Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 20:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe
-
Size
453KB
-
MD5
b290e973507fda7f8903c0f2fe963af1
-
SHA1
bc55489f62b57c44dec28fae1a989d9bb54aa830
-
SHA256
1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05
-
SHA512
e9d3ea6e8d39f9aea292d0bf946f46d794cbb771a285a57992ad137e17068cbb596b12337114f0cbd248cb15e10f8d7381af2d837af8c0247caa27c9d5ab60e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2292-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-74-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2808-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-184-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1716-182-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1044-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/792-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-675-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2436-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-826-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1228-863-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1228-864-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2136-1014-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1948-1095-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1948-1094-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2740-1245-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2508 3tthth.exe 1512 rxflxfr.exe 2828 268860.exe 2752 04802.exe 2860 086246.exe 2604 vpddj.exe 2744 tnbbhn.exe 2808 6088880.exe 2656 9ntbnh.exe 2532 lfxxrlx.exe 2944 lxxrlrx.exe 3036 lfrrfxf.exe 3048 080088.exe 3060 rxlllll.exe 2740 c422228.exe 380 dddpd.exe 1312 btthnb.exe 388 4824286.exe 1716 86284.exe 1080 28040.exe 1044 5tnhnt.exe 1880 7nhhbb.exe 2052 vpjvd.exe 1444 nbbbbt.exe 792 c824668.exe 1372 8246220.exe 1744 jjdjv.exe 2040 c606886.exe 1052 080666.exe 1948 k42282.exe 2220 3jpvd.exe 1248 80666.exe 1380 nbtttn.exe 1688 4268446.exe 1228 o484446.exe 1796 nbhtbt.exe 2588 5ttntt.exe 2748 hbntbb.exe 2796 ttbntt.exe 2860 frfxrll.exe 2060 824026.exe 2892 8688488.exe 2684 jddpd.exe 2688 k64844.exe 2812 c622228.exe 2464 7bnhnn.exe 1812 tnbbnh.exe 1296 484062.exe 3024 w64004.exe 2820 08444.exe 3056 q64088.exe 2728 5rfllrx.exe 1276 tnbbhb.exe 2700 82680.exe 1304 tthnnt.exe 2364 nhhhhh.exe 388 ddjjp.exe 536 3rflllx.exe 2180 3xllxrx.exe 2028 684440.exe 688 k64084.exe 1592 lfxxflx.exe 1032 5thbhb.exe 1540 1vjdp.exe -
resource yara_rule behavioral1/memory/2292-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/792-236-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1372-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-675-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1304-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-889-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-909-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-916-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2492-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-961-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-993-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-1199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-1212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-1270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-1360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-1373-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6028880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4806262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2292 wrote