Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 07:56
Static task
static1
Behavioral task
behavioral1
Sample
cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe
Resource
win7-20241010-en
General
-
Target
cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe
-
Size
337KB
-
MD5
04ba193d6fd0f8ffd778b9bacb7cd8f6
-
SHA1
90e9d9540e6f8296404142a2a5698e373920d3da
-
SHA256
cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894
-
SHA512
89c8c5f0a36087ce87975f7333e137a0277c02073e4237f651c03e1c4dfa0a3e137c27a09637f32eb1b5ed69cef4aa43cd5b489a47fac73530edda41d7461bbb
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhd:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 60 IoCs
resource yara_rule behavioral1/memory/1704-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-101-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2764-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-116-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2300-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1360-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1176-165-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1360-159-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2468-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-216-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1680-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-240-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2384-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-310-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2360-327-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2908-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-396-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2480-404-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1936-409-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1936-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-416-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1652-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-486-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/896-494-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1704-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-564-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2360-574-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-586-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2952-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-680-0x0000000001B80000-0x0000000001BAA000-memory.dmp family_blackmoon behavioral1/memory/1652-706-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1944-713-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2328-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-790-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1488-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-898-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2880-935-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1820-1001-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-1008-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2144-1043-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2388 4669j.exe 1720 xxrrlfr.exe 2152 2662080.exe 2784 tnnnht.exe 2920 4062884.exe 2904 xrllfrl.exe 3016 hntbbb.exe 2780 486244.exe 2648 2664842.exe 2764 400606.exe 676 c206468.exe 2880 xxxrrxx.exe 2300 tnhtbb.exe 2852 5vjpj.exe 1932 0806440.exe 1360 2268624.exe 1176 c206880.exe 2988 066420.exe 1168 008802.exe 2468 9lfllxf.exe 832 666482.exe 2136 048462.exe 1116 428888.exe 1680 rxlxfrl.exe 1252 lflffrr.exe 2384 fffflrf.exe 2464 606240.exe 2392 48244.exe 1420 5bthnb.exe 2416 lffrflf.exe 2368 0420246.exe 2360 88248.exe 1148 hbnthn.exe 984 jjvdv.exe 2924 9lxfllx.exe 3000 jdpjp.exe 2908 llxfxlx.exe 2768 3vjdp.exe 2824 ntntnt.exe 2692 lrlfxlx.exe 2700 0442402.exe 2780 8246204.exe 2272 80400.exe 2480 lxfflrr.exe 2312 dpdjv.exe 2876 9xffxlx.exe 1812 284064.exe 1936 hbntbh.exe 836 8262464.exe 328 nhhnnh.exe 1652 bbbtbh.exe 1840 o868402.exe 3036 jpvpv.exe 1036 pppjd.exe 2988 604240.exe 392 bbbtnb.exe 756 660846.exe 1776 vvpdj.exe 832 5pddj.exe 896 jpdpd.exe 952 668204.exe 1464 jjdjd.exe 2624 664024.exe 1612 tnbhtb.exe -
