Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 00:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe
-
Size
454KB
-
MD5
ddbb08113a08f4e24b27d944c03a9245
-
SHA1
e7b0d4617d16e760c72661a6c6e4d77e58bb7fc2
-
SHA256
81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6
-
SHA512
a7e756d20231933cbf8131bc238299c95a7f108db41565c5632cf15abdc55cad10daed9e7d9d7bef52e41175c0b2e48bc1107eb0b7c77027a47f918bdab1c2a5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT2:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2032-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-13-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-151-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2348-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-169-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2040-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2180-192-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/304-295-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2636-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-303-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2152-311-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/1964-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-353-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1380-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-451-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2040-464-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1996-490-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1996-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-510-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon 
behavioral1/memory/1816-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-545-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2400-570-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1724-593-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1788-602-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2728-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-701-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/268-772-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-963-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2036-997-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2580 7jjjv.exe 2592 rlxfflr.exe 2948 4640466.exe 2252 nbhtbh.exe 2932 22286.exe 2808 lxflrrr.exe 2904 rrllllx.exe 2872 xlxxllr.exe 2748 rfxfflr.exe 2760 3nbbhh.exe 2176 00224.exe 1480 lrfflxf.exe 3016 lxfxxrf.exe 1304 7fllfxr.exe 2972 jvjjj.exe 2348 6466606.exe 1540 o688402.exe 2040 dpvpp.exe 2540 hthnnn.exe 2180 a2002.exe 2136 lllrxxl.exe 1688 68668.exe 1604 46222.exe 1860 02880.exe 2012 lflrxfl.exe 1536 q08400.exe 2644 64666.exe 2288 00888.exe 2280 s4266.exe 2080 k28282.exe 2232 tnnbbt.exe 304 0866220.exe 2636 xrfxxfr.exe 2152 a0846.exe 1964 242682.exe 1576 w24444.exe 2952 7lrllfl.exe 2892 nbhhbt.exe 2836 5jpjp.exe 2932 20280.exe 2716 64444.exe 2988 3xlllfl.exe 2856 426822.exe 2696 nnhnbh.exe 1048 5rllrxf.exe 2548 6640842.exe 2728 20622.exe 1060 m6444.exe 1380 3llrffx.exe 2976 420062.exe 2956 rrflrxl.exe 2772 208460.exe 1220 xllxxxx.exe 2076 86820.exe 1908 vvpdv.exe 1540 1fxllrf.exe 2040 s2444.exe 2536 tnbhhh.exe 2616 pdvjj.exe 2180 82068.exe 1996 4622666.exe 380 7nnbnb.exe 1984 hhtbbb.exe 2640 3btbhn.exe -
