Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 23:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe
-
Size
454KB
-
MD5
f2b11c4f394ea83ecdfef520530ba332
-
SHA1
db73e90f002b0bb57efd28c41e97518a70c33de9
-
SHA256
906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a
-
SHA512
3d1e311877f9bedc34158147aee13b3be7131addc77528d4f511fad1830aa5b372cf5b3618a952859c5764c1b4dd094044017c7d4e7b7d055bf462ec6c9a7b3f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeVn:q7Tc2NYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2992-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-106-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3028-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-138-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1952-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/816-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/300-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/680-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2524-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-295-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3040-299-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3040-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-310-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/3056-318-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2304-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-382-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2556-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-402-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/848-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/404-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-803-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1240-1027-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/292-1078-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2300-1315-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3048 e60684.exe 1800 486884.exe 1976 bbnnth.exe 2068 rrlflxr.exe 2180 1bbhnn.exe 2936 hbnthn.exe 2928 9dpdj.exe 2588 2644046.exe 2580 642200.exe 2724 rrlxrrx.exe 2624 6080886.exe 3028 hthbnn.exe 1136 dvvdp.exe 1952 828426.exe 2308 04402.exe 2540 tnhnbh.exe 2796 20224.exe 2892 xlflxfr.exe 2196 82628.exe 2980 6040228.exe 2172 7hbhtt.exe 2088 7vvvd.exe 296 4862846.exe 816 868068.exe 1736 426688.exe 300 llflrxl.exe 656 808848.exe 680 20288.exe 2524 jvjpv.exe 1244 2442840.exe 888 pjjvp.exe 3040 nhttnt.exe 1584 htnhhh.exe 3056 9lxxrrx.exe 348 3xrlrrx.exe 2460 86840.exe 2084 606622.exe 2304 264466.exe 2680 44620.exe 2692 4886460.exe 2120 9frrrrr.exe 2924 9xxxxfl.exe 2824 086240.exe 3036 9hthbh.exe 2556 s4664.exe 2724 8206846.exe 2372 hbtttt.exe 1096 9lfxrrx.exe 2600 vjddj.exe 2396 q02222.exe 1812 8022228.exe 848 frxrfrx.exe 1768 dvppd.exe 2856 482808.exe 1092 bnhnnt.exe 2892 nbtbbh.exe 2436 g8806.exe 3000 9vppd.exe 404 e02666.exe 2152 8060006.exe 2088 7dpjj.exe 988 3pdvp.exe 1492 vjvpp.exe 2160 fxxflll.exe -
resource yara_rule behavioral1/memory/2992-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-160-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2540-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-211-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/816-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/300-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-275-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1244-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-299-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3040-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/404-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-803-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3048-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-890-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2608-915-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-953-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-1027-