Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18-12-2024 09:13
Behavioral task
behavioral1
Sample
78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe
-
Size
65KB
-
MD5
1d153d2c1756575f601e7bc0ef323e57
-
SHA1
7537b663257b3376e984bd6cf1d2bfa4186b03ab
-
SHA256
78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806
-
SHA512
7350142b190bc763ad1c71d888099abd0a40cf53605285cadaa43d8588ad00557e8a521f809f4406b8fb2b78ab655c6d3a95170159df42c675af319e6f792abe
-
SSDEEP
1536:tvQBeOGtrYS3srx93UBWfwC6Ggnouy8gA2l5CcSgui36:thOmTsF93UYfwC6GIoutgVocSr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 58 IoCs
resource yara_rule behavioral1/memory/2468-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2080-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2720-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2564-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2232-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2232-74-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/532-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3060-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2028-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1864-131-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1936-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2884-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2884-116-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1108-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1108-149-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/288-205-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1992-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1992-187-0x00000000002D0000-0x00000000002F7000-memory.dmp family_blackmoon 
behavioral1/memory/2568-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/620-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/620-172-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1820-227-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1372-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2464-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2540-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2696-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1372-262-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2964-312-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2964-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2624-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2724-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2040-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2272-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/664-482-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/584-489-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2304-590-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2612-623-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2620-631-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2764-682-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1360-698-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1300-716-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1300-737-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1928-735-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1456-805-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1652-812-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1652-813-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/872-839-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2736-842-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2708-901-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-904-0x00000000005C0000-0x00000000005E7000-memory.dmp family_blackmoon behavioral1/memory/480-927-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2556-1005-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2352-1032-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon