Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 03:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe
-
Size
453KB
-
MD5
c9594346b28443ea1b42c92b5a711c36
-
SHA1
09031f2bf3e1fb0b183f884b32b9727c120470ff
-
SHA256
ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d
-
SHA512
2ed33e1c35dfb5d7f342d0f4ccecdc9b463cf53c960b88f3200c2678070dca3a49cf4603321749253ab9a456f1b4b080bb7dfd2cb1a6264b8dd9abbb18af334a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 59 IoCs
resource yara_rule behavioral1/memory/692-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-45-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2780-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/920-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-154-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2968-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-185-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/656-194-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/656-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-204-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1296-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-214-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1800-227-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1720-236-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1460-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-251-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1524-303-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/936-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-322-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2392-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-342-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2760-341-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2664-349-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2688-368-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2684-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-392-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1944-445-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1944-464-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1452-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1940-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-632-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2908-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2348-722-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2012-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-829-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/900-848-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1764-923-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1764-925-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/792-1087-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-1161-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 692 82684.exe 1992 k86244.exe 2248 a0846.exe 2780 5lffllr.exe 2824 s0280.exe 2944 886840.exe 3056 xrffxrf.exe 2744 08246.exe 2672 vpjpj.exe 2240 fxlrxfr.exe 920 bbbhtb.exe 1416 9rlrflr.exe 2168 6026240.exe 3024 vpjpd.exe 2968 c646280.exe 3060 7nbhhb.exe 2080 5lrxrrx.exe 1852 dvjjp.exe 2584 frxrrrr.exe 656 bnhhnt.exe 1296 3pvpp.exe 2192 9tnnhn.exe 1800 bbtbbh.exe 1720 660486.exe 1460 2046282.exe 2132 826864.exe 588 nhtttb.exe 2712 ddvvd.exe 1964 lxflrrr.exe 1752 pdpdd.exe 1712 rlxxxfl.exe 1524 nbhhhh.exe 936 c460644.exe 2392 46800.exe 2772 jddvv.exe 2916 9jvpp.exe 2760 868804.exe 2664 64606.exe 2908 fflrxxf.exe 2952 fxxfllr.exe 2688 486626.exe 2684 802288.exe 2672 202244.exe 2680 646048.exe 2240 lxlflff.exe 920 bthbhb.exe 2992 264626.exe 2976 g8000.exe 2168 4244602.exe 2808 o822440.exe 2692 42884.exe 680 s6822.exe 1944 tnbttt.exe 1856 86488.exe 1652 046244.exe 2728 646622.exe 2584 bhnhth.exe 2044 5hhttb.exe 852 7thhnn.exe 1452 9jddd.exe 528 226666.exe 2668 dptnb.exe 2128 80406.exe 1664 2006666.exe -
