Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 20:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe
-
Size
455KB
-
MD5
b993acf5ccc1da6c3745f4c467a82a25
-
SHA1
ab8d1302822117db6868e5ea336a1a8f11252cfc
-
SHA256
23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5
-
SHA512
de34da31c4d447e0530356a30239309de61348bdcc282adf7b5f7aaa24cc19653253c7b74753e81862a11ee0e70442b3d65ef0fee27a4a1fdac2aa65a43adbb9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRQ:q7Tc2NYHUrAwfMp3CDRQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2952-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-113-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1768-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-122-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-197-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1008-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1952-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-216-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/896-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1412-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-362-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/484-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1228-410-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3004-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1344-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1344-451-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2256-466-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2264-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-476-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1448-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/824-552-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2488-569-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1520-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-608-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2520-641-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2936-683-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1956-720-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1344-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-752-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2396-848-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1132-846-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-855-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2972 tnhnnn.exe 2632 08668.exe 2988 2000820.exe 2708 llflrrl.exe 2680 xrflrrf.exe 2500 tnnntb.exe 332 pdddd.exe 2344 86446.exe 2700 xrlrffx.exe 2400 btntnn.exe 1768 04400.exe 3004 9fffflx.exe 2568 nbhbbb.exe 2840 446228.exe 1440 rrlrffr.exe 1152 rlflxlr.exe 2452 826662.exe 2208 4206280.exe 2412 7pjjp.exe 1608 420628.exe 1008 dpdjp.exe 2004 g0286.exe 1952 4866884.exe 1444 s0280.exe 1912 bbnbnn.exe 896 5hhhhb.exe 696 3nhhtb.exe 1156 20840.exe 1884 4262408.exe 1960 460062.exe 1412 w08400.exe 1644 642666.exe 2948 086640.exe 2328 864626.exe 2248 60442.exe 2632 1jpjd.exe 2540 8200628.exe 2664 8688606.exe 2732 dvppv.exe 2196 7jpjj.exe 484 e26622.exe 1556 thtbhb.exe 1072 0862440.exe 2344 6400606.exe 2228 64668.exe 804 lxlrrxf.exe 1228 a2684.exe 2844 fxlxffl.exe 3004 thttbh.exe 3060 u806884.exe 2720 q08422.exe 1940 jvvvd.exe 1344 pdjjp.exe 2076 vpjjj.exe 2256 jdppv.exe 2264 08006.exe 2480 fxrxllx.exe 1688 202626.exe 1420 3frxflr.exe 1116 1vvdv.exe 2560 tnbhtb.exe 2004 dpjpd.exe 1460 hbnthn.exe 1448 5fxfllr.exe -