behavioral1/memory/1132-1059-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2920-1196-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2080 3xllxfl.exe 2856 86666.exe 2720 tnbtnt.exe 2452 206684.exe 2564 48644.exe 2588 5nnbnn.exe 2664 08668.exe 2232 82664.exe 2688 rlffllx.exe 3060 bbhhnt.exe 532 htnttb.exe 2884 lxrrrxr.exe 1936 028804.exe 1864 o086240.exe 2028 7fflxlr.exe 1108 dvjvp.exe 1724 pdpvd.exe 620 bthbtb.exe 2568 5thtnn.exe 1992 606244.exe 2224 w06200.exe 288 nbthnn.exe 752 rlrrfrr.exe 1820 8628624.exe 1084 8628442.exe 1028 7xlxxxf.exe 844 nbhnbb.exe 1372 g6402.exe 2464 202806.exe 2540 i644044.exe 2952 480284.exe 2696 thbhnt.exe 2828 w62244.exe 2964 u640244.exe 1588 frfflxr.exe 2624 86280.exe 2756 s0888.exe 2724 8622884.exe 1552 220806.exe 2620 nbhnhn.exe 2232 dvjpv.exe 2148 w40466.exe 2652 26802.exe 2184 u422406.exe 768 7xlrxfl.exe 3064 thnthh.exe 2440 rfrxllr.exe 2388 c462222.exe 2496 3pjjd.exe 2040 1dvvd.exe 804 jpjjj.exe 1108 42224.exe 1288 2688066.exe 2904 86624.exe 1248 60880.exe 1764 8684662.exe 1972 i268668.exe 2272 1bttbb.exe 2424 e62800.exe 2416 xflfflx.exe 664 nhnhtb.exe 584 64402.exe 1088 480200.exe 2992 nnbntt.exe -
resource yara_rule behavioral1/memory/2468-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000120f6-8.dat upx behavioral1/memory/2468-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015d88-17.dat upx behavioral1/memory/2080-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2720-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015d90-27.dat upx behavioral1/memory/2856-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015da1-37.dat upx behavioral1/memory/2720-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2564-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015df1-45.dat upx behavioral1/files/0x0007000000015e4f-54.dat upx behavioral1/memory/2664-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015f38-62.dat upx behavioral1/memory/2688-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d22-81.dat upx behavioral1/files/0x0009000000015f4e-71.dat upx behavioral1/memory/2232-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d6f-107.dat upx behavioral1/memory/532-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d68-99.dat upx behavioral1/memory/3060-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d4c-90.dat upx behavioral1/memory/2028-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016dd9-137.dat upx behavioral1/files/0x0006000000016dd5-128.dat upx behavioral1/memory/1936-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d73-119.dat upx behavioral1/memory/2884-118-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2884-116-0x00000000002B0000-0x00000000002D7000-memory.dmp upx behavioral1/memory/2884-114-0x00000000002B0000-0x00000000002D7000-memory.dmp upx behavioral1/files/0x0006000000016df5-155.dat upx behavioral1/files/0x0006000000016de9-146.dat upx behavioral1/memory/1108-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016df8-163.dat upx behavioral1/files/0x00060000000174f8-211.dat upx behavioral1/files/0x00060000000174b4-202.dat upx behavioral1/files/0x000600000001707f-194.dat upx behavioral1/files/0x0006000000017570-219.dat upx behavioral1/memory/1992-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016f02-184.dat upx behavioral1/memory/2568-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016edc-175.dat upx behavioral1/memory/620-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000175f1-229.dat upx behavioral1/memory/1820-225-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/844-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000d000000018683-244.dat upx behavioral1/files/0x00060000000175f7-237.dat upx behavioral1/files/0x0005000000018697-253.dat upx behavioral1/memory/1372-260-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/1372-264-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2464-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018706-265.dat