Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe
-
Size
454KB
-
MD5
3e30647e9c2965c84324601a062a7fbd
-
SHA1
b6f24d9722d86d643c40ad76f8ab42f57d6dd639
-
SHA256
fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653
-
SHA512
ac3acd9128748f61ce4a13b075f0e9ef7d44c1a6995f750f48524f89078d49f378051992e6c29053eed659ff03e06817a6bd9b3d3e33465f6feb41a99f7efda4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2368-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-83-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2704-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/816-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-138-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2972-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-157-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2332-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2156-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-619-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2960-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-670-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1712-669-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-676-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1712-692-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1324-724-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2872-862-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2788-875-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-906-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2152-925-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2128-1384-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2408 u444668.exe 2368 hbthtb.exe 2592 1vjpj.exe 1668 rrflrrf.exe 1780 822264.exe 2912 vjvpv.exe 2808 60880.exe 2900 9jvpv.exe 2704 i200280.exe 2684 e40622.exe 816 pjvpp.exe 1552 xrlxxfl.exe 3036 482000.exe 2972 g6228.exe 3028 bthhtb.exe 1976 642888.exe 1972 i460066.exe 856 bnntbb.exe 1960 420206.exe 2332 o080224.exe 2156 vvvvd.exe 848 nhthtn.exe 1044 04224.exe 236 xlffflf.exe 2636 86846.exe 1696 vjdjv.exe 2656 5hbntb.exe 2564 606000.exe 2472 3fllllr.exe 1876 2680224.exe 2512 w22246.exe 1048 3bnnbh.exe 2368 26068.exe 2648 rrxlrrf.exe 1512 8204800.exe 2604 60884.exe 1020 pjdpv.exe 1664 lfrrrxf.exe 2888 pdjjp.exe 2932 9jjpv.exe 2248 btnttt.exe 2716 20280.exe 2364 rfxfrlx.exe 2924 8206222.exe 2692 42802.exe 2760 u428840.exe 2488 lfxlrfx.exe 1900 664688.exe 1968 ffrrrlr.exe 2908 0806446.exe 2984 046246.exe 2972 dpvdj.exe 636 hbtthh.exe 2372 vpjpj.exe 1568 fxllrrx.exe 2012 680084.exe 1948 246622.exe 1952 dvdpd.exe 2252 rrxxrlx.exe 1908 024022.exe 2444 2626822.exe 848 8602802.exe 1268 8646822.exe 1028 646688.exe -
resource yara_rule behavioral1/memory/2368-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-83-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2704-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-100-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/816-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-211-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/236-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-958-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2264-1014-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-1046-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-1066-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-1124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-1137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-1236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-1261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-1286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-1329-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfllrf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2600000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4022002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4682222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2020 