resource yara_rule behavioral1/memory/2032-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-270-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2080-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-311-0x0000000000530000-0x000000000055A000-memory.dmp upx behavioral1/memory/1964-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-820-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2912-888-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-939-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2760-965-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2068-985-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1092-1005-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhth.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q60406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k08804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2032 wrote to memory of 2580 2032 81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe 30 PID 2032 wrote to memory of 2580 2032 81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe 30 PID 2032 wrote to memory of 2580 2032 81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe 30 PID 2032 wrote to memory of 2580 2032 81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe 30 PID 2580 wrote to memory of 2592 2580 7jjjv.exe 31 PID 2580 wrote to memory of 2592 2580 7jjjv.exe 31 PID 2580 wrote to memory of 2592 2580 7jjjv.exe 31 PID 2580 wrote to memory of 2592 2580 7jjjv.exe 31 PID 2592 wrote to memory of 2948 2592 rlxfflr.exe 32 PID 2592 wrote to memory of 2948 2592 rlxfflr.exe 32 PID 2592 wrote to memory of 2948 2592 rlxfflr.exe 32 PID 2592 wrote to memory of 2948 2592 rlxfflr.exe 32 PID 2948 wrote to memory of 2252 2948 4640466.exe 33 PID 2948 wrote to memory of 2252 2948 4640466.exe 33 PID 2948 wrote to memory of 2252 2948 4640466.exe 33 PID 2948 wrote to memory of 2252 2948 4640466.exe 33 PID 2252 wrote to memory of 2932 2252 nbhtbh.exe 34 PID 2252 wrote to memory of 2932 2252 nbhtbh.exe 34 PID 2252 wrote to memory of 2932 2252 nbhtbh.exe 34 PID 2252 wrote to memory of 2932 2252 nbhtbh.exe 34 PID 2932 wrote to memory of 2808 2932 22286.exe 35 PID 2932 wrote to memory of 2808 2932 22286.exe 35 PID 2932 wrote to memory of 2808 2932 22286.exe 35 PID 2932 wrote to memory of 2808 2932 22286.exe 35 PID 2808 wrote to memory of 2904 2808 lxflrrr.exe 36 PID 2808 wrote to memory of 2904 2808 lxflrrr.exe 36 PID 2808 wrote to memory of 2904 2808 lxflrrr.exe 36 PID 2808 wrote to memory of 2904 2808 lxflrrr.exe 36 PID 2904 wrote to memory of 2872 2904 rrllllx.exe 37 PID 2904 wrote to memory of 2872 2904 rrllllx.exe 37 PID 2904 wrote to memory of 2872 2904 rrllllx.exe 37 PID 2904 wrote to memory of 2872 2904 rrllllx.exe 37 PID 2872 wrote to memory of 2748 2872 xlxxllr.exe 38 PID 
2872 wrote to memory of 2748 2872 xlxxllr.exe 38 PID 2872 wrote to memory of 2748 2872 xlxxllr.exe 38 PID 2872 wrote to memory of 2748 2872 xlxxllr.exe 38 PID 2748 wrote to memory of 2760 2748 rfxfflr.exe 39 PID 2748 wrote to memory of 2760 2748 rfxfflr.exe 39 PID 2748 wrote to memory of 2760 2748 rfxfflr.exe 39 PID 2748 wrote to memory of 2760 2748 rfxfflr.exe 39 PID 2760 wrote to memory of 2176 2760 3nbbhh.exe 40 PID 2760 wrote to memory of 2176 2760 3nbbhh.exe 40 PID 2760 wrote to memory of 2176 2760 3nbbhh.exe 40 PID 2760 wrote to memory of 2176 2760 3nbbhh.exe 40 PID 2176 wrote to memory of 1480 2176 00224.exe 41 PID 2176 wrote to memory of 1480 2176 00224.exe 41 PID 2176 wrote to memory of 1480 2176 00224.exe 41 PID 2176 wrote to memory of 1480 2176 00224.exe 41 PID 1480 wrote to memory of 3016 1480 lrfflxf.exe 42 PID 1480 wrote to memory of 3016 1480 lrfflxf.exe 42 PID 1480 wrote to memory of 3016 1480 lrfflxf.exe 42 PID 1480 wrote to memory of 3016 1480 lrfflxf.exe 42 PID 3016 wrote to memory of 1304 3016 lxfxxrf.exe 43 PID 3016 wrote to memory of 1304 3016 lxfxxrf.exe 43 PID 3016 wrote to memory of 1304 3016 lxfxxrf.exe 43 PID 3016 wrote to memory of 1304 3016 lxfxxrf.exe 43 PID 1304 wrote to memory of 2972 1304 7fllfxr.exe 44 PID 1304 wrote to memory of 2972 1304 7fllfxr.exe 44 PID 1304 wrote to memory of 2972 1304 7fllfxr.exe 44 PID 1304 wrote to memory