Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 03:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe
-
Size
454KB
-
MD5
e9a35cfdd7204ed6a64f13f710d18c7a
-
SHA1
d5c166db6c72a5bc04bbb60c2f4e220badffc973
-
SHA256
e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d
-
SHA512
ed17ab6f4eb52524a0a0e6e95d158ca13804a71842ca9960ad0b7f12e094809055456e0488d1674f733b206d5bc66a62403a87b232e16f16c0d16bf7965cb9dd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/2312-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-59-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2792-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1384-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-154-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1524-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-201-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon 
behavioral1/memory/1820-218-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1868-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-262-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1712-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-272-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/496-281-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/496-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-291-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1948-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-340-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3040-351-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2260-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-371-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1204-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/272-403-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1616-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-442-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/316-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2968-457-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/888-464-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2516-609-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2716-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1136-756-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/1284-811-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2344-861-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2840-899-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2844-906-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-1022-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1104-1041-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-1055-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-1062-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/756-1112-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1312-1277-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1280 tnntbbt.exe 2080 jjddp.exe 1964 424482.exe 2732 lffxrfx.exe 2784 rxxlfrf.exe 2792 42062.exe 3024 hhtntn.exe 2928 08046.exe 2892 hbnntn.exe 2656 9thntt.exe 1480 640062.exe 1736 bnbbnt.exe 2940 jvjjv.exe 1824 ffrrffr.exe 1384 080066.exe 316 046848.exe 1524 042840.exe 3004 42068.exe 2100 868860.exe 2280 86666.exe 448 a2402.exe 1248 3hnbhh.exe 1820 60884.exe 1868 640688.exe 896 a2628.exe 2512 82824.exe 2620 7jppj.exe 1712 frlxxxf.exe 2592 3dpvd.exe 496 1lxxxxx.exe 2540 5xxrxxx.exe 2120 btnnhh.exe 2184 4284400.exe 2296 rxrllxl.exe 1948 0828446.exe 348 hbtbhh.exe 2140 882062.exe 2732 xlrrxxx.exe 3040 jjpdj.exe 2888 64228.exe 2260 5vdjj.exe 2832 2646242.exe 2804 m4846.exe 2812 jdvdd.exe 2760 446862.exe 1204 e48046.exe 272 bbnttt.exe 2068 bthntb.exe 1736 q60640.exe 2444 5djvj.exe 1616 3bthtb.exe 2980 xrlrxxf.exe 888 7ddpj.exe 316 3lxxlrf.exe 2968 hbthth.exe 2680 608488.exe 2572 djdpv.exe 2040 6084002.exe 408 u800604.exe 2456 606240.exe 1064 5xrxflr.exe 300 e04462.exe 2496 bthtnh.exe 3052 vjddj.exe -