wrote to memory of 2408 2020 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 30 PID 2020 wrote to memory of 2408 2020 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 30 PID 2020 wrote to memory of 2408 2020 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 30 PID 2020 wrote to memory of 2408 2020 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 30 PID 2408 wrote to memory of 2368 2408 u444668.exe 31 PID 2408 wrote to memory of 2368 2408 u444668.exe 31 PID 2408 wrote to memory of 2368 2408 u444668.exe 31 PID 2408 wrote to memory of 2368 2408 u444668.exe 31 PID 2368 wrote to memory of 2592 2368 hbthtb.exe 32 PID 2368 wrote to memory of 2592 2368 hbthtb.exe 32 PID 2368 wrote to memory of 2592 2368 hbthtb.exe 32 PID 2368 wrote to memory of 2592 2368 hbthtb.exe 32 PID 2592 wrote to memory of 1668 2592 1vjpj.exe 33 PID 2592 wrote to memory of 1668 2592 1vjpj.exe 33 PID 2592 wrote to memory of 1668 2592 1vjpj.exe 33 PID 2592 wrote to memory of 1668 2592 1vjpj.exe 33 PID 1668 wrote to memory of 1780 1668 rrflrrf.exe 34 PID 1668 wrote to memory of 1780 1668 rrflrrf.exe 34 PID 1668 wrote to memory of 1780 1668 rrflrrf.exe 34 PID 1668 wrote to memory of 1780 1668 rrflrrf.exe 34 PID 1780 wrote to memory of 2912 1780 822264.exe 35 PID 1780 wrote to memory of 2912 1780 822264.exe 35 PID 1780 wrote to memory of 2912 1780 822264.exe 35 PID 1780 wrote to memory of 2912 1780 822264.exe 35 PID 2912 wrote to memory of 2808 2912 vjvpv.exe 36 PID 2912 wrote to memory of 2808 2912 vjvpv.exe 36 PID 2912 wrote to memory of 2808 2912 vjvpv.exe 36 PID 2912 wrote to memory of 2808 2912 vjvpv.exe 36 PID 2808 wrote to memory of 2900 2808 60880.exe 37 PID 2808 wrote to memory of 2900 2808 60880.exe 37 PID 2808 wrote to memory of 2900 2808 60880.exe 37 PID 2808 wrote to memory of 2900 2808 60880.exe 37 PID 2900 wrote to memory of 2704 2900 9jvpv.exe 38 PID 2900 wrote to 
memory of 2704 2900 9jvpv.exe 38 PID 2900 wrote to memory of 2704 2900 9jvpv.exe 38 PID 2900 wrote to memory of 2704 2900 9jvpv.exe 38 PID 2704 wrote to memory of 2684 2704 i200280.exe 40 PID 2704 wrote to memory of 2684 2704 i200280.exe 40 PID 2704 wrote to memory of 2684 2704 i200280.exe 40 PID 2704 wrote to memory of 2684 2704 i200280.exe 40 PID 2684 wrote to memory of 816 2684 e40622.exe 41 PID 2684 wrote to memory of 816 2684 e40622.exe 41 PID 2684 wrote to memory of 816 2684 e40622.exe 41 PID 2684 wrote to memory of 816 2684 e40622.exe 41 PID 816 wrote to memory of 1552 816 pjvpp.exe 42 PID 816 wrote to memory of 1552 816 pjvpp.exe 42 PID 816 wrote to memory of 1552 816 pjvpp.exe 42 PID 816 wrote to memory of 1552 816 pjvpp.exe 42 PID 1552 wrote to memory of 3036 1552 xrlxxfl.exe 43 PID 1552 wrote to memory of 3036 1552 xrlxxfl.exe 43 PID 1552 wrote to memory of 3036 1552 xrlxxfl.exe 43 PID 1552 wrote to memory of 3036 1552 xrlxxfl.exe 43 PID 3036 wrote to memory of 2972 3036 482000.exe 44 PID 3036 wrote to memory of 2972 3036 482000.exe 44 PID 3036 wrote to memory of 2972 3036 482000.exe 44 PID 3036 wrote to memory of 2972 3036 482000.exe 44 PID 2972 wrote to memory of 3028 2972 g6228.exe 45 PID 2972 wrote to memory of 3028 2972 g6228.exe 45 PID 2972 wrote to memory of 3028 2972 g6228.exe 45 PID 2972 wrote to memory of 3028 2972 g6228.exe 45 PID 3028 wrote to memory of 1976 3028 bthhtb.exe 46 PID 3028 wrote to memory of 1976 3028 bthhtb.exe 46 PID 3028 wrote to memory of 1976 3028 bthhtb.exe 46 PID 3028 wrote to memory of 1976 3028 bthhtb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe"C:\Users\Admin\AppData\Local\Temp\fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\u444668.exec:\u444668.