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-1065-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-1078-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/572-1091-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-1122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-1154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-1167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-1192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-1271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-1278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-1315-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2792-1328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-1341-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6046880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w42288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tththt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c802846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428428.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2992 wrote to memory of 3048 2992 906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe 30 PID 2992 wrote to memory of 3048 2992 906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe 30 PID 2992 wrote to memory of 3048 2992 906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe 30 PID 2992 wrote to memory of 3048 2992 906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe 30 PID 3048 wrote to memory of 1800 3048 e60684.exe 31 PID 3048 wrote to memory of 1800 3048 e60684.exe 31 PID 3048 wrote to memory of 1800 3048 e60684.exe 31 PID 3048 wrote to memory of 1800 3048 e60684.exe 31 PID 1800 wrote to memory of 1976 1800 486884.exe 32 PID 1800 wrote to memory of 1976 1800 486884.exe 32 PID 1800 wrote to memory of 1976 1800 486884.exe 32 PID 1800 wrote to memory of 1976 1800 486884.exe 32 PID 1976 wrote to memory of 2068 1976 bbnnth.exe 33 PID 1976 wrote to memory of 2068 1976 bbnnth.exe 33 PID 1976 wrote to memory of 2068 1976 bbnnth.exe 33 PID 1976 wrote to memory of 2068 1976 bbnnth.exe 33 PID 2068 wrote to memory of 2180 2068 rrlflxr.exe 34 PID 2068 wrote to memory of 2180 2068 rrlflxr.exe 34 PID 2068 wrote to memory of 2180 2068 rrlflxr.exe 34 PID 2068 wrote to memory of 2180 2068 rrlflxr.exe 34 PID 2180 wrote to memory of 2936 2180 1bbhnn.exe 35 PID 2180 wrote to memory of 2936 2180 1bbhnn.exe 35 PID 2180 wrote to memory of 2936 2180 1bbhnn.exe 35 PID 2180 wrote to memory of 2936 2180 1bbhnn.exe 35 PID 2936 wrote to memory of 2928 2936 hbnthn.exe 36 PID 2936 wrote to memory of 2928 2936 hbnthn.exe 36 PID 2936 wrote to memory of 2928 2936 hbnthn.exe 36 PID 2936 wrote to memory of 2928 2936 hbnthn.exe 36 PID 2928 wrote to memory of 2588 2928 9dpdj.exe 37 PID 2928 wrote to memory of 2588 2928 9dpdj.exe 37 PID 2928 wrote to memory of 2588 2928 9dpdj.exe 37 PID 2928 wrote to memory of 2588 2928 9dpdj.exe 37 PID 2588 wrote to memory of 2580 2588 2644046.exe 38 PID 2588 
wrote to memory of 2580 2588 2644046.exe 38 PID 2588 wrote to memory of 2580 2588 2644046.exe 38 PID 2588 wrote to memory of 2580 2588 2644046.exe 38 PID 2580 wrote to memory of 2724 2580 642200.exe 39 PID 2580 wrote to memory of 2724 2580 642200.exe 39 PID 2580 wrote to memory of 2724 2580 642200.exe 39 PID 2580 wrote to memory of 2724 2580 642200.exe 39 PID 2724 wrote to memory of 2624 2724 rrlxrrx.exe 40 PID 2724 wrote to memory of 2624 2724 rrlxrrx.exe 40 PID 2724 wrote to memory of 2624 2724 rrlxrrx.exe 40 PID 2724 wrote to memory of 2624 2724 rrlxrrx.exe 40 PID 2624 wrote to memory of 3028 2624 6080886.exe 41 PID 2624 wrote to memory of 3028 2624 6080886.exe 41 PID 2624 wrote to memory of 3028 2624 6080886.exe 41 PID 2624 wrote to memory of 3028 2624 6080886.exe 41 PID 3028 wrote to memory of 1136 3028 hthbnn.exe 42 PID 3028 wrote to memory of 1136 3028 hthbnn.exe 42 PID 3028 wrote to memory of 1136 3028 hthbnn.exe 42 PID 3028 wrote to memory of 1136 3028 