resource yara_rule behavioral1/memory/692-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-105-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1416-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-204-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1296-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-236-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1460-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-251-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/936-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1668-1055-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/792-1087-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-1148-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2006666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2606446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
2006666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xllrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o248888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1712 wrote to memory of 692 1712 ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe 31 PID 1712 wrote to memory of 692 1712 ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe 31 PID 1712 wrote to memory of 692 1712 ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe 31 PID 1712 wrote to memory of 692 1712 ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe 31 PID 692 wrote to memory of 1992 692 82684.exe 32 PID 692 wrote to memory of 1992 692 82684.exe 32 PID 692 wrote to memory of 1992 692 82684.exe 32 PID 692 wrote to memory of 1992 692 82684.exe 32 PID 1992 wrote to memory of 2248 1992 k86244.exe 33 PID 1992 wrote to memory of 2248 1992 k86244.exe 33 PID 1992 wrote to memory of 2248 1992 k86244.exe 33 PID 1992 wrote to memory of 2248 1992 k86244.exe 33 PID 2248 wrote to memory of 2780 2248 a0846.exe 34 PID 2248 wrote to memory of 2780 2248 a0846.exe 34 PID 2248 wrote to memory of 2780 2248 a0846.exe 34 PID 2248 wrote to memory of 2780 2248 a0846.exe 34 PID 2780 wrote to memory of 2824 2780 5lffllr.exe 35 PID 2780 wrote to memory of 2824 2780 5lffllr.exe 35 PID 2780 wrote to memory of 2824 2780 5lffllr.exe 35 PID 2780 wrote to memory of 2824 2780 5lffllr.exe 35 PID 2824 wrote to memory of 2944 2824 s0280.exe 36 PID 2824 wrote to memory of 2944 2824 s0280.exe 36 PID 2824 wrote to memory of 2944 2824 s0280.exe 36 PID 2824 wrote to memory of 2944 2824 s0280.exe 36 PID 2944 wrote to memory of 3056 2944 886840.exe 37 PID 2944 wrote to memory of 3056 2944 886840.exe 37 PID 2944 wrote to memory of 3056 2944 886840.exe 37 PID 2944 wrote to memory of 3056 2944 886840.exe 37 PID 3056 wrote to memory of 2744 3056 xrffxrf.exe 38 PID 3056 wrote to memory of 2744 3056 xrffxrf.exe 38 PID 3056 wrote to memory of 2744 3056 xrffxrf.exe 38 PID 3056 wrote to memory of 2744 3056 xrffxrf.exe 38 PID 2744 wrote to memory of 2672 2744 08246.exe 39 PID 2744 wrote to memory of 
2672 2744 08246.exe 39 PID 2744 wrote to memory of 2672 2744 08246.exe 39 PID 2744 wrote to memory of 2672 2744 08246.exe 39 PID 2672 wrote to memory of 2240 2672 vpjpj.exe 40 PID 2672 wrote to memory of 2240 2672 vpjpj.exe 40 PID 2672 wrote to memory of 2240 2672 vpjpj.exe 40 PID 2672 wrote to memory of 2240 2672 vpjpj.exe 40 PID 2240 wrote to memory of 920 2240 fxlrxfr.exe 41 PID 2240 wrote to memory of 920 2240 fxlrxfr.exe 41 PID 2240 wrote to memory of 920 2240 fxlrxfr.exe 41 PID 2240 wrote to memory of 920 2240 fxlrxfr.exe 41 PID 920 wrote to memory of 1416 920 bbbhtb.exe 42 PID 920 wrote to memory of 1416 920 bbbhtb.exe 42 PID 920 wrote to memory of 1416 920 bbbhtb.exe 42 PID 920 wrote to memory of 1416 920 bbbhtb.exe 42 PID 1416 wrote to memory of 2168 1416 9rlrflr.exe 43 PID 1416 wrote to memory of 2168 1416 9rlrflr.exe 43 PID 1416 wrote to memory of 2168 1416 9rlrflr.exe 43 PID 1416 wrote