resource yara_rule behavioral1/memory/1704-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-299-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3000-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-486-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/896-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-706-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2328-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-790-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1488-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-898-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2864-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-935-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2376-949-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6600624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i640662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8262464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i262028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c428408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w42460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i268820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428080.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2388 1704 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 31 PID 1704 wrote to memory of 2388 1704 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 31 PID 1704 wrote to memory of 2388 1704 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 31 PID 1704 wrote to memory of 2388 1704 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 31 PID 2388 wrote to memory of 1720 2388 4669j.exe 32 PID 2388 wrote to memory of 1720 2388 4669j.exe 32 PID 2388 wrote to memory of 1720 2388 4669j.exe 32 PID 2388 wrote to memory of 1720 2388 4669j.exe 32 PID 1720 wrote to memory of 2152 1720 xxrrlfr.exe 33 PID 1720 wrote to memory of 2152 1720 xxrrlfr.exe 33 PID 1720 wrote to memory of 2152 1720 xxrrlfr.exe 33 PID 1720 wrote to memory of 2152 1720 xxrrlfr.exe 33 PID 2152 wrote to memory of 2784 2152 2662080.exe 34 PID 2152 wrote to memory of 2784 2152 2662080.exe 34 PID 2152 wrote to memory of 2784 2152 2662080.exe 34 PID 2152 wrote to memory of 2784 2152 2662080.exe 34 PID 2784 wrote to memory of 2920 2784 tnnnht.exe 35 PID 2784 wrote to memory of 2920 2784 tnnnht.exe 35 PID 2784 wrote to memory of 2920 2784 tnnnht.exe 35 PID 2784 wrote to memory of 2920 2784 tnnnht.exe 35 PID 2920 wrote to memory of 2904 2920 4062884.exe 36 PID 2920 wrote to memory of 2904 2920 4062884.exe 36 PID 2920 wrote to memory of 2904 2920 4062884.exe 36 PID 2920 wrote to memory of 2904 2920 4062884.exe 36 PID 2904 wrote to memory of 3016 2904 xrllfrl.exe 37 PID 2904 wrote to memory of 3016 2904 xrllfrl.exe 37 PID 2904 wrote to memory of 3016 2904 xrllfrl.exe 37 PID 2904 wrote to memory of 3016 2904 xrllfrl.exe 37 PID 3016 wrote to memory of 2780 3016 hntbbb.exe 38 PID 3016 wrote to memory of 2780 3016 hntbbb.exe 38 PID 3016 wrote to memory of 2780 3016 hntbbb.exe 38 PID 3016 wrote to memory of 2780 3016 hntbbb.exe 38 PID 2780 wrote to memory of 2648 2780 486244.exe 39 
PID 2780 wrote to memory of 2648 2780 486244.exe 39 PID 2780 wrote to memory of 2648 2780 486244.exe 39 PID 2780 wrote to memory of 2648 2780 486244.exe 39 PID 2648 wrote to memory of 2764 2648 2664842.exe 40 PID 2648 wrote to memory of 2764 2648 2664842.exe 40 PID 2648 wrote to memory of 2764 2648 2664842.exe 40 PID 2648 wrote to memory of 2764 2648 2664842.exe 40 PID 2764 wrote to memory of 676 2764 400606.exe 41 PID 2764 wrote to memory of 676 2764 400606.exe 41 PID 2764 wrote to memory of 676 2764 400606.exe 41 PID 2764 wrote to memory of 676 2764 400606.exe 41 PID 676 wrote to memory of 2880 676 c206468.exe 42 PID 676 wrote to memory of 2880 676 c206468.exe 42 PID 676 wrote to memory of 2880 676 c206468.exe 42 PID 676 wrote to memory of 2880 676 c206468.exe 