to memory of 2508 2292 1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe 31 PID 2292 wrote to memory of 2508 2292 1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe 31 PID 2292 wrote to memory of 2508 2292 1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe 31 PID 2292 wrote to memory of 2508 2292 1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe 31 PID 2508 wrote to memory of 1512 2508 3tthth.exe 32 PID 2508 wrote to memory of 1512 2508 3tthth.exe 32 PID 2508 wrote to memory of 1512 2508 3tthth.exe 32 PID 2508 wrote to memory of 1512 2508 3tthth.exe 32 PID 1512 wrote to memory of 2828 1512 rxflxfr.exe 33 PID 1512 wrote to memory of 2828 1512 rxflxfr.exe 33 PID 1512 wrote to memory of 2828 1512 rxflxfr.exe 33 PID 1512 wrote to memory of 2828 1512 rxflxfr.exe 33 PID 2828 wrote to memory of 2752 2828 268860.exe 34 PID 2828 wrote to memory of 2752 2828 268860.exe 34 PID 2828 wrote to memory of 2752 2828 268860.exe 34 PID 2828 wrote to memory of 2752 2828 268860.exe 34 PID 2752 wrote to memory of 2860 2752 04802.exe 35 PID 2752 wrote to memory of 2860 2752 04802.exe 35 PID 2752 wrote to memory of 2860 2752 04802.exe 35 PID 2752 wrote to memory of 2860 2752 04802.exe 35 PID 2860 wrote to memory of 2604 2860 086246.exe 36 PID 2860 wrote to memory of 2604 2860 086246.exe 36 PID 2860 wrote to memory of 2604 2860 086246.exe 36 PID 2860 wrote to memory of 2604 2860 086246.exe 36 PID 2604 wrote to memory of 2744 2604 vpddj.exe 37 PID 2604 wrote to memory of 2744 2604 vpddj.exe 37 PID 2604 wrote to memory of 2744 2604 vpddj.exe 37 PID 2604 wrote to memory of 2744 2604 vpddj.exe 37 PID 2744 wrote to memory of 2808 2744 tnbbhn.exe 38 PID 2744 wrote to memory of 2808 2744 tnbbhn.exe 38 PID 2744 wrote to memory of 2808 2744 tnbbhn.exe 38 PID 2744 wrote to memory of 2808 2744 tnbbhn.exe 38 PID 2808 wrote to memory of 2656 2808 6088880.exe 39 PID 2808 wrote 
to memory of 2656 2808 6088880.exe 39 PID 2808 wrote to memory of 2656 2808 6088880.exe 39 PID 2808 wrote to memory of 2656 2808 6088880.exe 39 PID 2656 wrote to memory of 2532 2656 9ntbnh.exe 40 PID 2656 wrote to memory of 2532 2656 9ntbnh.exe 40 PID 2656 wrote to memory of 2532 2656 9ntbnh.exe 40 PID 2656 wrote to memory of 2532 2656 9ntbnh.exe 40 PID 2532 wrote to memory of 2944 2532 lfxxrlx.exe 41 PID 2532 wrote to memory of 2944 2532 lfxxrlx.exe 41 PID 2532 wrote to memory of 2944 2532 lfxxrlx.exe 41 PID 2532 wrote to memory of 2944 2532 lfxxrlx.exe 41 PID 2944 wrote to memory of 3036 2944 lxxrlrx.exe 42 PID 2944 wrote to memory of 3036 2944 lxxrlrx.exe 42 PID 2944 wrote to memory of 3036 2944 lxxrlrx.exe 42 PID 2944 wrote to memory of 3036 2944 lxxrlrx.exe 42 PID 3036 wrote to memory of 3048 3036 lfrrfxf.exe 43 PID 3036 wrote to memory of 3048 3036 lfrrfxf.exe 43 PID 3036 wrote to memory of 3048 3036 lfrrfxf.exe 43 PID 3036 wrote to memory of 3048 3036 lfrrfxf.exe 43 PID 3048 wrote to memory of 3060 3048 080088.exe 44 PID 3048 wrote to memory of 3060 3048 080088.exe 44 PID 3048 wrote to memory of 3060 3048 080088.exe 44 PID 3048 wrote to memory of 3060 3048 080088.exe 44 PID 3060 wrote to memory of 2740 3060 rxlllll.exe 45 PID 3060 wrote to memory of 2740 3060 rxlllll.exe 45 PID 3060 wrote to memory of 2740 3060 rxlllll.exe 45 PID 3060 wrote to memory of 2740 3060 rxlllll.exe 45 PID 2740 wrote to memory of 380 2740 c422228.exe 46 PID 2740 wrote to memory of 380 2740 c422228.exe 46 PID 2740 wrote to memory of 380 2740 c422228.exe 46 PID 2740 wrote to memory of 380 2740 c422228.