upx behavioral1/files/0x000500000001871c-283.dat upx behavioral1/memory/2540-282-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2696-300-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018745-292.dat upx behavioral1/files/0x000500000001870c-274.dat upx behavioral1/memory/2964-314-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2624-327-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2724-340-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2040-414-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2680042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i202444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6064288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o428622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w02884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i020666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2468 wrote to memory of 2080 2468 78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe 30 PID 2468 wrote to memory of 2080 2468 78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe 30 PID 2468 wrote to memory of 2080 2468 78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe 30 PID 2468 wrote to memory of 2080 2468 78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe 30 PID 2080 wrote to memory of 2856 2080 3xllxfl.exe 31 PID 2080 wrote to memory of 2856 2080 3xllxfl.exe 31 PID 2080 wrote to memory of 2856 2080 3xllxfl.exe 31 PID 2080 wrote to memory of 2856 2080 3xllxfl.exe 31 PID 2856 wrote to memory of 2720 2856 86666.exe 32 PID 2856 wrote to memory of 2720 2856 86666.exe 32 PID 2856 wrote to memory of 2720 2856 86666.exe 32 PID 2856 wrote to memory of 2720 2856 86666.exe 32 PID 2720 wrote to memory of 2452 2720 tnbtnt.exe 33 PID 2720 wrote to memory of 2452 2720 tnbtnt.exe 33 PID 2720 wrote to memory of 2452 2720 tnbtnt.exe 33 PID 2720 wrote to memory of 2452 2720 tnbtnt.exe 33 PID 2452 wrote to memory of 2564 2452 206684.exe 34 PID 2452 wrote to memory of 2564 2452 206684.exe 34 PID 2452 wrote to memory of 2564 2452 206684.exe 34 PID 2452 wrote to memory of 2564 2452 206684.exe 34 PID 2564 wrote to memory of 2588 2564 48644.exe 35 PID 2564 wrote to memory of 2588 2564 48644.exe 35 PID 2564 wrote to memory of 2588 2564 48644.exe 35 PID 2564 wrote to memory of 2588 2564 48644.exe 35 PID 2588 wrote to memory of 2664 2588 5nnbnn.exe 36 PID 2588 wrote to memory of 2664 2588 5nnbnn.exe 36 PID 2588 wrote to memory of 2664 2588 5nnbnn.exe 36 PID 2588 wrote to memory of 2664 2588 5nnbnn.exe 36 PID 2664 wrote to memory of 2232 2664 08668.exe 37 PID 2664 wrote to memory of 2232 2664 08668.exe 37 PID 2664 wrote to memory of 2232 2664 08668.exe 37 PID 2664 wrote to memory of 2232 2664 08668.exe 37 PID 2232 wrote to memory of 2688 2232 82664.exe 38 PID 2232 wrote to 
memory of 2688 2232 82664.exe 38 PID 2232 wrote to memory of 2688 2232 82664.exe 38 PID 2232 wrote to memory of 2688 2232 82664.exe 38 PID 2688 wrote to memory of 3060 2688 rlffllx.exe 39 PID 2688 wrote to memory of 3060 2688 rlffllx.exe 39 PID 2688 wrote to memory of 3060 2688 rlffllx.exe 39 PID 2688 wrote to memory of 3060 2688 rlffllx.exe 39 PID 3060 wrote to memory of 532 3060 bbhhnt.exe 40 PID 3060 wrote to memory of 532 3060 bbhhnt.exe 40 PID 3060 wrote to memory of 532 3060 bbhhnt.exe 40 PID 3060 wrote to memory of 532 3060 bbhhnt.exe 40 PID 532 wrote to memory of 2884 532 htnttb.exe 41 PID 532 wrote to memory of 2884 532 htnttb.exe 41 PID 532 wrote to memory of 2884 532 htnttb.exe 41 PID 532 wrote to memory of 2884 532 htnttb.exe 41 PID 2884 wrote to memory of 1936 2884 lxrrrxr.exe 42 PID 2884 wrote to memory of 1936 2884 lxrrrxr.exe 42 PID 2884 wrote to memory of 1936 2884 lxrrrxr.exe 42 PID 2884 wrote to memory of 1936 2884 lxrrrxr.exe 42 PID 1936 wrote to