resource yara_rule behavioral1/memory/2312-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-267-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2592-272-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/496-281-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/496-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-291-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1948-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-340-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2260-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/272-403-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1616-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/400-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-609-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2716-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-811-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2240-824-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2344-861-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2744-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-899-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3000-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-1023-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-1055-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-1062-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/756-1112-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2312-1125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-1205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-1218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-1243-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1952-1268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-1277-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by reading the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o828068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c208002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2312 wrote to memory of 1280 2312 e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe 31 PID 2312 wrote to memory of 1280 2312 e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe 31 PID 2312 wrote to memory of 1280 2312 e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe 31 PID 2312 wrote to memory of 1280 2312 e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe 31 PID 1280 wrote to memory of 2080 1280 tnntbbt.exe 32 PID 1280 wrote to memory of 2080 1280 tnntbbt.exe 32 PID 1280 wrote to memory of 2080 1280 tnntbbt.exe 32 PID 1280 wrote to memory of 2080 1280 tnntbbt.exe 32 PID 2080 wrote to memory of 1964 2080 jjddp.exe 33 PID 2080 wrote to memory of 1964 2080 jjddp.exe 33 PID 2080 wrote to memory of 1964 2080 jjddp.exe 33 PID 2080 wrote to memory of 1964 2080 jjddp.exe 33 PID 1964 wrote to memory of 2732 1964 424482.exe 34 PID 1964 wrote to memory of 2732 1964 424482.exe 34 PID 1964 wrote to memory of 2732 1964 424482.exe 34 PID 1964 wrote to memory of 2732 1964 424482.exe 34 PID 2732 wrote to memory of 2784 2732 lffxrfx.exe 35 PID 2732 wrote to memory of 2784 2732 lffxrfx.exe 35 PID 2732 wrote to memory of 2784 2732 lffxrfx.exe 35 PID 2732 wrote to memory of 2784 2732 lffxrfx.exe 35 PID 2784 wrote to memory of 2792 2784 rxxlfrf.exe 36 PID 2784 wrote to memory of 2792 2784 rxxlfrf.exe 36 PID 2784 wrote to memory of 2792 2784 rxxlfrf.exe 36 PID 2784 wrote to memory of 2792 2784 rxxlfrf.exe 36 PID 2792 wrote to memory of 3024 2792 42062.exe 37 PID 2792 wrote to memory of 3024 2792 42062.exe 37 PID 2792 wrote to memory of 3024 2792 42062.exe 37 PID 2792 wrote to memory of 3024 2792 42062.exe 37 PID 3024 wrote to memory of 2928 3024 hhtntn.exe 38 PID 3024 wrote to memory of 2928 3024 hhtntn.exe 38 PID 3024 wrote to memory of 2928 3024 hhtntn.exe 38 PID 3024 wrote to memory of 2928 3024 hhtntn.exe 38 PID 2928 wrote to memory of 2892 2928 08046.exe 39 PID 2928 