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe"C:\Users\Admin\AppData\Local\Temp\1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\3tthth.exec:\3tthth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\rxflxfr.exec:\rxflxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\268860.exec:\268860.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\04802.exec:\04802.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\086246.exec:\086246.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\vpddj.exec:\vpddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\tnbbhn.exec:\tnbbhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\6088880.exec:\6088880.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\9ntbnh.exec:\9ntbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\lfxxrlx.exec:\lfxxrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\lxxrlrx.exec:\lxxrlrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\lfrrfxf.exec:\lfrrfxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\080088.exec:\080088.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\rxlllll.exec:\rxlllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\c422228.exec:\c422228.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\dddpd.exec:\dddpd.exe17⤵
- Executes dropped EXE
PID:380 -
\??\c:\btthnb.exec:\btthnb.exe18⤵
- Executes dropped EXE
PID:1312 -
\??\c:\4824286.exec:\4824286.exe19⤵
- Executes dropped EXE
PID:388 -
\??\c:\86284.exec:\86284.exe20⤵
- Executes dropped EXE
PID:1716 -
\??\c:\28040.exec:\28040.exe21⤵
- Executes dropped EXE
PID:1080 -
\??\c:\5tnhnt.exec:\5tnhnt.exe22⤵
- Executes dropped EXE
PID:1044 -
\??\c:\7nhhbb.exec:\7nhhbb.exe23⤵
- Executes dropped EXE
PID:1880 -
\??\c:\vpjvd.exec:\vpjvd.exe24⤵
- Executes dropped EXE
PID:2052 -
\??\c:\nbbbbt.exec:\nbbbbt.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1444 -
\??\c:\c824668.exec:\c824668.exe26⤵
- Executes dropped EXE
PID:792 -
\??\c:\8246220.exec:\8246220.exe27⤵
- Executes dropped EXE
PID:1372 -
\??\c:\jjdjv.exec:\jjdjv.exe28⤵
- Executes dropped EXE
PID:1744 -
\??\c:\c606886.exec:\c606886.exe29⤵
- Executes dropped EXE
PID:2040 -
\??\c:\080666.exec:\080666.exe30⤵
- Executes dropped EXE
PID:1052 -
\??\c:\k42282.exec:\k42282.exe31⤵
- Executes dropped EXE
PID:1948 -
\??\c:\3jpvd.exec:\3jpvd.exe32⤵
- Executes dropped EXE
PID:2220 -
\??\c:\80666.exec:\80666.exe33⤵
- Executes dropped EXE
PID:1248 -
\??\c:\nbtttn.exec:\nbtttn.exe34⤵
- Executes dropped EXE
PID:1380 -
\??\c:\4268446.exec:\4268446.exe35⤵
- Executes dropped EXE
PID:1688 -
\??\c:\o484446.exec:\o484446.exe36⤵
- Executes dropped EXE
PID:1228 -
\??\c:\nbhtbt.exec:\nbhtbt.exe37⤵
- Executes dropped EXE
PID:1796 -
\??\c:\5ttntt.exec:\5ttntt.exe38⤵
- Executes dropped EXE
PID:2588 -
\??\c:\hbntbb.exec:\hbntbb.exe39⤵
- Executes dropped EXE
PID:2748 -
\??\c:\ttbntt.exec:\ttbntt.exe40⤵
- Executes dropped EXE
PID:2796 -
\??\c:\frfxrll.exec:\frfxrll.exe41⤵
- Executes dropped EXE
PID:2860 -
\??\c:\824026.exec:\824026.exe42⤵
- Executes dropped EXE
PID:2060 -
\??\c:\8688488.exec:\8688488.exe43⤵
- Executes dropped EXE
PID:2892 -
\??\c:\jddpd.exec:\jddpd.exe44⤵
- Executes dropped EXE
PID:2684 -
\??\c:\k64844.exec:\k64844.exe45⤵
- Executes dropped EXE
PID:2688 -
\??\c:\c622228.exec:\c622228.exe46⤵
- Executes dropped EXE
PID:2812 -
\??\c:\7bnhnn.exec:\7bnhnn.exe47⤵
- Executes dropped EXE
PID:2464 -
\??\c:\tnbbnh.exec:\tnbbnh.exe48⤵
- Executes dropped EXE
PID:1812 -
\??\c:\484062.exec:\484062.exe49⤵
- Executes dropped EXE
PID:1296 -
\??\c:\w64004.exec:\w64004.exe50⤵
- Executes dropped EXE
PID:3024 -
\??\c:\08444.exec:\08444.exe51⤵