resource yara_rule behavioral1/memory/2952-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-250-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/896-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-291-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1960-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-410-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3004-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-466-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/2264-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-476-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1448-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-524-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/824-552-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2008-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-641-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2936-683-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1344-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-834-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0862244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k82404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8204626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6462002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8262024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2952 wrote to memory of 2972 2952 23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe 30 PID 2952 wrote to memory of 2972 2952 23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe 30 PID 2952 wrote to memory of 2972 2952 23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe 30 PID 2952 wrote to memory of 2972 2952 23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe 30 PID 2972 wrote to memory of 2632 2972 tnhnnn.exe 31 PID 2972 wrote to memory of 2632 2972 tnhnnn.exe 31 PID 2972 wrote to memory of 2632 2972 tnhnnn.exe 31 PID 2972 wrote to memory of 2632 2972 tnhnnn.exe 31 PID 2632 wrote to memory of 2988 2632 08668.exe 32 PID 2632 wrote to memory of 2988 2632 08668.exe 32 PID 2632 wrote to memory of 2988 2632 08668.exe 32 PID 2632 wrote to memory of 2988 2632 08668.exe 32 PID 2988 wrote to memory of 2708 2988 2000820.exe 33 PID 2988 wrote to memory of 2708 2988 2000820.exe 33 PID 2988 wrote to memory of 2708 2988 2000820.exe 33 PID 2988 wrote to memory of 2708 2988 2000820.exe 33 PID 2708 wrote to memory of 2680 2708 llflrrl.exe 34 PID 2708 wrote to memory of 2680 2708 llflrrl.exe 34 PID 2708 wrote to memory of 2680 2708 llflrrl.exe 34 PID 2708 wrote to memory of 2680 2708 llflrrl.exe 34 PID 2680 wrote to memory of 2500 2680 xrflrrf.exe 35 PID 2680 wrote to memory of 2500 2680 xrflrrf.exe 35 PID 2680 wrote to memory of 2500 2680 xrflrrf.exe 35 PID 2680 wrote to memory of 2500 2680 xrflrrf.exe 35 PID 2500 wrote to memory of 332 2500 tnnntb.exe 36 PID 2500 wrote to memory of 332 2500 tnnntb.exe 36 PID 2500 wrote to memory of 332 2500 tnnntb.exe 36 PID 2500 wrote to memory of 332 2500 tnnntb.exe 36 PID 332 wrote to memory of 2344 332 pdddd.exe 37 PID 332 wrote to memory of 2344 332 pdddd.exe 37 PID 332 wrote to memory of 2344 332 pdddd.exe 37 PID 332 wrote to memory of 2344 332 pdddd.exe 37 PID 2344 wrote to memory of 2700 2344 86446.exe 38 PID 2344 wrote to 
memory of 2700 2344 86446.exe 38 PID 2344 wrote to memory of 2700 2344 86446.exe 38 PID 2344 wrote to memory of 2700 2344 86446.exe 38 PID 2700 wrote to memory of 2400 2700 xrlrffx.exe 39 PID 2700 wrote to memory of 2400 2700 xrlrffx.exe 39 PID 2700 wrote to memory of 2400 2700 xrlrffx.exe 39 PID 2700 wrote to memory of 2400 2700 xrlrffx.exe 39 PID 2400 wrote to memory of 1768 2400 btntnn.exe 40 PID 2400 wrote to memory of 1768 2400 btntnn.exe 40 PID 2400 wrote to memory of 1768 2400 btntnn.exe 40 PID 2400 wrote to memory of 1768 2400 btntnn.exe 40 PID 1768 wrote to memory of 3004 1768 04400.exe 41 PID 1768 wrote to memory of 3004 1768 04400.exe 41 PID 1768 wrote to memory of 3004 1768 04400.exe 41 PID 1768 wrote to memory of 3004 1768 04400.exe 41 PID 3004 wrote to memory of 2568 3004 9fffflx.exe 42 PID 3004 wrote to memory of 2568 3004 9fffflx.exe 42 PID 3004 wrote to memory of 2568 3004 9fffflx.exe 42 PID 3004 wrote to memory of 2568 3004 9fffflx.exe 42 PID 2568 wrote to memory of 2840 