memory of 1864 1936 028804.exe 43 PID 1936 wrote to memory of 1864 1936 028804.exe 43 PID 1936 wrote to memory of 1864 1936 028804.exe 43 PID 1936 wrote to memory of 1864 1936 028804.exe 43 PID 1864 wrote to memory of 2028 1864 o086240.exe 44 PID 1864 wrote to memory of 2028 1864 o086240.exe 44 PID 1864 wrote to memory of 2028 1864 o086240.exe 44 PID 1864 wrote to memory of 2028 1864 o086240.exe 44 PID 2028 wrote to memory of 1108 2028 7fflxlr.exe 45 PID 2028 wrote to memory of 1108 2028 7fflxlr.exe 45 PID 2028 wrote to memory of 1108 2028 7fflxlr.exe 45 PID 2028 wrote to memory of 1108 2028 7fflxlr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe"C:\Users\Admin\AppData\Local\Temp\78fe7f44e720704e83d60aa3de20e97899f26939f833d7ac2365b9ad31322806.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\3xllxfl.exec:\3xllxfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\86666.exec:\86666.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\tnbtnt.exec:\tnbtnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\206684.exec:\206684.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\48644.exec:\48644.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\5nnbnn.exec:\5nnbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\08668.exec:\08668.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\82664.exec:\82664.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\rlffllx.exec:\rlffllx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\bbhhnt.exec:\bbhhnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\htnttb.exec:\htnttb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\lxrrrxr.exec:\lxrrrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\028804.exec:\028804.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\o086240.exec:\o086240.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\7fflxlr.exec:\7fflxlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\dvjvp.exec:\dvjvp.exe17⤵
- Executes dropped EXE
PID:1108 -
\??\c:\pdpvd.exec:\pdpvd.exe18⤵
- Executes dropped EXE
PID:1724 -
\??\c:\bthbtb.exec:\bthbtb.exe19⤵
- Executes dropped EXE
PID:620 -
\??\c:\5thtnn.exec:\5thtnn.exe20⤵
- Executes dropped EXE
PID:2568 -
\??\c:\606244.exec:\606244.exe21⤵
- Executes dropped EXE
PID:1992 -
\??\c:\w06200.exec:\w06200.exe22⤵
- Executes dropped EXE
PID:2224 -
\??\c:\nbthnn.exec:\nbthnn.exe23⤵
- Executes dropped EXE
PID:288 -
\??\c:\rlrrfrr.exec:\rlrrfrr.exe24⤵
- Executes dropped EXE
PID:752 -
\??\c:\8628624.exec:\8628624.exe25⤵
- Executes dropped EXE
PID:1820 -
\??\c:\8628442.exec:\8628442.exe26⤵
- Executes dropped EXE
PID:1084 -
\??\c:\7xlxxxf.exec:\7xlxxxf.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\nbhnbb.exec:\nbhnbb.exe28⤵
- Executes dropped EXE
PID:844 -
\??\c:\g6402.exec:\g6402.exe29⤵
- Executes dropped EXE
PID:1372 -
\??\c:\202806.exec:\202806.exe30⤵
- Executes dropped EXE
PID:2464 -
\??\c:\i644044.exec:\i644044.exe31⤵
- Executes dropped EXE
PID:2540 -
\??\c:\480284.exec:\480284.exe32⤵
- Executes dropped EXE
PID:2952 -
\??\c:\thbhnt.exec:\thbhnt.exe33⤵
- Executes dropped EXE
PID:2696 -
\??\c:\w62244.exec:\w62244.exe34⤵
- Executes dropped EXE
PID:2828 -
\??\c:\u640244.exec:\u640244.exe35⤵
- Executes dropped EXE
PID:2964 -
\??\c:\frfflxr.exec:\frfflxr.exe36⤵
- Executes dropped EXE
PID:1588 -
\??\c:\86280.exec:\86280.exe37⤵
- Executes dropped EXE
PID:2624 -
\??\c:\s0888.exec:\s0888.exe38⤵
- Executes dropped EXE
PID:2756 -
\??\c:\8622884.exec:\8622884.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\220806.exec:\220806.exe40⤵
- Executes dropped EXE
PID:1552 -
\??\c:\nbhnhn.exec:\nbhnhn.exe41⤵
- Executes dropped EXE
PID:2620 -
\??\c:\dvjpv.exec:\dvjpv.exe42⤵
- Executes dropped EXE
PID:2232 -
\??\c:\w40466.exec:\w40466.exe43⤵
- Executes dropped EXE
PID:2148 -
\??\c:\26802.exec:\26802.exe44⤵
- Executes dropped EXE
PID:2652 -
\??\c:\u422406.exec:\u422406.exe45⤵
- Executes dropped EXE
PID:2184 -