hthbnn.exe 42 PID 1136 wrote to memory of 1952 1136 dvvdp.exe 43 PID 1136 wrote to memory of 1952 1136 dvvdp.exe 43 PID 1136 wrote to memory of 1952 1136 dvvdp.exe 43 PID 1136 wrote to memory of 1952 1136 dvvdp.exe 43 PID 1952 wrote to memory of 2308 1952 828426.exe 44 PID 1952 wrote to memory of 2308 1952 828426.exe 44 PID 1952 wrote to memory of 2308 1952 828426.exe 44 PID 1952 wrote to memory of 2308 1952 828426.exe 44 PID 2308 wrote to memory of 2540 2308 04402.exe 45 PID 2308 wrote to memory of 2540 2308 04402.exe 45 PID 2308 wrote to memory of 2540 2308 04402.exe 45 PID 2308 wrote to memory of 2540 2308 04402.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe"C:\Users\Admin\AppData\Local\Temp\906f5395ae7eda534b53aa5536773a3c4e29c06058589e6316f4ae698a902a1a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\e60684.exec:\e60684.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\486884.exec:\486884.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\bbnnth.exec:\bbnnth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\rrlflxr.exec:\rrlflxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\1bbhnn.exec:\1bbhnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\hbnthn.exec:\hbnthn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\9dpdj.exec:\9dpdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\2644046.exec:\2644046.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\642200.exec:\642200.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\rrlxrrx.exec:\rrlxrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\6080886.exec:\6080886.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\hthbnn.exec:\hthbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\dvvdp.exec:\dvvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\828426.exec:\828426.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\04402.exec:\04402.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\tnhnbh.exec:\tnhnbh.exe17⤵
- Executes dropped EXE
PID:2540 -
\??\c:\20224.exec:\20224.exe18⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xlflxfr.exec:\xlflxfr.exe19⤵
- Executes dropped EXE
PID:2892 -
\??\c:\82628.exec:\82628.exe20⤵
- Executes dropped EXE
PID:2196 -
\??\c:\6040228.exec:\6040228.exe21⤵
- Executes dropped EXE
PID:2980 -
\??\c:\7hbhtt.exec:\7hbhtt.exe22⤵
- Executes dropped EXE
PID:2172 -
\??\c:\7vvvd.exec:\7vvvd.exe23⤵
- Executes dropped EXE
PID:2088 -
\??\c:\4862846.exec:\4862846.exe24⤵
- Executes dropped EXE
PID:296 -
\??\c:\868068.exec:\868068.exe25⤵
- Executes dropped EXE
PID:816 -
\??\c:\426688.exec:\426688.exe26⤵
- Executes dropped EXE
PID:1736 -
\??\c:\llflrxl.exec:\llflrxl.exe27⤵
- Executes dropped EXE
PID:300 -
\??\c:\808848.exec:\808848.exe28⤵
- Executes dropped EXE
PID:656 -
\??\c:\20288.exec:\20288.exe29⤵
- Executes dropped EXE
PID:680 -
\??\c:\jvjpv.exec:\jvjpv.exe30⤵
- Executes dropped EXE
PID:2524 -
\??\c:\2442840.exec:\2442840.exe31⤵
- Executes dropped EXE
PID:1244 -
\??\c:\pjjvp.exec:\pjjvp.exe32⤵
- Executes dropped EXE
PID:888 -
\??\c:\nhttnt.exec:\nhttnt.exe33⤵
- Executes dropped EXE
PID:3040 -
\??\c:\htnhhh.exec:\htnhhh.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\9lxxrrx.exec:\9lxxrrx.exe35⤵
- Executes dropped EXE
PID:3056 -
\??\c:\3xrlrrx.exec:\3xrlrrx.exe36⤵
- Executes dropped EXE
PID:348 -
\??\c:\86840.exec:\86840.exe37⤵
- Executes dropped EXE
PID:2460 -
\??\c:\606622.exec:\606622.exe38⤵
- Executes dropped EXE
PID:2084 -
\??\c:\264466.exec:\264466.exe39⤵
- Executes dropped EXE
PID:2304 -
\??\c:\44620.exec:\44620.exe40⤵
- Executes dropped EXE
PID:2680 -
\??\c:\4886460.exec:\4886460.exe41⤵
- Executes dropped EXE
PID:2692 -
\??\c:\9frrrrr.exec:\9frrrrr.exe42⤵
- Executes dropped EXE
PID:2120 -
\??\c:\9xxxxfl.exec:\9xxxxfl.exe43⤵
- Executes dropped EXE
PID:2924 -
\??\c:\086240.exec:\086240.exe44⤵
- Executes dropped EXE
PID:2824 -
\??\c:\9hthbh.exec:\9hthbh.exe45⤵
- Executes dropped EXE
PID:3036 -
\??\c:\s4664.exec:\s4664.exe46⤵