wrote to memory of 2892 2928 08046.exe 39 PID 2928 wrote to memory of 2892 2928 08046.exe 39 PID 2928 wrote to memory of 2892 2928 08046.exe 39 PID 2892 wrote to memory of 2656 2892 hbnntn.exe 40 PID 2892 wrote to memory of 2656 2892 hbnntn.exe 40 PID 2892 wrote to memory of 2656 2892 hbnntn.exe 40 PID 2892 wrote to memory of 2656 2892 hbnntn.exe 40 PID 2656 wrote to memory of 1480 2656 9thntt.exe 41 PID 2656 wrote to memory of 1480 2656 9thntt.exe 41 PID 2656 wrote to memory of 1480 2656 9thntt.exe 41 PID 2656 wrote to memory of 1480 2656 9thntt.exe 41 PID 1480 wrote to memory of 1736 1480 640062.exe 42 PID 1480 wrote to memory of 1736 1480 640062.exe 42 PID 1480 wrote to memory of 1736 1480 640062.exe 42 PID 1480 wrote to memory of 1736 1480 640062.exe 42 PID 1736 wrote to memory of 2940 1736 bnbbnt.exe 43 PID 1736 wrote to memory of 2940 1736 bnbbnt.exe 43 PID 1736 wrote to memory of 2940 1736 bnbbnt.exe 43 PID 1736 wrote to memory of 2940 1736 bnbbnt.exe 43 PID 2940 wrote to memory of 1824 2940 jvjjv.exe 44 PID 2940 wrote to memory of 1824 2940 jvjjv.exe 44 PID 2940 wrote to memory of 1824 2940 jvjjv.exe 44 PID 2940 wrote to memory of 1824 2940 jvjjv.exe 44 PID 1824 wrote to memory of 1384 1824 ffrrffr.exe 45 PID 1824 wrote to memory of 1384 1824 ffrrffr.exe 45 PID 1824 wrote to memory of 1384 1824 ffrrffr.exe 45 PID 1824 wrote to memory of 1384 1824 ffrrffr.exe 45 PID 1384 wrote to memory of 316 1384 080066.exe 46 PID 1384 wrote to memory of 316 1384 080066.exe 46 PID 1384 wrote to memory of 316 1384 080066.exe 46 PID 1384 wrote to memory of 316 1384 080066.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe"C:\Users\Admin\AppData\Local\Temp\e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\tnntbbt.exec:\tnntbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\jjddp.exec:\jjddp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\424482.exec:\424482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\lffxrfx.exec:\lffxrfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\rxxlfrf.exec:\rxxlfrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\42062.exec:\42062.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\hhtntn.exec:\hhtntn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\08046.exec:\08046.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\hbnntn.exec:\hbnntn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\9thntt.exec:\9thntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\640062.exec:\640062.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\bnbbnt.exec:\bnbbnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\jvjjv.exec:\jvjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\ffrrffr.exec:\ffrrffr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\080066.exec:\080066.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\046848.exec:\046848.exe17⤵
- Executes dropped EXE
PID:316 -
\??\c:\042840.exec:\042840.exe18⤵
- Executes dropped EXE
PID:1524 -
\??\c:\42068.exec:\42068.exe19⤵
- Executes dropped EXE
PID:3004 -
\??\c:\868860.exec:\868860.exe20⤵
- Executes dropped EXE
PID:2100 -
\??\c:\86666.exec:\86666.exe21⤵
- Executes dropped EXE
PID:2280 -
\??\c:\a2402.exec:\a2402.exe22⤵
- Executes dropped EXE
PID:448 -
\??\c:\3hnbhh.exec:\3hnbhh.exe23⤵
- Executes dropped EXE
PID:1248 -
\??\c:\60884.exec:\60884.exe24⤵
- Executes dropped EXE
PID:1820 -
\??\c:\640688.exec:\640688.exe25⤵
- Executes dropped EXE
PID:1868 -
\??\c:\a2628.exec:\a2628.exe26⤵
- Executes dropped EXE
PID:896 -
\??\c:\82824.exec:\82824.exe27⤵
- Executes dropped EXE
PID:2512 -
\??\c:\7jppj.exec:\7jppj.exe28⤵
- Executes dropped EXE
PID:2620 -
\??\c:\frlxxxf.exec:\frlxxxf.exe29⤵
- Executes dropped EXE
PID:1712 -
\??\c:\3dpvd.exec:\3dpvd.exe30⤵
- Executes dropped EXE
PID:2592 -
\??\c:\1lxxxxx.exec:\1lxxxxx.exe31⤵
- Executes dropped EXE
PID:496 -
\??\c:\5xxrxxx.exec:\5xxrxxx.exe32⤵
- Executes dropped EXE
PID:2540 -
\??\c:\btnnhh.exec:\btnnhh.exe33⤵
- Executes dropped EXE
PID:2120 -
\??\c:\4284400.exec:\4284400.exe34⤵
- Executes dropped EXE
PID:2184 -
\??\c:\rxrllxl.exec:\rxrllxl.exe35⤵
- Executes dropped EXE
PID:2296 -
\??\c:\0828446.exec:\0828446.exe36⤵
- Executes dropped EXE
PID:1948 -
\??\c:\hbtbhh.exec:\hbtbhh.exe37⤵
- Executes dropped EXE
PID:348 -
\??\c:\882062.exec:\882062.exe38⤵
- Executes dropped EXE
PID:2140 -
\??\c:\xlrrxxx.exec:\xlrrxxx.exe39⤵
- Executes dropped EXE
PID:2732 -
\??\c:\jjpdj.exec:\jjpdj.exe40⤵
- Executes dropped EXE
PID:3040 -
\??\c:\64228.exec:\64228.exe41⤵
- Executes dropped EXE
PID:2888 -
\??\c:\5vdjj.exec:\5vdjj.exe42⤵