2568 nbhbbb.exe 43 PID 2568 wrote to memory of 2840 2568 nbhbbb.exe 43 PID 2568 wrote to memory of 2840 2568 nbhbbb.exe 43 PID 2568 wrote to memory of 2840 2568 nbhbbb.exe 43 PID 2840 wrote to memory of 1440 2840 446228.exe 44 PID 2840 wrote to memory of 1440 2840 446228.exe 44 PID 2840 wrote to memory of 1440 2840 446228.exe 44 PID 2840 wrote to memory of 1440 2840 446228.exe 44 PID 1440 wrote to memory of 1152 1440 rrlrffr.exe 45 PID 1440 wrote to memory of 1152 1440 rrlrffr.exe 45 PID 1440 wrote to memory of 1152 1440 rrlrffr.exe 45 PID 1440 wrote to memory of 1152 1440 rrlrffr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe"C:\Users\Admin\AppData\Local\Temp\23fec9c5d20af942dd5fef1ae117a4c1dc8744df534852fdf3ce2d807a1d94a5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\tnhnnn.exec:\tnhnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\08668.exec:\08668.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\2000820.exec:\2000820.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\llflrrl.exec:\llflrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\xrflrrf.exec:\xrflrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\tnnntb.exec:\tnnntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\pdddd.exec:\pdddd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\86446.exec:\86446.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\xrlrffx.exec:\xrlrffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\btntnn.exec:\btntnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\04400.exec:\04400.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\9fffflx.exec:\9fffflx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\nbhbbb.exec:\nbhbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\446228.exec:\446228.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\rrlrffr.exec:\rrlrffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\rlflxlr.exec:\rlflxlr.exe17⤵
- Executes dropped EXE
PID:1152 -
\??\c:\826662.exec:\826662.exe18⤵
- Executes dropped EXE
PID:2452 -
\??\c:\4206280.exec:\4206280.exe19⤵
- Executes dropped EXE
PID:2208 -
\??\c:\7pjjp.exec:\7pjjp.exe20⤵
- Executes dropped EXE
PID:2412 -
\??\c:\420628.exec:\420628.exe21⤵
- Executes dropped EXE
PID:1608 -
\??\c:\dpdjp.exec:\dpdjp.exe22⤵
- Executes dropped EXE
PID:1008 -
\??\c:\g0286.exec:\g0286.exe23⤵
- Executes dropped EXE
PID:2004 -
\??\c:\4866884.exec:\4866884.exe24⤵
- Executes dropped EXE
PID:1952 -
\??\c:\s0280.exec:\s0280.exe25⤵
- Executes dropped EXE
PID:1444 -
\??\c:\bbnbnn.exec:\bbnbnn.exe26⤵
- Executes dropped EXE
PID:1912 -
\??\c:\5hhhhb.exec:\5hhhhb.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:896 -
\??\c:\3nhhtb.exec:\3nhhtb.exe28⤵
- Executes dropped EXE
PID:696 -
\??\c:\20840.exec:\20840.exe29⤵
- Executes dropped EXE
PID:1156 -
\??\c:\4262408.exec:\4262408.exe30⤵
- Executes dropped EXE
PID:1884 -
\??\c:\460062.exec:\460062.exe31⤵
- Executes dropped EXE
PID:1960 -
\??\c:\w08400.exec:\w08400.exe32⤵
- Executes dropped EXE
PID:1412 -
\??\c:\642666.exec:\642666.exe33⤵
- Executes dropped EXE
PID:1644 -
\??\c:\086640.exec:\086640.exe34⤵
- Executes dropped EXE
PID:2948 -
\??\c:\864626.exec:\864626.exe35⤵
- Executes dropped EXE
PID:2328 -
\??\c:\60442.exec:\60442.exe36⤵
- Executes dropped EXE
PID:2248 -
\??\c:\1jpjd.exec:\1jpjd.exe37⤵
- Executes dropped EXE
PID:2632 -
\??\c:\8200628.exec:\8200628.exe38⤵
- Executes dropped EXE
PID:2540 -
\??\c:\8688606.exec:\8688606.exe39⤵
- Executes dropped EXE
PID:2664 -
\??\c:\dvppv.exec:\dvppv.exe40⤵
- Executes dropped EXE
PID:2732 -
\??\c:\7jpjj.exec:\7jpjj.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196 -
\??\c:\e26622.exec:\e26622.exe42⤵
- Executes dropped EXE
PID:484 -
\??\c:\thtbhb.exec:\thtbhb.exe43⤵
- Executes dropped EXE
PID:1556 -
\??\c:\0862440.exec:\0862440.exe44⤵
- Executes dropped EXE
PID:1072 -
\??\c:\6400606.exec:\6400606.exe45⤵
- Executes dropped EXE
PID:2344 -