of 2972 1304 7fllfxr.exe 44 PID 2972 wrote to memory of 2348 2972 jvjjj.exe 45 PID 2972 wrote to memory of 2348 2972 jvjjj.exe 45 PID 2972 wrote to memory of 2348 2972 jvjjj.exe 45 PID 2972 wrote to memory of 2348 2972 jvjjj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe"C:\Users\Admin\AppData\Local\Temp\81fbcdef13e98021f65872e9cc95a4a22cd754513de7eb687ea933143338a8c6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\7jjjv.exec:\7jjjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\rlxfflr.exec:\rlxfflr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\4640466.exec:\4640466.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\nbhtbh.exec:\nbhtbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\22286.exec:\22286.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\lxflrrr.exec:\lxflrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\rrllllx.exec:\rrllllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\xlxxllr.exec:\xlxxllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\rfxfflr.exec:\rfxfflr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\3nbbhh.exec:\3nbbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\00224.exec:\00224.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\lrfflxf.exec:\lrfflxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\lxfxxrf.exec:\lxfxxrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\7fllfxr.exec:\7fllfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\jvjjj.exec:\jvjjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\6466606.exec:\6466606.exe17⤵
- Executes dropped EXE
PID:2348 -
\??\c:\o688402.exec:\o688402.exe18⤵
- Executes dropped EXE
PID:1540 -
\??\c:\dpvpp.exec:\dpvpp.exe19⤵
- Executes dropped EXE
PID:2040 -
\??\c:\hthnnn.exec:\hthnnn.exe20⤵
- Executes dropped EXE
PID:2540 -
\??\c:\a2002.exec:\a2002.exe21⤵
- Executes dropped EXE
PID:2180 -
\??\c:\lllrxxl.exec:\lllrxxl.exe22⤵
- Executes dropped EXE
PID:2136 -
\??\c:\68668.exec:\68668.exe23⤵
- Executes dropped EXE
PID:1688 -
\??\c:\46222.exec:\46222.exe24⤵
- Executes dropped EXE
PID:1604 -
\??\c:\02880.exec:\02880.exe25⤵
- Executes dropped EXE
PID:1860 -
\??\c:\lflrxfl.exec:\lflrxfl.exe26⤵
- Executes dropped EXE
PID:2012 -
\??\c:\q08400.exec:\q08400.exe27⤵
- Executes dropped EXE
PID:1536 -
\??\c:\64666.exec:\64666.exe28⤵
- Executes dropped EXE
PID:2644 -
\??\c:\00888.exec:\00888.exe29⤵
- Executes dropped EXE
PID:2288 -
\??\c:\s4266.exec:\s4266.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\k28282.exec:\k28282.exe31⤵
- Executes dropped EXE
PID:2080 -
\??\c:\tnnbbt.exec:\tnnbbt.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
\??\c:\0866220.exec:\0866220.exe33⤵
- Executes dropped EXE
PID:304 -
\??\c:\xrfxxfr.exec:\xrfxxfr.exe34⤵
- Executes dropped EXE
PID:2636 -
\??\c:\a0846.exec:\a0846.exe35⤵
- Executes dropped EXE
PID:2152 -
\??\c:\242682.exec:\242682.exe36⤵
- Executes dropped EXE
PID:1964 -
\??\c:\w24444.exec:\w24444.exe37⤵
- Executes dropped EXE
PID:1576 -
\??\c:\7lrllfl.exec:\7lrllfl.exe38⤵
- Executes dropped EXE
PID:2952 -
\??\c:\nbhhbt.exec:\nbhhbt.exe39⤵
- Executes dropped EXE
PID:2892 -
\??\c:\5jpjp.exec:\5jpjp.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\20280.exec:\20280.exe41⤵
- Executes dropped EXE
PID:2932 -
\??\c:\64444.exec:\64444.exe42⤵
- Executes dropped EXE
PID:2716 -
\??\c:\3xlllfl.exec:\3xlllfl.exe43⤵
- Executes dropped EXE
PID:2988 -
\??\c:\426822.exec:\426822.exe44⤵
- Executes dropped EXE
PID:2856 -
\??\c:\nnhnbh.exec:\nnhnbh.exe45⤵
- Executes dropped EXE
PID:2696 -
\??\c:\5rllrxf.exec:\5rllrxf.exe46⤵
- Executes dropped EXE
PID:1048 -
\??\c:\6640842.exec:\6640842.exe47⤵
- Executes dropped EXE
PID:2548 -
\??\c:\20622.exec:\20622.exe48⤵
- Executes dropped EXE
PID:2728 -
\??\c:\m6444.exec:\m6444.exe49⤵