- Executes dropped EXE
PID:2556 -
\??\c:\8206846.exec:\8206846.exe47⤵
- Executes dropped EXE
PID:2724 -
\??\c:\hbtttt.exec:\hbtttt.exe48⤵
- Executes dropped EXE
PID:2372 -
\??\c:\9lfxrrx.exec:\9lfxrrx.exe49⤵
- Executes dropped EXE
PID:1096 -
\??\c:\vjddj.exec:\vjddj.exe50⤵
- Executes dropped EXE
PID:2600 -
\??\c:\q02222.exec:\q02222.exe51⤵
- Executes dropped EXE
PID:2396 -
\??\c:\8022228.exec:\8022228.exe52⤵
- Executes dropped EXE
PID:1812 -
\??\c:\frxrfrx.exec:\frxrfrx.exe53⤵
- Executes dropped EXE
PID:848 -
\??\c:\dvppd.exec:\dvppd.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
\??\c:\482808.exec:\482808.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\bnhnnt.exec:\bnhnnt.exe56⤵
- Executes dropped EXE
PID:1092 -
\??\c:\nbtbbh.exec:\nbtbbh.exe57⤵
- Executes dropped EXE
PID:2892 -
\??\c:\g8806.exec:\g8806.exe58⤵
- Executes dropped EXE
PID:2436 -
\??\c:\9vppd.exec:\9vppd.exe59⤵
- Executes dropped EXE
PID:3000 -
\??\c:\e02666.exec:\e02666.exe60⤵
- Executes dropped EXE
PID:404 -
\??\c:\8060006.exec:\8060006.exe61⤵
- Executes dropped EXE
PID:2152 -
\??\c:\7dpjj.exec:\7dpjj.exe62⤵
- Executes dropped EXE
PID:2088 -
\??\c:\3pdvp.exec:\3pdvp.exe63⤵
- Executes dropped EXE
PID:988 -
\??\c:\vjvpp.exec:\vjvpp.exe64⤵
- Executes dropped EXE
PID:1492 -
\??\c:\fxxflll.exec:\fxxflll.exe65⤵
- Executes dropped EXE
PID:2160 -
\??\c:\s8006.exec:\s8006.exe66⤵PID:1792
-
\??\c:\480688.exec:\480688.exe67⤵PID:928
-
\??\c:\vpdvd.exec:\vpdvd.exe68⤵PID:804
-
\??\c:\lfrrxfx.exec:\lfrrxfx.exe69⤵PID:2292
-
\??\c:\q24448.exec:\q24448.exe70⤵PID:760
-
\??\c:\868022.exec:\868022.exe71⤵PID:536
-
\??\c:\9pdpv.exec:\9pdpv.exe72⤵PID:572
-
\??\c:\64066.exec:\64066.exe73⤵PID:1244
-
\??\c:\u006846.exec:\u006846.exe74⤵PID:2432
-
\??\c:\c006446.exec:\c006446.exe75⤵PID:2516
-
\??\c:\02484.exec:\02484.exe76⤵PID:1716
-
\??\c:\6088006.exec:\6088006.exe77⤵PID:1608
-
\??\c:\8620066.exec:\8620066.exe78⤵PID:2500
-
\??\c:\rlrfrrl.exec:\rlrfrrl.exe79⤵PID:2484
-
\??\c:\04688.exec:\04688.exe80⤵PID:2360
-
\??\c:\c660488.exec:\c660488.exe81⤵PID:2408
-
\??\c:\bnhbbb.exec:\bnhbbb.exe82⤵PID:2748
-
\??\c:\48846.exec:\48846.exe83⤵PID:2704
-
\??\c:\9btbnh.exec:\9btbnh.exe84⤵PID:2772
-
\??\c:\2022840.exec:\2022840.exe85⤵PID:2660
-
\??\c:\vpdjj.exec:\vpdjj.exe86⤵
- System Location Discovery: System Language Discovery
PID:2712 -
\??\c:\8688004.exec:\8688004.exe87⤵PID:2888
-
\??\c:\jdjpp.exec:\jdjpp.exe88⤵PID:2716
-
\??\c:\86822.exec:\86822.exe89⤵PID:2816
-
\??\c:\1tnntb.exec:\1tnntb.exe90⤵PID:2720
-
\??\c:\9nbbhh.exec:\9nbbhh.exe91⤵PID:2024
-
\??\c:\vpppd.exec:\vpppd.exe92⤵PID:3008
-
\??\c:\1nhhnt.exec:\1nhhnt.exe93⤵PID:1808
-
\??\c:\9llfrlx.exec:\9llfrlx.exe94⤵PID:1728
-
\??\c:\9xrrxfr.exec:\9xrrxfr.exe95⤵PID:2396
-
\??\c:\djdvv.exec:\djdvv.exe96⤵PID:1444
-
\??\c:\rrrxrxr.exec:\rrrxrxr.exe97⤵PID:848
-
\??\c:\86662.exec:\86662.exe98⤵PID:2860
-
\??\c:\9nhntb.exec:\9nhntb.exe99⤵PID:2872
-
\??\c:\rrrlflx.exec:\rrrlflx.exe100⤵PID:2156
-
\??\c:\5nnbhn.exec:\5nnbhn.exe101⤵PID:2892
-
\??\c:\xrfllrf.exec:\xrfllrf.exe102⤵PID:1864
-
\??\c:\080022.exec:\080022.exe103⤵PID:1124
-
\??\c:\hthhbh.exec:\hthhbh.exe104⤵PID:1832
-
\??\c:\lxrllfr.exec:\lxrllfr.exe105⤵PID:2868
-
\??\c:\i646806.exec:\i646806.exe106⤵PID:296
-
\??\c:\6048008.exec:\6048008.exe107⤵PID:828
-
\??\c:\rlxfrrf.exec:\rlxfrrf.exe108⤵PID:1376
-
\??\c:\9rllxfr.exec:\9rllxfr.exe109⤵PID:1492
-
\??\c:\5jdjp.exec:\5jdjp.exe110⤵PID:1684
-
\??\c:\hbnntt.exec:\hbnntt.exe111⤵PID:1548
-
\??\c:\ppvvd.exec:\ppvvd.exe112⤵PID:2380
-
\??\c:\k68800.exec:\k68800.exe113⤵PID:1328
-
\??\c:\424062.exec:\424062.exe114⤵PID:1764
-
\??\c:\k00602.exec:\k00602.exe115⤵PID:2116
-
\??\c:\xrxxlxf.exec:\xrxxlxf.exe116⤵PID:1776
-
\??\c:\82020.exec:\82020.exe117⤵PID:2204
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe118⤵PID:2972
-
\??\c:\206448.exec:\206448.exe119⤵PID:880
-
\??\c:\2084064.exec:\2084064.exe120⤵PID:2832
-
\??\c:\6426426.exec:\6426426.exe121⤵PID:3048
-
\??\c:\602800.exec:\602800.exe122⤵PID:2456