- Executes dropped EXE
PID:2260 -
\??\c:\2646242.exec:\2646242.exe43⤵
- Executes dropped EXE
PID:2832 -
\??\c:\m4846.exec:\m4846.exe44⤵
- Executes dropped EXE
PID:2804 -
\??\c:\jdvdd.exec:\jdvdd.exe45⤵
- Executes dropped EXE
PID:2812 -
\??\c:\446862.exec:\446862.exe46⤵
- Executes dropped EXE
PID:2760 -
\??\c:\e48046.exec:\e48046.exe47⤵
- Executes dropped EXE
PID:1204 -
\??\c:\bbnttt.exec:\bbnttt.exe48⤵
- Executes dropped EXE
PID:272 -
\??\c:\bthntb.exec:\bthntb.exe49⤵
- Executes dropped EXE
PID:2068 -
\??\c:\q60640.exec:\q60640.exe50⤵
- Executes dropped EXE
PID:1736 -
\??\c:\5djvj.exec:\5djvj.exe51⤵
- Executes dropped EXE
PID:2444 -
\??\c:\3bthtb.exec:\3bthtb.exe52⤵
- Executes dropped EXE
PID:1616 -
\??\c:\xrlrxxf.exec:\xrlrxxf.exe53⤵
- Executes dropped EXE
PID:2980 -
\??\c:\7ddpj.exec:\7ddpj.exe54⤵
- Executes dropped EXE
PID:888 -
\??\c:\3lxxlrf.exec:\3lxxlrf.exe55⤵
- Executes dropped EXE
PID:316 -
\??\c:\hbthth.exec:\hbthth.exe56⤵
- Executes dropped EXE
PID:2968 -
\??\c:\608488.exec:\608488.exe57⤵
- Executes dropped EXE
PID:2680 -
\??\c:\djdpv.exec:\djdpv.exe58⤵
- Executes dropped EXE
PID:2572 -
\??\c:\6084002.exec:\6084002.exe59⤵
- Executes dropped EXE
PID:2040 -
\??\c:\u800604.exec:\u800604.exe60⤵
- Executes dropped EXE
PID:408 -
\??\c:\606240.exec:\606240.exe61⤵
- Executes dropped EXE
PID:2456 -
\??\c:\5xrxflr.exec:\5xrxflr.exe62⤵
- Executes dropped EXE
PID:1064 -
\??\c:\e04462.exec:\e04462.exe63⤵
- Executes dropped EXE
PID:300 -
\??\c:\bthtnh.exec:\bthtnh.exe64⤵
- Executes dropped EXE
PID:2496 -
\??\c:\vjddj.exec:\vjddj.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
\??\c:\nhttbt.exec:\nhttbt.exe66⤵PID:676
-
\??\c:\nnbnth.exec:\nnbnth.exe67⤵PID:1656
-
\??\c:\lxllfxf.exec:\lxllfxf.exe68⤵PID:1716
-
\??\c:\42062.exec:\42062.exe69⤵PID:3060
-
\??\c:\66688.exec:\66688.exe70⤵PID:2608
-
\??\c:\60820.exec:\60820.exe71⤵PID:1712
-
\??\c:\02826.exec:\02826.exe72⤵PID:1956
-
\??\c:\lfrrxrx.exec:\lfrrxrx.exe73⤵PID:400
-
\??\c:\08480.exec:\08480.exe74⤵PID:1700
-
\??\c:\1rlrxfl.exec:\1rlrxfl.exe75⤵PID:876
-
\??\c:\1bbbhh.exec:\1bbbhh.exe76⤵PID:1708
-
\??\c:\jpdjd.exec:\jpdjd.exe77⤵PID:2304
-
\??\c:\llfrxrf.exec:\llfrxrf.exe78⤵PID:2376
-
\??\c:\vjvdj.exec:\vjvdj.exe79⤵PID:1440
-
\??\c:\042806.exec:\042806.exe80⤵PID:2516
-
\??\c:\820206.exec:\820206.exe81⤵PID:2780
-
\??\c:\4428666.exec:\4428666.exe82⤵PID:2852
-
\??\c:\vppvp.exec:\vppvp.exe83⤵PID:2884
-
\??\c:\tnbbbb.exec:\tnbbbb.exe84⤵PID:2236
-
\??\c:\a6406.exec:\a6406.exe85⤵PID:2460
-
\??\c:\s2002.exec:\s2002.exe86⤵PID:2900
-
\??\c:\tbntbt.exec:\tbntbt.exe87⤵PID:2944
-
\??\c:\08006.exec:\08006.exe88⤵PID:2808
-
\??\c:\7bhbtn.exec:\7bhbtn.exe89⤵PID:2716
-
\??\c:\ttntnn.exec:\ttntnn.exe90⤵PID:2688
-
\??\c:\frfrxrx.exec:\frfrxrx.exe91⤵PID:704
-
\??\c:\rfxxxxx.exec:\rfxxxxx.exe92⤵PID:340
-
\??\c:\frrxlll.exec:\frrxlll.exe93⤵PID:2948
-
\??\c:\thtntn.exec:\thtntn.exe94⤵PID:1356
-
\??\c:\828400.exec:\828400.exe95⤵PID:1272
-
\??\c:\1pdvj.exec:\1pdvj.exe96⤵PID:1996
-
\??\c:\hbhtnn.exec:\hbhtnn.exe97⤵PID:1988
-
\??\c:\pdjpj.exec:\pdjpj.exe98⤵PID:2972
-
\??\c:\htthnn.exec:\htthnn.exe99⤵PID:3000
-
\??\c:\frxxffl.exec:\frxxffl.exe100⤵PID:2300
-
\??\c:\ntnbhb.exec:\ntnbhb.exe101⤵PID:2596
-
\??\c:\hbnnnh.exec:\hbnnnh.exe102⤵PID:1904
-
\??\c:\04620.exec:\04620.exe103⤵PID:2292
-
\??\c:\k62288.exec:\k62288.exe104⤵PID:1136
-
\??\c:\jdpjj.exec:\jdpjj.exe105⤵PID:1592
-
\??\c:\9lxxffl.exec:\9lxxffl.exe106⤵PID:2456
-
\??\c:\02044.exec:\02044.exe107⤵PID:1636
-
\??\c:\86402.exec:\86402.exe108⤵PID:1684
-
\??\c:\dpdvj.exec:\dpdvj.exe109⤵PID:908
-
\??\c:\5nbttb.exec:\5nbttb.exe110⤵PID:912
-
\??\c:\nhbbnh.exec:\nhbbnh.exe111⤵PID:1388
-
\??\c:\4244602.exec:\4244602.exe112⤵PID:1284
-
\??\c:\46888.exec:\46888.exe113⤵PID:3020
-
\??\c:\u206884.exec:\u206884.exe114⤵PID:2612
-
\??\c:\20884.exec:\20884.exe115⤵PID:2240
-
\??\c:\s2006.exec:\s2006.exe116⤵PID:1760
-
\??\c:\2406602.exec:\2406602.exe117⤵PID:1884
-
\??\c:\622622.exec:\622622.exe118⤵PID:1160
-
\??\c:\llxflll.exec:\llxflll.exe119⤵PID:3068
-
\??\c:\862288.exec:\862288.exe120⤵PID:2344
-
\??\c:\08668.exec:\08668.exe121⤵PID:768
-
\??\c:\26446.exec:\26446.exe122⤵PID:2296