- Executes dropped EXE
PID:1060 -
\??\c:\3llrffx.exec:\3llrffx.exe50⤵
- Executes dropped EXE
PID:1380 -
\??\c:\420062.exec:\420062.exe51⤵
- Executes dropped EXE
PID:2976 -
\??\c:\rrflrxl.exec:\rrflrxl.exe52⤵
- Executes dropped EXE
PID:2956 -
\??\c:\208460.exec:\208460.exe53⤵
- Executes dropped EXE
PID:2772 -
\??\c:\xllxxxx.exec:\xllxxxx.exe54⤵
- Executes dropped EXE
PID:1220 -
\??\c:\86820.exec:\86820.exe55⤵
- Executes dropped EXE
PID:2076 -
\??\c:\vvpdv.exec:\vvpdv.exe56⤵
- Executes dropped EXE
PID:1908 -
\??\c:\1fxllrf.exec:\1fxllrf.exe57⤵
- Executes dropped EXE
PID:1540 -
\??\c:\s2444.exec:\s2444.exe58⤵
- Executes dropped EXE
PID:2040 -
\??\c:\tnbhhh.exec:\tnbhhh.exe59⤵
- Executes dropped EXE
PID:2536 -
\??\c:\pdvjj.exec:\pdvjj.exe60⤵
- Executes dropped EXE
PID:2616 -
\??\c:\82068.exec:\82068.exe61⤵
- Executes dropped EXE
PID:2180 -
\??\c:\4622666.exec:\4622666.exe62⤵
- Executes dropped EXE
PID:1996 -
\??\c:\7nnbnb.exec:\7nnbnb.exe63⤵
- Executes dropped EXE
PID:380 -
\??\c:\hhtbbb.exec:\hhtbbb.exe64⤵
- Executes dropped EXE
PID:1984 -
\??\c:\3btbhn.exec:\3btbhn.exe65⤵
- Executes dropped EXE
PID:2640 -
\??\c:\860066.exec:\860066.exe66⤵PID:1816
-
\??\c:\xlxxxff.exec:\xlxxxff.exe67⤵PID:1768
-
\??\c:\602806.exec:\602806.exe68⤵PID:2408
-
\??\c:\ppjpd.exec:\ppjpd.exe69⤵PID:896
-
\??\c:\42228.exec:\42228.exe70⤵PID:2288
-
\??\c:\1rxrrxf.exec:\1rxrrxf.exe71⤵PID:2204
-
\??\c:\82002.exec:\82002.exe72⤵PID:1616
-
\??\c:\8206280.exec:\8206280.exe73⤵PID:1748
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe74⤵PID:2400
-
\??\c:\jddvp.exec:\jddvp.exe75⤵PID:1788
-
\??\c:\g2028.exec:\g2028.exe76⤵PID:2228
-
\??\c:\flxlxfx.exec:\flxlxfx.exe77⤵PID:1724
-
\??\c:\482428.exec:\482428.exe78⤵PID:2116
-
\??\c:\8202446.exec:\8202446.exe79⤵PID:2144
-
\??\c:\862842.exec:\862842.exe80⤵PID:2824
-
\??\c:\ttnbnt.exec:\ttnbnt.exe81⤵PID:1740
-
\??\c:\hnthnt.exec:\hnthnt.exe82⤵PID:2404
-
\??\c:\tbhhhh.exec:\tbhhhh.exe83⤵PID:2240
-
\??\c:\46222.exec:\46222.exe84⤵PID:2716
-
\??\c:\xrxrxxr.exec:\xrxrxxr.exe85⤵PID:2884
-
\??\c:\c682880.exec:\c682880.exe86⤵PID:2872
-
\??\c:\pjdpp.exec:\pjdpp.exe87⤵PID:2856
-
\??\c:\i428488.exec:\i428488.exe88⤵PID:2700
-
\??\c:\nhhntb.exec:\nhhntb.exe89⤵PID:2296
-
\??\c:\jvjjj.exec:\jvjjj.exe90⤵PID:2756
-
\??\c:\tnhntt.exec:\tnhntt.exe91⤵
- System Location Discovery: System Language Discovery
PID:2728 -
\??\c:\hhtbnn.exec:\hhtbnn.exe92⤵PID:844
-
\??\c:\26024.exec:\26024.exe93⤵PID:1844
-
\??\c:\xlflxxf.exec:\xlflxxf.exe94⤵PID:2976
-
\??\c:\c084002.exec:\c084002.exe95⤵PID:3016
-
\??\c:\264404.exec:\264404.exe96⤵PID:2772
-
\??\c:\1rffffr.exec:\1rffffr.exe97⤵PID:2476
-
\??\c:\9bnnnn.exec:\9bnnnn.exe98⤵PID:2076
-
\??\c:\604044.exec:\604044.exe99⤵PID:1124
-
\??\c:\lrxrxxx.exec:\lrxrxxx.exe100⤵PID:1440
-
\??\c:\66440.exec:\66440.exe101⤵PID:3040
-
\??\c:\1lfxffr.exec:\1lfxffr.exe102⤵PID:3024
-
\??\c:\rxxrflx.exec:\rxxrflx.exe103⤵PID:2504
-
\??\c:\2022484.exec:\2022484.exe104⤵PID:1152
-
\??\c:\jdpvv.exec:\jdpvv.exe105⤵PID:268
-
\??\c:\2688002.exec:\2688002.exe106⤵PID:1756
-
\??\c:\60846.exec:\60846.exe107⤵PID:1628
-
\??\c:\4244484.exec:\4244484.exe108⤵PID:2012
-
\??\c:\vvpdp.exec:\vvpdp.exe109⤵PID:1816
-
\??\c:\bnbbbt.exec:\bnbbbt.exe110⤵PID:1648
-
\??\c:\044606.exec:\044606.exe111⤵PID:1856
-
\??\c:\48028.exec:\48028.exe112⤵PID:2312
-
\??\c:\lfxlxfr.exec:\lfxlxfr.exe113⤵PID:2280
-
\??\c:\xxxlfxf.exec:\xxxlfxf.exe114⤵PID:2316
-
\??\c:\bbttnn.exec:\bbttnn.exe115⤵PID:2112
-
\??\c:\48680.exec:\48680.exe116⤵PID:2232
-
\??\c:\dvjvv.exec:\dvjvv.exe117⤵PID:1956
-
\??\c:\htntbb.exec:\htntbb.exe118⤵PID:2384
-
\??\c:\c024268.exec:\c024268.exe119⤵PID:2580
-
\??\c:\btbbhh.exec:\btbbhh.exe120⤵PID:2608
-
\??\c:\7dppv.exec:\7dppv.exe121⤵PID:1992
-
\??\c:\1rrrllr.exec:\1rrrllr.exe122⤵PID:2268