42 PID 2880 wrote to memory of 2300 2880 xxxrrxx.exe 43 PID 2880 wrote to memory of 2300 2880 xxxrrxx.exe 43 PID 2880 wrote to memory of 2300 2880 xxxrrxx.exe 43 PID 2880 wrote to memory of 2300 2880 xxxrrxx.exe 43 PID 2300 wrote to memory of 2852 2300 tnhtbb.exe 44 PID 2300 wrote to memory of 2852 2300 tnhtbb.exe 44 PID 2300 wrote to memory of 2852 2300 tnhtbb.exe 44 PID 2300 wrote to memory of 2852 2300 tnhtbb.exe 44 PID 2852 wrote to memory of 1932 2852 5vjpj.exe 45 PID 2852 wrote to memory of 1932 2852 5vjpj.exe 45 PID 2852 wrote to memory of 1932 2852 5vjpj.exe 45 PID 2852 wrote to memory of 1932 2852 5vjpj.exe 45 PID 1932 wrote to memory of 1360 1932 0806440.exe 46 PID 1932 wrote to memory of 1360 1932 0806440.exe 46 PID 1932 wrote to memory of 1360 1932 0806440.exe 46 PID 1932 wrote to memory of 1360 1932 0806440.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe"C:\Users\Admin\AppData\Local\Temp\cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\4669j.exec:\4669j.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\xxrrlfr.exec:\xxrrlfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\2662080.exec:\2662080.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\tnnnht.exec:\tnnnht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\4062884.exec:\4062884.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\xrllfrl.exec:\xrllfrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\hntbbb.exec:\hntbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\486244.exec:\486244.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\2664842.exec:\2664842.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\400606.exec:\400606.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\c206468.exec:\c206468.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\xxxrrxx.exec:\xxxrrxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\tnhtbb.exec:\tnhtbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\5vjpj.exec:\5vjpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\0806440.exec:\0806440.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\2268624.exec:\2268624.exe17⤵
- Executes dropped EXE
PID:1360 -
\??\c:\c206880.exec:\c206880.exe18⤵
- Executes dropped EXE
PID:1176 -
\??\c:\066420.exec:\066420.exe19⤵
- Executes dropped EXE
PID:2988 -
\??\c:\008802.exec:\008802.exe20⤵
- Executes dropped EXE
PID:1168 -
\??\c:\9lfllxf.exec:\9lfllxf.exe21⤵
- Executes dropped EXE
PID:2468 -
\??\c:\666482.exec:\666482.exe22⤵
- Executes dropped EXE
PID:832 -
\??\c:\048462.exec:\048462.exe23⤵
- Executes dropped EXE
PID:2136 -
\??\c:\428888.exec:\428888.exe24⤵
- Executes dropped EXE
PID:1116 -
\??\c:\rxlxfrl.exec:\rxlxfrl.exe25⤵
- Executes dropped EXE
PID:1680 -
\??\c:\lflffrr.exec:\lflffrr.exe26⤵
- Executes dropped EXE
PID:1252 -
\??\c:\fffflrf.exec:\fffflrf.exe27⤵
- Executes dropped EXE
PID:2384 -
\??\c:\606240.exec:\606240.exe28⤵
- Executes dropped EXE
PID:2464 -
\??\c:\48244.exec:\48244.exe29⤵
- Executes dropped EXE
PID:2392 -
\??\c:\5bthnb.exec:\5bthnb.exe30⤵
- Executes dropped EXE
PID:1420 -
\??\c:\lffrflf.exec:\lffrflf.exe31⤵
- Executes dropped EXE
PID:2416 -
\??\c:\0420246.exec:\0420246.exe32⤵
- Executes dropped EXE
PID:2368 -
\??\c:\88248.exec:\88248.exe33⤵
- Executes dropped EXE
PID:2360 -
\??\c:\hbnthn.exec:\hbnthn.exe34⤵
- Executes dropped EXE
PID:1148 -
\??\c:\jjvdv.exec:\jjvdv.exe35⤵
- Executes dropped EXE
PID:984 -
\??\c:\9lxfllx.exec:\9lxfllx.exe36⤵
- Executes dropped EXE
PID:2924 -
\??\c:\jdpjp.exec:\jdpjp.exe37⤵
- Executes dropped EXE
PID:3000 -
\??\c:\llxfxlx.exec:\llxfxlx.exe38⤵
- Executes dropped EXE
PID:2908 -
\??\c:\3vjdp.exec:\3vjdp.exe39⤵
- Executes dropped EXE
PID:2768 -
\??\c:\ntntnt.exec:\ntntnt.exe40⤵
- Executes dropped EXE
PID:2824 -
\??\c:\lrlfxlx.exec:\lrlfxlx.exe41⤵
- Executes dropped EXE
PID:2692 -
\??\c:\0442402.exec:\0442402.exe42⤵
- Executes dropped EXE
PID:2700 -
\??\c:\8246204.exec:\8246204.exe43⤵
- Executes dropped EXE
PID:2780 -
\??\c:\80400.exec:\80400.exe44⤵
- Executes dropped EXE
PID:2272 -
\??\c:\lxfflrr.exec:\lxfflrr.exe45⤵
- Executes dropped EXE