\??\c:\7xlrxfl.exec:\7xlrxfl.exe46⤵
- Executes dropped EXE
PID:768 -
\??\c:\thnthh.exec:\thnthh.exe47⤵
- Executes dropped EXE
PID:3064 -
\??\c:\rfrxllr.exec:\rfrxllr.exe48⤵
- Executes dropped EXE
PID:2440 -
\??\c:\c462222.exec:\c462222.exe49⤵
- Executes dropped EXE
PID:2388 -
\??\c:\3pjjd.exec:\3pjjd.exe50⤵
- Executes dropped EXE
PID:2496 -
\??\c:\1dvvd.exec:\1dvvd.exe51⤵
- Executes dropped EXE
PID:2040 -
\??\c:\jpjjj.exec:\jpjjj.exe52⤵
- Executes dropped EXE
PID:804 -
\??\c:\42224.exec:\42224.exe53⤵
- Executes dropped EXE
PID:1108 -
\??\c:\2688066.exec:\2688066.exe54⤵
- Executes dropped EXE
PID:1288 -
\??\c:\86624.exec:\86624.exe55⤵
- Executes dropped EXE
PID:2904 -
\??\c:\60880.exec:\60880.exe56⤵
- Executes dropped EXE
PID:1248 -
\??\c:\8684662.exec:\8684662.exe57⤵
- Executes dropped EXE
PID:1764 -
\??\c:\i268668.exec:\i268668.exe58⤵
- Executes dropped EXE
PID:1972 -
\??\c:\1bttbb.exec:\1bttbb.exe59⤵
- Executes dropped EXE
PID:2272 -
\??\c:\e62800.exec:\e62800.exe60⤵
- Executes dropped EXE
PID:2424 -
\??\c:\xflfflx.exec:\xflfflx.exe61⤵
- Executes dropped EXE
PID:2416 -
\??\c:\nhnhtb.exec:\nhnhtb.exe62⤵
- Executes dropped EXE
PID:664 -
\??\c:\64402.exec:\64402.exe63⤵
- Executes dropped EXE
PID:584 -
\??\c:\480200.exec:\480200.exe64⤵
- Executes dropped EXE
PID:1088 -
\??\c:\nnbntt.exec:\nnbntt.exe65⤵
- Executes dropped EXE
PID:2992 -
\??\c:\lfrxflr.exec:\lfrxflr.exe66⤵PID:836
-
\??\c:\xlxxlrx.exec:\xlxxlrx.exe67⤵PID:1616
-
\??\c:\vjvjp.exec:\vjvjp.exe68⤵PID:2188
-
\??\c:\btnhtt.exec:\btnhtt.exe69⤵PID:1456
-
\??\c:\824044.exec:\824044.exe70⤵PID:3008
-
\??\c:\86288.exec:\86288.exe71⤵PID:1372
-
\??\c:\080028.exec:\080028.exe72⤵PID:2500
-
\??\c:\5hbbnb.exec:\5hbbnb.exe73⤵PID:984
-
\??\c:\xlrrxxf.exec:\xlrrxxf.exe74⤵PID:1752
-
\??\c:\3pdvj.exec:\3pdvj.exe75⤵PID:2356
-
\??\c:\0806440.exec:\0806440.exe76⤵PID:2812
-
\??\c:\9jddp.exec:\9jddp.exe77⤵PID:1572
-
\??\c:\llxrrxf.exec:\llxrrxf.exe78⤵PID:1548
-
\??\c:\nbhnbt.exec:\nbhnbt.exe79⤵PID:2304
-
\??\c:\64624.exec:\64624.exe80⤵PID:2960
-
\??\c:\bttbhn.exec:\bttbhn.exe81⤵PID:2924
-
\??\c:\46226.exec:\46226.exe82⤵PID:2756
-
\??\c:\q60628.exec:\q60628.exe83⤵PID:2600
-
\??\c:\m6884.exec:\m6884.exe84⤵PID:2612
-
\??\c:\200606.exec:\200606.exe85⤵PID:2620
-
\??\c:\44262.exec:\44262.exe86⤵PID:2036
-
\??\c:\xlfxrrx.exec:\xlfxrrx.exe87⤵PID:3060
-
\??\c:\vpdpv.exec:\vpdpv.exe88⤵PID:2432
-
\??\c:\vjvjv.exec:\vjvjv.exe89⤵PID:2684
-
\??\c:\2644224.exec:\2644224.exe90⤵PID:2408
-
\??\c:\dpjpv.exec:\dpjpv.exe91⤵PID:2000
-
\??\c:\6028244.exec:\6028244.exe92⤵PID:2340
-
\??\c:\pjdjp.exec:\pjdjp.exe93⤵PID:2764
-
\??\c:\c422064.exec:\c422064.exe94⤵PID:2032
-
\??\c:\5thhtt.exec:\5thhtt.exe95⤵PID:1484
-
\??\c:\2684440.exec:\2684440.exe96⤵PID:1360
-
\??\c:\jvjjv.exec:\jvjjv.exe97⤵PID:936
-
\??\c:\pjvdp.exec:\pjvdp.exe98⤵PID:1300
-
\??\c:\2088040.exec:\2088040.exe99⤵PID:1248
-
\??\c:\7jdpj.exec:\7jdpj.exe100⤵PID:1764
-
\??\c:\0484662.exec:\0484662.exe101⤵PID:1928
-
\??\c:\frxxrrx.exec:\frxxrrx.exe102⤵PID:2272
-
\??\c:\5lxxxxl.exec:\5lxxxxl.exe103⤵PID:1048
-
\??\c:\0844006.exec:\0844006.exe104⤵PID:664
-
\??\c:\bththn.exec:\bththn.exe105⤵PID:2420
-
\??\c:\5bnntt.exec:\5bnntt.exe106⤵PID:1384
-
\??\c:\btbbnn.exec:\btbbnn.exe107⤵PID:1820
-
\??\c:\20668.exec:\20668.exe108⤵PID:2992
-
\??\c:\nbhhtn.exec:\nbhhtn.exe109⤵PID:1156
-
\??\c:\08442.exec:\08442.exe110⤵PID:692
-
\??\c:\086880.exec:\086880.exe111⤵PID:1888
-
\??\c:\8288828.exec:\8288828.exe112⤵PID:1456
-
\??\c:\htbhtb.exec:\htbhtb.exe113⤵PID:1652
-
\??\c:\2062662.exec:\2062662.exe114⤵PID:884
-
\??\c:\pjjdp.exec:\pjjdp.exe115⤵PID:2252
-
\??\c:\vpjpv.exec:\vpjpv.exe116⤵PID:2824
-
\??\c:\1hbtbn.exec:\1hbtbn.exe117⤵PID:872
-
\??\c:\5xrflrr.exec:\5xrflrr.exe118⤵PID:2736
-
\??\c:\8240046.exec:\8240046.exe119⤵PID:2228
-
\??\c:\5hbntt.exec:\5hbntt.exe120⤵PID:2712
-
\??\c:\208400.exec:\208400.exe121⤵PID:2800
-
\??\c:\0862006.exec:\0862006.exe122⤵PID:2784
-