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\hbthtb.exec:\hbthtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\1vjpj.exec:\1vjpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\rrflrrf.exec:\rrflrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\822264.exec:\822264.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\vjvpv.exec:\vjvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\60880.exec:\60880.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\9jvpv.exec:\9jvpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\i200280.exec:\i200280.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\e40622.exec:\e40622.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\pjvpp.exec:\pjvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\xrlxxfl.exec:\xrlxxfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\482000.exec:\482000.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\g6228.exec:\g6228.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\bthhtb.exec:\bthhtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\642888.exec:\642888.exe17⤵
- Executes dropped EXE
PID:1976 -
\??\c:\i460066.exec:\i460066.exe18⤵
- Executes dropped EXE
PID:1972 -
\??\c:\bnntbb.exec:\bnntbb.exe19⤵
- Executes dropped EXE
PID:856 -
\??\c:\420206.exec:\420206.exe20⤵
- Executes dropped EXE
PID:1960 -
\??\c:\o080224.exec:\o080224.exe21⤵
- Executes dropped EXE
PID:2332 -
\??\c:\vvvvd.exec:\vvvvd.exe22⤵
- Executes dropped EXE
PID:2156 -
\??\c:\nhthtn.exec:\nhthtn.exe23⤵
- Executes dropped EXE
PID:848 -
\??\c:\04224.exec:\04224.exe24⤵
- Executes dropped EXE
PID:1044 -
\??\c:\xlffflf.exec:\xlffflf.exe25⤵
- Executes dropped EXE
PID:236 -
\??\c:\86846.exec:\86846.exe26⤵
- Executes dropped EXE
PID:2636 -
\??\c:\vjdjv.exec:\vjdjv.exe27⤵
- Executes dropped EXE
PID:1696 -
\??\c:\5hbntb.exec:\5hbntb.exe28⤵
- Executes dropped EXE
PID:2656 -
\??\c:\606000.exec:\606000.exe29⤵
- Executes dropped EXE
PID:2564 -
\??\c:\3fllllr.exec:\3fllllr.exe30⤵
- Executes dropped EXE
PID:2472 -
\??\c:\2680224.exec:\2680224.exe31⤵
- Executes dropped EXE
PID:1876 -
\??\c:\w22246.exec:\w22246.exe32⤵
- Executes dropped EXE
PID:2512 -
\??\c:\3bnnbh.exec:\3bnnbh.exe33⤵
- Executes dropped EXE
PID:1048 -
\??\c:\26068.exec:\26068.exe34⤵
- Executes dropped EXE
PID:2368 -
\??\c:\rrxlrrf.exec:\rrxlrrf.exe35⤵
- Executes dropped EXE
PID:2648 -
\??\c:\8204800.exec:\8204800.exe36⤵
- Executes dropped EXE
PID:1512 -
\??\c:\60884.exec:\60884.exe37⤵
- Executes dropped EXE
PID:2604 -
\??\c:\pjdpv.exec:\pjdpv.exe38⤵
- Executes dropped EXE
PID:1020 -
\??\c:\lfrrrxf.exec:\lfrrrxf.exe39⤵
- Executes dropped EXE
PID:1664 -
\??\c:\pdjjp.exec:\pdjjp.exe40⤵
- Executes dropped EXE
PID:2888 -
\??\c:\9jjpv.exec:\9jjpv.exe41⤵
- Executes dropped EXE
PID:2932 -
\??\c:\btnttt.exec:\btnttt.exe42⤵
- Executes dropped EXE
PID:2248 -
\??\c:\20280.exec:\20280.exe43⤵
- Executes dropped EXE
PID:2716 -
\??\c:\rfxfrlx.exec:\rfxfrlx.exe44⤵
- Executes dropped EXE
PID:2364 -
\??\c:\8206222.exec:\8206222.exe45⤵
- Executes dropped EXE
PID:2924 -
\??\c:\42802.exec:\42802.exe46⤵
- Executes dropped EXE
PID:2692 -
\??\c:\u428840.exec:\u428840.exe47⤵
- Executes dropped EXE
PID:2760 -
\??\c:\lfxlrfx.exec:\lfxlrfx.exe48⤵
- Executes dropped EXE
PID:2488 -
\??\c:\664688.exec:\664688.exe49⤵
- Executes dropped EXE