- Executes dropped EXE
PID:2820 -
\??\c:\q64088.exec:\q64088.exe52⤵
- Executes dropped EXE
PID:3056 -
\??\c:\5rfllrx.exec:\5rfllrx.exe53⤵
- Executes dropped EXE
PID:2728 -
\??\c:\tnbbhb.exec:\tnbbhb.exe54⤵
- Executes dropped EXE
PID:1276 -
\??\c:\82680.exec:\82680.exe55⤵
- Executes dropped EXE
PID:2700 -
\??\c:\tthnnt.exec:\tthnnt.exe56⤵
- Executes dropped EXE
PID:1304 -
\??\c:\nhhhhh.exec:\nhhhhh.exe57⤵
- Executes dropped EXE
PID:2364 -
\??\c:\ddjjp.exec:\ddjjp.exe58⤵
- Executes dropped EXE
PID:388 -
\??\c:\3rflllx.exec:\3rflllx.exe59⤵
- Executes dropped EXE
PID:536 -
\??\c:\3xllxrx.exec:\3xllxrx.exe60⤵
- Executes dropped EXE
PID:2180 -
\??\c:\684440.exec:\684440.exe61⤵
- Executes dropped EXE
PID:2028 -
\??\c:\k64084.exec:\k64084.exe62⤵
- Executes dropped EXE
PID:688 -
\??\c:\lfxxflx.exec:\lfxxflx.exe63⤵
- Executes dropped EXE
PID:1592 -
\??\c:\5thbhb.exec:\5thbhb.exe64⤵
- Executes dropped EXE
PID:1032 -
\??\c:\1vjdp.exec:\1vjdp.exe65⤵
- Executes dropped EXE
PID:1540 -
\??\c:\260684.exec:\260684.exe66⤵
- System Location Discovery: System Language Discovery
PID:900 -
\??\c:\086244.exec:\086244.exe67⤵PID:1604
-
\??\c:\w04466.exec:\w04466.exe68⤵PID:784
-
\??\c:\1xllrrx.exec:\1xllrrx.exe69⤵PID:1372
-
\??\c:\60402.exec:\60402.exe70⤵PID:868
-
\??\c:\086200.exec:\086200.exe71⤵PID:1744
-
\??\c:\44802.exec:\44802.exe72⤵PID:780
-
\??\c:\llflrxl.exec:\llflrxl.exe73⤵PID:1088
-
\??\c:\tnnthn.exec:\tnnthn.exe74⤵PID:568
-
\??\c:\vpvvj.exec:\vpvvj.exe75⤵PID:1816
-
\??\c:\vddpj.exec:\vddpj.exe76⤵PID:752
-
\??\c:\w20000.exec:\w20000.exe77⤵PID:1248
-
\??\c:\c044002.exec:\c044002.exe78⤵PID:2544
-
\??\c:\jjvdd.exec:\jjvdd.exe79⤵PID:2340
-
\??\c:\424066.exec:\424066.exe80⤵PID:2208
-
\??\c:\rfrrrrx.exec:\rfrrrrx.exe81⤵PID:2336
-
\??\c:\q82428.exec:\q82428.exe82⤵PID:2772
-
\??\c:\e64404.exec:\e64404.exe83⤵PID:2836
-
\??\c:\hbbhhn.exec:\hbbhhn.exe84⤵PID:2188
-
\??\c:\nhtbbb.exec:\nhtbbb.exe85⤵PID:2888
-
\??\c:\608422.exec:\608422.exe86⤵PID:2904
-
\??\c:\260628.exec:\260628.exe87⤵PID:2660
-
\??\c:\rlxxlfr.exec:\rlxxlfr.exe88⤵PID:2696
-
\??\c:\864622.exec:\864622.exe89⤵PID:2640
-
\??\c:\e42082.exec:\e42082.exe90⤵PID:2692
-
\??\c:\7nhttn.exec:\7nhttn.exe91⤵PID:2812
-
\??\c:\7lfrlfl.exec:\7lfrlfl.exe92⤵PID:1780
-
\??\c:\vpvdv.exec:\vpvdv.exe93⤵PID:1812
-
\??\c:\bnhttb.exec:\bnhttb.exe94⤵PID:2492
-
\??\c:\vpvjp.exec:\vpvjp.exe95⤵PID:3024
-
\??\c:\i462228.exec:\i462228.exe96⤵PID:2964
-
\??\c:\3lfflll.exec:\3lfflll.exe97⤵PID:3004
-
\??\c:\lfrrfff.exec:\lfrrfff.exe98⤵PID:1508
-
\??\c:\9jddd.exec:\9jddd.exe99⤵PID:1276
-
\??\c:\vvvjv.exec:\vvvjv.exe100⤵PID:2700
-
\??\c:\vjpjp.exec:\vjpjp.exe101⤵PID:1304
-
\??\c:\jjddj.exec:\jjddj.exe102⤵PID:2364
-
\??\c:\nntnht.exec:\nntnht.exe103⤵PID:1716
-
\??\c:\4648484.exec:\4648484.exe104⤵PID:1016
-
\??\c:\8628884.exec:\8628884.exe105⤵PID:1628
-
\??\c:\28662.exec:\28662.exe106⤵PID:1600
-
\??\c:\hbnntt.exec:\hbnntt.exe107⤵PID:2080
-
\??\c:\0208844.exec:\0208844.exe108⤵PID:1820
-
\??\c:\086000.exec:\086000.exe109⤵PID:1048
-
\??\c:\nhtttt.exec:\nhtttt.exe110⤵PID:608
-
\??\c:\1nhbbh.exec:\1nhbbh.exe111⤵PID:2436
-
\??\c:\u260640.exec:\u260640.exe112⤵PID:1740
-
\??\c:\20840.exec:\20840.exe113⤵PID:1436
-
\??\c:\nhbbht.exec:\nhbbht.exe114⤵PID:1056
-
\??\c:\bthntb.exec:\bthntb.exe115⤵PID:1620
-
\??\c:\642248.exec:\642248.exe116⤵PID:2040
-
\??\c:\240066.exec:\240066.exe117⤵PID:996
-
\??\c:\g2440.exec:\g2440.exe118⤵PID:2572
-
\??\c:\1dvvv.exec:\1dvvv.exe119⤵PID:1816
-
\??\c:\64622.exec:\64622.exe120⤵PID:1560
-
\??\c:\xlrrxrr.exec:\xlrrxrr.exe121⤵PID:2528
-
\??\c:\o422444.exec:\o422444.exe122⤵PID:1512