\??\c:\64668.exec:\64668.exe46⤵
- Executes dropped EXE
PID:2228 -
\??\c:\lxlrrxf.exec:\lxlrrxf.exe47⤵
- Executes dropped EXE
PID:804 -
\??\c:\a2684.exec:\a2684.exe48⤵
- Executes dropped EXE
PID:1228 -
\??\c:\fxlxffl.exec:\fxlxffl.exe49⤵
- Executes dropped EXE
PID:2844 -
\??\c:\thttbh.exec:\thttbh.exe50⤵
- Executes dropped EXE
PID:3004 -
\??\c:\u806884.exec:\u806884.exe51⤵
- Executes dropped EXE
PID:3060 -
\??\c:\q08422.exec:\q08422.exe52⤵
- Executes dropped EXE
PID:2720 -
\??\c:\jvvvd.exec:\jvvvd.exe53⤵
- Executes dropped EXE
PID:1940 -
\??\c:\pdjjp.exec:\pdjjp.exe54⤵
- Executes dropped EXE
PID:1344 -
\??\c:\vpjjj.exec:\vpjjj.exe55⤵
- Executes dropped EXE
PID:2076 -
\??\c:\jdppv.exec:\jdppv.exe56⤵
- Executes dropped EXE
PID:2256 -
\??\c:\08006.exec:\08006.exe57⤵
- Executes dropped EXE
PID:2264 -
\??\c:\fxrxllx.exec:\fxrxllx.exe58⤵
- Executes dropped EXE
PID:2480 -
\??\c:\202626.exec:\202626.exe59⤵
- Executes dropped EXE
PID:1688 -
\??\c:\3frxflr.exec:\3frxflr.exe60⤵
- Executes dropped EXE
PID:1420 -
\??\c:\1vvdv.exec:\1vvdv.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
\??\c:\tnbhtb.exec:\tnbhtb.exe62⤵
- Executes dropped EXE
PID:2560 -
\??\c:\dpjpd.exec:\dpjpd.exe63⤵
- Executes dropped EXE
PID:2004 -
\??\c:\hbnthn.exec:\hbnthn.exe64⤵
- Executes dropped EXE
PID:1460 -
\??\c:\5fxfllr.exec:\5fxfllr.exe65⤵
- Executes dropped EXE
PID:1448 -
\??\c:\vpddp.exec:\vpddp.exe66⤵PID:2296
-
\??\c:\ddppv.exec:\ddppv.exe67⤵PID:1912
-
\??\c:\m0846.exec:\m0846.exe68⤵PID:656
-
\??\c:\tnhhnn.exec:\tnhhnn.exe69⤵PID:2488
-
\??\c:\a4668.exec:\a4668.exe70⤵PID:824
-
\??\c:\246404.exec:\246404.exe71⤵PID:2576
-
\??\c:\hnhtnh.exec:\hnhtnh.exe72⤵PID:1972
-
\??\c:\64228.exec:\64228.exe73⤵PID:1924
-
\??\c:\646682.exec:\646682.exe74⤵PID:2008
-
\??\c:\8606802.exec:\8606802.exe75⤵PID:2968
-
\??\c:\64004.exec:\64004.exe76⤵PID:1520
-
\??\c:\868882.exec:\868882.exe77⤵PID:2392
-
\??\c:\5hnnbb.exec:\5hnnbb.exe78⤵PID:2768
-
\??\c:\s0222.exec:\s0222.exe79⤵PID:2024
-
\??\c:\3nhnbn.exec:\3nhnbn.exe80⤵PID:948
-
\??\c:\826284.exec:\826284.exe81⤵PID:2976
-
\??\c:\3jvpj.exec:\3jvpj.exe82⤵PID:2672
-
\??\c:\i466884.exec:\i466884.exe83⤵PID:112
-
\??\c:\nnbbnt.exec:\nnbbnt.exe84⤵PID:2520
-
\??\c:\0844046.exec:\0844046.exe85⤵PID:2196
-
\??\c:\lxrrffr.exec:\lxrrffr.exe86⤵PID:692
-
\??\c:\9dpdd.exec:\9dpdd.exe87⤵PID:1760
-
\??\c:\xlflffl.exec:\xlflffl.exe88⤵PID:2304
-
\??\c:\9nbbtn.exec:\9nbbtn.exe89⤵PID:1872
-
\??\c:\7httbt.exec:\7httbt.exe90⤵PID:2936
-
\??\c:\k24440.exec:\k24440.exe91⤵PID:2400
-
\??\c:\rlllrrr.exec:\rlllrrr.exe92⤵PID:2984
-
\??\c:\20088.exec:\20088.exe93⤵PID:1640
-
\??\c:\m0228.exec:\m0228.exe94⤵PID:1776
-
\??\c:\424404.exec:\424404.exe95⤵PID:1956
-
\??\c:\pdpvv.exec:\pdpvv.exe96⤵PID:2720
-
\??\c:\rrrlrlr.exec:\rrrlrlr.exe97⤵PID:1340
-
\??\c:\jdvvd.exec:\jdvvd.exe98⤵PID:1344
-
\??\c:\i084202.exec:\i084202.exe99⤵PID:1844
-
\??\c:\k86244.exec:\k86244.exe100⤵PID:2484
-
\??\c:\8264006.exec:\8264006.exe101⤵PID:2284
-
\??\c:\tnntnh.exec:\tnntnh.exe102⤵PID:2412
-
\??\c:\4284622.exec:\4284622.exe103⤵PID:2176
-
\??\c:\tbhhhb.exec:\tbhhhb.exe104⤵PID:448
-
\??\c:\680066.exec:\680066.exe105⤵PID:2440
-
\??\c:\pjpvd.exec:\pjpvd.exe106⤵PID:1568
-
\??\c:\u262480.exec:\u262480.exe107⤵PID:1300
-
\??\c:\jvdvv.exec:\jvdvv.exe108⤵PID:2060
-
\??\c:\208840.exec:\208840.exe109⤵PID:2464
-
\??\c:\w26248.exec:\w26248.exe110⤵PID:608
-
\??\c:\9pjpj.exec:\9pjpj.exe111⤵PID:1888
-
\??\c:\tbbnnt.exec:\tbbnnt.exe112⤵PID:1132
-
\??\c:\hbhntb.exec:\hbhntb.exe113⤵PID:1900
-
\??\c:\bbnbnn.exec:\bbnbnn.exe114⤵PID:1552
-
\??\c:\lxllllr.exec:\lxllllr.exe115⤵PID:2396
-
\??\c:\608024.exec:\608024.exe116⤵PID:2052
-
\??\c:\862282.exec:\862282.exe117⤵PID:1960
-
\??\c:\hbntnt.exec:\hbntnt.exe118⤵PID:2916
-
\??\c:\g4668.exec:\g4668.exe119⤵PID:1512
-
\??\c:\vpjvv.exec:\vpjvv.exe120⤵PID:2816
-
\??\c:\tthhnt.exec:\tthhnt.exe121⤵PID:2964
-
\??\c:\028224.exec:\028224.exe122⤵PID:2808