PID:1900 -
\??\c:\ffrrrlr.exec:\ffrrrlr.exe50⤵
- Executes dropped EXE
PID:1968 -
\??\c:\0806446.exec:\0806446.exe51⤵
- Executes dropped EXE
PID:2908 -
\??\c:\046246.exec:\046246.exe52⤵
- Executes dropped EXE
PID:2984 -
\??\c:\dpvdj.exec:\dpvdj.exe53⤵
- Executes dropped EXE
PID:2972 -
\??\c:\hbtthh.exec:\hbtthh.exe54⤵
- Executes dropped EXE
PID:636 -
\??\c:\vpjpj.exec:\vpjpj.exe55⤵
- Executes dropped EXE
PID:2372 -
\??\c:\fxllrrx.exec:\fxllrrx.exe56⤵
- Executes dropped EXE
PID:1568 -
\??\c:\680084.exec:\680084.exe57⤵
- Executes dropped EXE
PID:2012 -
\??\c:\246622.exec:\246622.exe58⤵
- Executes dropped EXE
PID:1948 -
\??\c:\dvdpd.exec:\dvdpd.exe59⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rrxxrlx.exec:\rrxxrlx.exe60⤵
- Executes dropped EXE
PID:2252 -
\??\c:\024022.exec:\024022.exe61⤵
- Executes dropped EXE
PID:1908 -
\??\c:\2626822.exec:\2626822.exe62⤵
- Executes dropped EXE
PID:2444 -
\??\c:\8602802.exec:\8602802.exe63⤵
- Executes dropped EXE
PID:848 -
\??\c:\8646822.exec:\8646822.exe64⤵
- Executes dropped EXE
PID:1268 -
\??\c:\646688.exec:\646688.exe65⤵
- Executes dropped EXE
PID:1028 -
\??\c:\820066.exec:\820066.exe66⤵PID:1588
-
\??\c:\g6888.exec:\g6888.exe67⤵PID:1488
-
\??\c:\08482.exec:\08482.exe68⤵PID:2556
-
\??\c:\800066.exec:\800066.exe69⤵PID:2580
-
\??\c:\3pdpv.exec:\3pdpv.exe70⤵PID:2656
-
\??\c:\42840.exec:\42840.exe71⤵PID:564
-
\??\c:\dvjpd.exec:\dvjpd.exe72⤵PID:2768
-
\??\c:\vjpjv.exec:\vjpjv.exe73⤵PID:1868
-
\??\c:\jvjjv.exec:\jvjjv.exe74⤵PID:1852
-
\??\c:\xlrlrlr.exec:\xlrlrlr.exe75⤵PID:2512
-
\??\c:\9ffrlll.exec:\9ffrlll.exe76⤵PID:2208
-
\??\c:\xrllrrx.exec:\xrllrrx.exe77⤵PID:1880
-
\??\c:\64006.exec:\64006.exe78⤵PID:1472
-
\??\c:\5djvv.exec:\5djvv.exe79⤵PID:2648
-
\??\c:\7jdvv.exec:\7jdvv.exe80⤵PID:1584
-
\??\c:\1pjjp.exec:\1pjjp.exe81⤵PID:2604
-
\??\c:\2666426.exec:\2666426.exe82⤵PID:2812
-
\??\c:\80222.exec:\80222.exe83⤵PID:2532
-
\??\c:\rfxllll.exec:\rfxllll.exe84⤵PID:2880
-
\??\c:\3nbbhh.exec:\3nbbhh.exe85⤵PID:2808
-
\??\c:\46882.exec:\46882.exe86⤵PID:2800
-
\??\c:\5fxfflr.exec:\5fxfflr.exe87⤵PID:2836
-
\??\c:\hhnnbh.exec:\hhnnbh.exe88⤵PID:2960
-
\??\c:\q40682.exec:\q40682.exe89⤵PID:2152
-
\??\c:\c802040.exec:\c802040.exe90⤵PID:440
-
\??\c:\4622266.exec:\4622266.exe91⤵PID:816
-
\??\c:\02440.exec:\02440.exe92⤵PID:1712
-
\??\c:\24820.exec:\24820.exe93⤵PID:2504
-
\??\c:\xrflxxx.exec:\xrflxxx.exe94⤵PID:3036
-
\??\c:\86464.exec:\86464.exe95⤵PID:2984
-
\??\c:\xxflxxr.exec:\xxflxxr.exe96⤵PID:2972
-
\??\c:\xrflrxr.exec:\xrflrxr.exe97⤵PID:2168
-
\??\c:\26284.exec:\26284.exe98⤵PID:2008
-
\??\c:\nhbbnb.exec:\nhbbnb.exe99⤵PID:2276
-
\??\c:\xlffxfl.exec:\xlffxfl.exe100⤵PID:1324
-
\??\c:\046622.exec:\046622.exe101⤵PID:1948
-
\??\c:\lxrrffx.exec:\lxrrffx.exe102⤵PID:1084
-
\??\c:\1lrrxrf.exec:\1lrrxrf.exe103⤵PID:2324
-
\??\c:\1jddp.exec:\1jddp.exe104⤵PID:1296
-
\??\c:\i066280.exec:\i066280.exe105⤵PID:1788
-
\??\c:\7thntt.exec:\7thntt.exe106⤵PID:1792
-
\??\c:\w68860.exec:\w68860.exe107⤵PID:912
-
\??\c:\m6024.exec:\m6024.exe108⤵PID:236
-
\??\c:\5rrlrxf.exec:\5rrlrxf.exe109⤵PID:544
-
\??\c:\26840.exec:\26840.exe110⤵PID:1696
-
\??\c:\66280.exec:\66280.exe111⤵PID:708
-
\??\c:\64880.exec:\64880.exe112⤵PID:2656
-
\??\c:\080022.exec:\080022.exe113⤵PID:2288
-
\??\c:\60402.exec:\60402.exe114⤵PID:2860
-
\??\c:\lxllrrx.exec:\lxllrrx.exe115⤵PID:2196
-
\??\c:\o200628.exec:\o200628.exe116⤵PID:2020
-
\??\c:\frlrxrx.exec:\frlrxrx.exe117⤵PID:1212
-
\??\c:\4860884.exec:\4860884.exe118⤵PID:1648
-
\??\c:\602866.exec:\602866.exe119⤵PID:2396
-
\??\c:\dvjjv.exec:\dvjjv.exe120⤵PID:2100
-
\??\c:\i088002.exec:\i088002.exe121⤵PID:2640
-
\??\c:\m2462.exec:\m2462.exe122⤵PID:2872