to memory of 2168 1416 9rlrflr.exe 43 PID 2168 wrote to memory of 3024 2168 6026240.exe 44 PID 2168 wrote to memory of 3024 2168 6026240.exe 44 PID 2168 wrote to memory of 3024 2168 6026240.exe 44 PID 2168 wrote to memory of 3024 2168 6026240.exe 44 PID 3024 wrote to memory of 2968 3024 vpjpd.exe 45 PID 3024 wrote to memory of 2968 3024 vpjpd.exe 45 PID 3024 wrote to memory of 2968 3024 vpjpd.exe 45 PID 3024 wrote to memory of 2968 3024 vpjpd.exe 45 PID 2968 wrote to memory of 3060 2968 c646280.exe 46 PID 2968 wrote to memory of 3060 2968 c646280.exe 46 PID 2968 wrote to memory of 3060 2968 c646280.exe 46 PID 2968 wrote to memory of 3060 2968 c646280.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe"C:\Users\Admin\AppData\Local\Temp\ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\82684.exec:\82684.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\k86244.exec:\k86244.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\a0846.exec:\a0846.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\5lffllr.exec:\5lffllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\s0280.exec:\s0280.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\886840.exec:\886840.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\xrffxrf.exec:\xrffxrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\08246.exec:\08246.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\vpjpj.exec:\vpjpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\fxlrxfr.exec:\fxlrxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\bbbhtb.exec:\bbbhtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\9rlrflr.exec:\9rlrflr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\6026240.exec:\6026240.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\vpjpd.exec:\vpjpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\c646280.exec:\c646280.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\7nbhhb.exec:\7nbhhb.exe17⤵
- Executes dropped EXE
PID:3060 -
\??\c:\5lrxrrx.exec:\5lrxrrx.exe18⤵
- Executes dropped EXE
PID:2080 -
\??\c:\dvjjp.exec:\dvjjp.exe19⤵
- Executes dropped EXE
PID:1852 -
\??\c:\frxrrrr.exec:\frxrrrr.exe20⤵
- Executes dropped EXE
PID:2584 -
\??\c:\bnhhnt.exec:\bnhhnt.exe21⤵
- Executes dropped EXE
PID:656 -
\??\c:\3pvpp.exec:\3pvpp.exe22⤵
- Executes dropped EXE
PID:1296 -
\??\c:\9tnnhn.exec:\9tnnhn.exe23⤵
- Executes dropped EXE
PID:2192 -
\??\c:\bbtbbh.exec:\bbtbbh.exe24⤵
- Executes dropped EXE
PID:1800 -
\??\c:\660486.exec:\660486.exe25⤵
- Executes dropped EXE
PID:1720 -
\??\c:\2046282.exec:\2046282.exe26⤵
- Executes dropped EXE
PID:1460 -
\??\c:\826864.exec:\826864.exe27⤵
- Executes dropped EXE
PID:2132 -
\??\c:\nhtttb.exec:\nhtttb.exe28⤵
- Executes dropped EXE
PID:588 -
\??\c:\ddvvd.exec:\ddvvd.exe29⤵
- Executes dropped EXE
PID:2712 -
\??\c:\lxflrrr.exec:\lxflrrr.exe30⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pdpdd.exec:\pdpdd.exe31⤵
- Executes dropped EXE
PID:1752 -
\??\c:\rlxxxfl.exec:\rlxxxfl.exe32⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nbhhhh.exec:\nbhhhh.exe33⤵
- Executes dropped EXE
PID:1524 -
\??\c:\c460644.exec:\c460644.exe34⤵
- Executes dropped EXE
PID:936 -
\??\c:\46800.exec:\46800.exe35⤵
- Executes dropped EXE
PID:2392 -
\??\c:\jddvv.exec:\jddvv.exe36⤵
- Executes dropped EXE
PID:2772 -
\??\c:\9jvpp.exec:\9jvpp.exe37⤵
- Executes dropped EXE
PID:2916 -
\??\c:\868804.exec:\868804.exe38⤵
- Executes dropped EXE
PID:2760 -
\??\c:\64606.exec:\64606.exe39⤵
- Executes dropped EXE
PID:2664 -
\??\c:\fflrxxf.exec:\fflrxxf.exe40⤵
- Executes dropped EXE
PID:2908 -
\??\c:\fxxfllr.exec:\fxxfllr.exe41⤵
- Executes dropped EXE
PID:2952 -
\??\c:\486626.exec:\486626.exe42⤵
- Executes dropped EXE
PID:2688 -
\??\c:\802288.exec:\802288.exe43⤵
- Executes dropped EXE
PID:2684 -
\??\c:\202244.exec:\202244.exe44⤵
- Executes dropped EXE
PID:2672 -
\??\c:\646048.exec:\646048.exe45⤵
- Executes dropped EXE
PID:2680 -
