropped EXE
PID:1284 -
\??\c:\bnbhbb.exec:\bnbhbb.exe61⤵
- Executes dropped EXE
PID:1092 -
\??\c:\8228420.exec:\8228420.exe62⤵
- Executes dropped EXE
PID:272 -
\??\c:\ffxxfrf.exec:\ffxxfrf.exe63⤵
- Executes dropped EXE
PID:2060 -
\??\c:\k00648.exec:\k00648.exe64⤵
- Executes dropped EXE
PID:1868 -
\??\c:\nhhbhn.exec:\nhhbhn.exe65⤵
- Executes dropped EXE
PID:2036 -
\??\c:\0442666.exec:\0442666.exe66⤵PID:1712
-
\??\c:\2486644.exec:\2486644.exe67⤵PID:2536
-
\??\c:\02822.exec:\02822.exe68⤵PID:1780
-
\??\c:\60404.exec:\60404.exe69⤵PID:968
-
\??\c:\2640644.exec:\2640644.exe70⤵PID:2260
-
\??\c:\w68802.exec:\w68802.exe71⤵PID:572
-
\??\c:\6624680.exec:\6624680.exe72⤵PID:1808
-
\??\c:\ppdpv.exec:\ppdpv.exe73⤵PID:2236
-
\??\c:\ddvdj.exec:\ddvdj.exe74⤵PID:1304
-
\??\c:\602288.exec:\602288.exe75⤵PID:628
-
\??\c:\5hbhhn.exec:\5hbhhn.exe76⤵PID:1300
-
\??\c:\pjdjj.exec:\pjdjj.exe77⤵PID:2420
-
\??\c:\002288.exec:\002288.exe78⤵PID:1084
-
\??\c:\8880286.exec:\8880286.exe79⤵PID:2832
-
\??\c:\hnhnhn.exec:\hnhnhn.exe80⤵PID:2496
-
\??\c:\82628.exec:\82628.exe81⤵PID:1728
-
\??\c:\22246.exec:\22246.exe82⤵PID:2936
-
\??\c:\rfrxrxf.exec:\rfrxrxf.exe83⤵PID:2956
-
\??\c:\2880802.exec:\2880802.exe84⤵PID:2444
-
\??\c:\xxxlfff.exec:\xxxlfff.exe85⤵PID:2632
-
\??\c:\nhhbnn.exec:\nhhbnn.exe86⤵PID:2648
-
\??\c:\ffrflrl.exec:\ffrflrl.exe87⤵PID:2848
-
\??\c:\6480246.exec:\6480246.exe88⤵PID:2620
-
\??\c:\820624.exec:\820624.exe89⤵PID:2748
-
\??\c:\000866.exec:\000866.exe90⤵PID:2700
-
\??\c:\04680.exec:\04680.exe91⤵PID:1804
-
\??\c:\flflxfr.exec:\flflxfr.exe92⤵PID:908
-
\??\c:\e82804.exec:\e82804.exe93⤵PID:2308
-
\??\c:\9vppd.exec:\9vppd.exe94⤵PID:580
-
\??\c:\6080886.exec:\6080886.exe95⤵PID:1488
-
\??\c:\pvdpv.exec:\pvdpv.exe96⤵PID:3064
-
\??\c:\4868406.exec:\4868406.exe97⤵PID:1100
-
\??\c:\4486020.exec:\4486020.exe98⤵PID:1444
-
\??\c:\684066.exec:\684066.exe99⤵PID:2588
-
\??\c:\xlxrxll.exec:\xlxrxll.exe100⤵PID:608
-
\??\c:\ddjjv.exec:\ddjjv.exe101⤵PID:2608
-
\??\c:\jpvjp.exec:\jpvjp.exe102⤵PID:2132
-
\??\c:\868264.exec:\868264.exe103⤵PID:2400
-
\??\c:\06240.exec:\06240.exe104⤵PID:1148
-
\??\c:\xrlrflx.exec:\xrlrflx.exe105⤵
- System Location Discovery: System Language Discovery
PID:1328 -
\??\c:\rxxflxr.exec:\rxxflxr.exe106⤵PID:964
-
\??\c:\2662064.exec:\2662064.exe107⤵PID:1396
-
\??\c:\ddpdd.exec:\ddpdd.exe108⤵PID:2272
-
\??\c:\s4802.exec:\s4802.exe109⤵PID:1740
-
\??\c:\5pvvd.exec:\5pvvd.exe110⤵PID:1860
-
\??\c:\vvpjv.exec:\vvpjv.exe111⤵PID:1656
-
\??\c:\bnhnnt.exec:\bnhnnt.exe112⤵PID:1800
-
\??\c:\nnhntn.exec:\nnhntn.exe113⤵PID:1680
-
\??\c:\88246.exec:\88246.exe114⤵PID:1112
-
\??\c:\4224626.exec:\4224626.exe115⤵PID:1508
-
\??\c:\u442446.exec:\u442446.exe116⤵PID:1568
-
\??\c:\jjddp.exec:\jjddp.exe117⤵PID:1264
-
\??\c:\3dvvp.exec:\3dvvp.exe118⤵PID:304
-
\??\c:\frfflrf.exec:\frfflrf.exe119⤵PID:1820
-
\??\c:\42240.exec:\42240.exe120⤵PID:2516
-
\??\c:\7vddj.exec:\7vddj.exe121⤵PID:2440
-
\??\c:\g0446.exec:\g0446.exe122⤵PID:2356