PID:2480 -
\??\c:\dpdjv.exec:\dpdjv.exe46⤵
- Executes dropped EXE
PID:2312 -
\??\c:\9xffxlx.exec:\9xffxlx.exe47⤵
- Executes dropped EXE
PID:2876 -
\??\c:\284064.exec:\284064.exe48⤵
- Executes dropped EXE
PID:1812 -
\??\c:\hbntbh.exec:\hbntbh.exe49⤵
- Executes dropped EXE
PID:1936 -
\??\c:\8262464.exec:\8262464.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836 -
\??\c:\nhhnnh.exec:\nhhnnh.exe51⤵
- Executes dropped EXE
PID:328 -
\??\c:\bbbtbh.exec:\bbbtbh.exe52⤵
- Executes dropped EXE
PID:1652 -
\??\c:\o868402.exec:\o868402.exe53⤵
- Executes dropped EXE
PID:1840 -
\??\c:\jpvpv.exec:\jpvpv.exe54⤵
- Executes dropped EXE
PID:3036 -
\??\c:\pppjd.exec:\pppjd.exe55⤵
- Executes dropped EXE
PID:1036 -
\??\c:\604240.exec:\604240.exe56⤵
- Executes dropped EXE
PID:2988 -
\??\c:\bbbtnb.exec:\bbbtnb.exe57⤵
- Executes dropped EXE
PID:392 -
\??\c:\660846.exec:\660846.exe58⤵
- Executes dropped EXE
PID:756 -
\??\c:\vvpdj.exec:\vvpdj.exe59⤵
- Executes dropped EXE
PID:1776 -
\??\c:\5pddj.exec:\5pddj.exe60⤵
- Executes dropped EXE
PID:832 -
\??\c:\jpdpd.exec:\jpdpd.exe61⤵
- Executes dropped EXE
PID:896 -
\??\c:\668204.exec:\668204.exe62⤵
- Executes dropped EXE
PID:952 -
\??\c:\jjdjd.exec:\jjdjd.exe63⤵
- Executes dropped EXE
PID:1464 -
\??\c:\664024.exec:\664024.exe64⤵
- Executes dropped EXE
PID:2624 -
\??\c:\tnbhtb.exec:\tnbhtb.exe65⤵
- Executes dropped EXE
PID:1612 -
\??\c:\6606802.exec:\6606802.exe66⤵PID:2520
-
\??\c:\u480806.exec:\u480806.exe67⤵PID:2208
-
\??\c:\0428062.exec:\0428062.exe68⤵PID:2464
-
\??\c:\220646.exec:\220646.exe69⤵PID:1844
-
\??\c:\u684006.exec:\u684006.exe70⤵PID:3060
-
\??\c:\fxlxlxf.exec:\fxlxlxf.exe71⤵PID:1704
-
\??\c:\002822.exec:\002822.exe72⤵PID:2536
-
\??\c:\a4864.exec:\a4864.exe73⤵PID:2368
-
\??\c:\004240.exec:\004240.exe74⤵PID:2360
-
\??\c:\00460.exec:\00460.exe75⤵PID:2840
-
\??\c:\442402.exec:\442402.exe76⤵PID:2152
-
\??\c:\rrrxlxf.exec:\rrrxlxf.exe77⤵PID:2796
-
\??\c:\c800842.exec:\c800842.exe78⤵PID:2776
-
\??\c:\5bntbh.exec:\5bntbh.exe79⤵PID:2652
-
\??\c:\ffxfllr.exec:\ffxfllr.exe80⤵
- System Location Discovery: System Language Discovery
PID:2904 -
\??\c:\422866.exec:\422866.exe81⤵PID:3016
-
\??\c:\0048402.exec:\0048402.exe82⤵PID:2684
-
\??\c:\88006.exec:\88006.exe83⤵PID:1200
-
\??\c:\28028.exec:\28028.exe84⤵PID:2648
-
\??\c:\o484886.exec:\o484886.exe85⤵PID:2116
-
\??\c:\22682.exec:\22682.exe86⤵PID:1196
-
\??\c:\04808.exec:\04808.exe87⤵PID:2952
-
\??\c:\42406.exec:\42406.exe88⤵PID:2880
-
\??\c:\w42240.exec:\w42240.exe89⤵PID:1812
-
\??\c:\462060.exec:\462060.exe90⤵PID:2868
-
\??\c:\248428.exec:\248428.exe91⤵PID:2376
-
\??\c:\2800624.exec:\2800624.exe92⤵PID:1932
-
\??\c:\602842.exec:\602842.exe93⤵
- System Location Discovery: System Language Discovery
PID:1244 -
\??\c:\k82426.exec:\k82426.exe94⤵PID:1652
-
\??\c:\ppjpv.exec:\ppjpv.exe95⤵PID:1944
-
\??\c:\4468060.exec:\4468060.exe96⤵PID:2980
-
\??\c:\hbntbn.exec:\hbntbn.exe97⤵PID:1216
-
\??\c:\82068.exec:\82068.exe98⤵PID:2328
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe99⤵PID:556
-
\??\c:\602244.exec:\602244.exe100⤵PID:324
-
\??\c:\480642.exec:\480642.exe101⤵PID:1756
-
\??\c:\008468.exec:\008468.exe102⤵PID:1116
-
\??\c:\7hbhtb.exec:\7hbhtb.exe103⤵PID:2108
-
\??\c:\ttbntt.exec:\ttbntt.exe104⤵PID:2100
-
\??\c:\k20882.exec:\k20882.exe105⤵PID:1648
-
\??\c:\k26400.exec:\k26400.exe106⤵PID:2444
-
\??\c:\pdjdj.exec:\pdjdj.exe107⤵PID:1044
-
\??\c:\rrlrlrl.exec:\rrlrlrl.exe108⤵PID:2384
-
\??\c:\820240.exec:\820240.exe109⤵PID:2560
-
\??\c:\5htbtb.exec:\5htbtb.exe110⤵PID:908
-
\??\c:\824406.exec:\824406.exe111⤵PID:2580
-
\??\c:\64280.exec:\64280.exe112⤵PID:2188
-
\??\c:\nnbnht.exec:\nnbnht.exe113⤵PID:2416
-
\??\c:\9jvdj.exec:\9jvdj.exe114⤵PID:1488
-
\??\c:\fxlfllx.exec:\fxlfllx.exe115⤵PID:1560
-
\??\c:\3tthtt.exec:\3tthtt.exe116⤵PID:3020
-
\??\c:\vpddj.exec:\vpddj.exe117⤵PID:2236
-
\??\c:\jvjpp.exec:\jvjpp.exe118⤵PID:2752
-
\??\c:\6046846.exec:\6046846.exe119⤵PID:2924
-
\??\c:\a2408.exec:\a2408.exe120⤵PID:2796
-
\??\c:\w42846.exec:\w42846.exe121⤵PID:1856
-
\??\c:\g8608.exec:\g8608.exe122⤵PID:2652