\??\c:\lxlflff.exec:\lxlflff.exe46⤵
- Executes dropped EXE
PID:2240 -
\??\c:\bthbhb.exec:\bthbhb.exe47⤵
- Executes dropped EXE
PID:920 -
\??\c:\264626.exec:\264626.exe48⤵
- Executes dropped EXE
PID:2992 -
\??\c:\g8000.exec:\g8000.exe49⤵
- Executes dropped EXE
PID:2976 -
\??\c:\4244602.exec:\4244602.exe50⤵
- Executes dropped EXE
PID:2168 -
\??\c:\o822440.exec:\o822440.exe51⤵
- Executes dropped EXE
PID:2808 -
\??\c:\42884.exec:\42884.exe52⤵
- Executes dropped EXE
PID:2692 -
\??\c:\s6822.exec:\s6822.exe53⤵
- Executes dropped EXE
PID:680 -
\??\c:\tnbttt.exec:\tnbttt.exe54⤵
- Executes dropped EXE
PID:1944 -
\??\c:\86488.exec:\86488.exe55⤵
- Executes dropped EXE
PID:1856 -
\??\c:\046244.exec:\046244.exe56⤵
- Executes dropped EXE
PID:1652 -
\??\c:\646622.exec:\646622.exe57⤵
- Executes dropped EXE
PID:2728 -
\??\c:\bhnhth.exec:\bhnhth.exe58⤵
- Executes dropped EXE
PID:2584 -
\??\c:\5hhttb.exec:\5hhttb.exe59⤵
- Executes dropped EXE
PID:2044 -
\??\c:\7thhnn.exec:\7thhnn.exe60⤵
- Executes dropped EXE
PID:852 -
\??\c:\9jddd.exec:\9jddd.exe61⤵
- Executes dropped EXE
PID:1452 -
\??\c:\226666.exec:\226666.exe62⤵
- Executes dropped EXE
PID:528 -
\??\c:\dptnb.exec:\dptnb.exe63⤵
- Executes dropped EXE
PID:2668 -
\??\c:\80406.exec:\80406.exe64⤵
- Executes dropped EXE
PID:2128 -
\??\c:\2006666.exec:\2006666.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664 -
\??\c:\c466662.exec:\c466662.exe66⤵PID:2012
-
\??\c:\1nhnhh.exec:\1nhnhh.exe67⤵PID:1940
-
\??\c:\9dpjj.exec:\9dpjj.exe68⤵PID:1792
-
\??\c:\a6288.exec:\a6288.exe69⤵PID:1020
-
\??\c:\9pjjj.exec:\9pjjj.exe70⤵PID:1968
-
\??\c:\4226262.exec:\4226262.exe71⤵PID:1964
-
\??\c:\24600.exec:\24600.exe72⤵PID:1680
-
\??\c:\206666.exec:\206666.exe73⤵PID:484
-
\??\c:\vjpjp.exec:\vjpjp.exe74⤵PID:2360
-
\??\c:\7vvdv.exec:\7vvdv.exe75⤵PID:584
-
\??\c:\0208444.exec:\0208444.exe76⤵PID:1748
-
\??\c:\xfrllxl.exec:\xfrllxl.exe77⤵PID:2736
-
\??\c:\9pvjd.exec:\9pvjd.exe78⤵PID:1900
-
\??\c:\86222.exec:\86222.exe79⤵PID:2780
-
\??\c:\jvdpp.exec:\jvdpp.exe80⤵PID:2304
-
\??\c:\6466640.exec:\6466640.exe81⤵PID:2876
-
\??\c:\hbnntn.exec:\hbnntn.exe82⤵PID:2944
-
\??\c:\thttbb.exec:\thttbb.exe83⤵PID:2908
-
\??\c:\6020606.exec:\6020606.exe84⤵PID:2800
-
\??\c:\q60066.exec:\q60066.exe85⤵PID:2704
-
\??\c:\xlfflfl.exec:\xlfflfl.exe86⤵PID:2524
-
\??\c:\bttntt.exec:\bttntt.exe87⤵PID:272
-
\??\c:\644882.exec:\644882.exe88⤵PID:2848
-
\??\c:\bthttt.exec:\bthttt.exe89⤵PID:2008
-
\??\c:\a8006.exec:\a8006.exe90⤵PID:2880
-
\??\c:\jvddj.exec:\jvddj.exe91⤵PID:1480
-
\??\c:\5xlffrf.exec:\5xlffrf.exe92⤵PID:2888
-
\??\c:\vjjdj.exec:\vjjdj.exe93⤵PID:2864
-
\??\c:\6464444.exec:\6464444.exe94⤵PID:3036
-
\??\c:\htbtnh.exec:\htbtnh.exe95⤵PID:2872
-
\??\c:\646288.exec:\646288.exe96⤵PID:2544
-
\??\c:\3fxrlrx.exec:\3fxrlrx.exe97⤵PID:2348
-
\??\c:\tbttbh.exec:\tbttbh.exe98⤵PID:408
-
\??\c:\3jvvd.exec:\3jvvd.exe99⤵PID:444
-
\??\c:\bnhhnn.exec:\bnhhnn.exe100⤵PID:1248
-
\??\c:\pdjpv.exec:\pdjpv.exe101⤵PID:848
-
\??\c:\o248440.exec:\o248440.exe102⤵PID:2228
-
\??\c:\tnttbt.exec:\tnttbt.exe103⤵PID:1536
-
\??\c:\dvjjp.exec:\dvjjp.exe104⤵PID:2416
-
\??\c:\djjjv.exec:\djjjv.exe105⤵PID:284
-
\??\c:\vpvvv.exec:\vpvvv.exe106⤵PID:1732
-
\??\c:\rlfxrlr.exec:\rlfxrlr.exe107⤵PID:2128
-
\??\c:\vjvvd.exec:\vjvvd.exe108⤵PID:1664
-
\??\c:\frxrrlr.exec:\frxrrlr.exe109⤵PID:2012
-
\??\c:\4628484.exec:\4628484.exe110⤵PID:1940
-
\??\c:\g2480.exec:\g2480.exe111⤵PID:1976
-
\??\c:\4800640.exec:\4800640.exe112⤵PID:1020
-
\??\c:\3hnhnn.exec:\3hnhnn.exe113⤵PID:1640
-
\??\c:\7vjdv.exec:\7vjdv.exe114⤵PID:900
-
\??\c:\o800006.exec:\o800006.exe115⤵PID:1680
-
\??\c:\vjppp.exec:\vjppp.exe116⤵PID:484
-
\??\c:\20200.exec:\20200.exe117⤵PID:1644
-
\??\c:\rlrxrlf.exec:\rlrxrlf.exe118⤵PID:584
-
\??\c:\c422204.exec:\c422204.exe119⤵PID:2836
-
\??\c:\9jdvv.exec:\9jdvv.exe120⤵PID:2852
-
\??\c:\jvjjj.exec:\jvjjj.exe121⤵PID:2936
-
\??\c:\k80626.exec:\k80626.exe122⤵PID:2824