Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 22:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
430172fab613bc1c2d64c4dc1453aa7c74f48d6209d91da1bbae0330921960a7.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
430172fab613bc1c2d64c4dc1453aa7c74f48d6209d91da1bbae0330921960a7.exe
-
Size
452KB
-
MD5
164431fb08b2464b7ea0d945fcadf177
-
SHA1
b71f8d1baf1290c144e8828446da026bd06ba393
-
SHA256
430172fab613bc1c2d64c4dc1453aa7c74f48d6209d91da1bbae0330921960a7
-
SHA512
7e9cd05094cd8fc19e6f81536daf4f5ad00622d21ffd1107dbc5071bef81c221a58a7e229b6f6c75b5a1bb8bafd4a6441bc979a899da31bb0009430c33c382d5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/1600-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-131-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1744-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-187-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/636-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1344-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-519-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1808-553-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3060-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-645-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1036-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-851-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2992-858-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-882-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2120-898-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-911-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2796-924-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1856-956-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2784 82602.exe 2928 lrflxfl.exe 2940 i866242.exe 2700 rlxxfxf.exe 2840 nttbbh.exe 2684 64884.exe 2732 4206286.exe 2320 5jddv.exe 2080 20806.exe 2056 bbtbhn.exe 768 lrllxfl.exe 1304 lfrrxfr.exe 2040 48620.exe 1956 1pjpd.exe 1744 8262208.exe 1260 nnhhnt.exe 996 g8646.exe 2212 4884242.exe 2208 04202.exe 2232 26644.exe 636 820206.exe 2448 7htbnb.exe 972 a0280.exe 1044 60284.exe 1344 rrlxflf.exe 2236 rrxxxfr.exe 1268 ppvvj.exe 2368 046684.exe 864 nnhnbn.exe 1988 lflfxxx.exe 1820 i822024.exe 1816 pvjvp.exe 2820 tbbthn.exe 2800 hhttbn.exe 1568 264646.exe 2916 k66206.exe 2984 bhbnhn.exe 1960 pvppd.exe 2868 4880406.exe 2692 ddvdv.exe 2688 044404.exe 2728 lrllxll.exe 2732 hbbthn.exe 2320 6046842.exe 648 u260684.exe 2260 xfxfxfr.exe 2360 bbhbnb.exe 2348 08680.exe 2948 26402.exe 2724 284286.exe 2164 86402.exe 1872 3dpvp.exe 1420 u402222.exe 1036 9xrrxfx.exe 2860 5bhhtt.exe 1480 224068.exe 2192 0428408.exe 2224 bntnnb.exe 2632 hhtnbt.exe 1672 7xlflfl.exe 624 bbtnbh.exe 2460 c688028.exe 1584 btntbh.exe 1060 pdpjj.exe -
resource yara_rule behavioral1/memory/1600-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-51-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2684-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-187-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/636-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-206-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1044-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-820-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2992-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-859-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-924-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2052-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-999-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Entries marked "Process not Found" are registry reads the sandbox observed but could not attribute to a still-running process at logging time, so the per-process IoC list understates which binaries performed the check.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxflllr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2088480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4240286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xllfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pddj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1600 wrote to memory of 2784 1600 430172fab613bc1c2d64c4dc1453aa7c74f48d6209d91da1bbae0330921960a7.exe 30 PID 1600 wrote to memory of 2784 1600 430172fab613bc1c2d64c4dc1453aa7c74f48d6209d91da1bbae0330921960a7.exe 30 PID 1600 wrote to memory of 2784 1600 430172fab613bc1c2d64c4dc1453aa7c74f48d6209d91da1bbae0330921960a7.exe 30 PID 1600 wrote to memory of 2784 1600 430172fab613bc1c2d64c4dc1453aa7c74f48d6209d91da1bbae0330921960a7.exe 30 PID 2784 wrote to memory of 2928 2784 82602.exe 31 PID 2784 wrote to memory of 2928 2784 82602.exe 31 PID 2784 wrote to memory of 2928 2784 82602.exe 31 PID 2784 wrote to memory of 2928 2784 82602.exe 31 PID 2928 wrote to memory of 2940 2928 lrflxfl.exe 32 PID 2928 wrote to memory of 2940 2928 lrflxfl.exe 32 PID 2928 wrote to memory of 2940 2928 lrflxfl.exe 32 PID 2928 wrote to memory of 2940 2928 lrflxfl.exe 32 PID 2940 wrote to memory of 2700 2940 i866242.exe 33 PID 2940 wrote to memory of 2700 2940 i866242.exe 33 PID 2940 wrote to memory of 2700 2940 i866242.exe 33 PID 2940 wrote to memory of 2700 2940 i866242.exe 33 PID 2700 wrote to memory of 2840 2700 rlxxfxf.exe 34 PID 2700 wrote to memory of 2840 2700 rlxxfxf.exe 34 PID 2700 wrote to memory of 2840 2700 rlxxfxf.exe 34 PID 2700 wrote to memory of 2840 2700 rlxxfxf.exe 34 PID 2840 wrote to memory of 2684 2840 nttbbh.exe 35 PID 2840 wrote to memory of 2684 2840 nttbbh.exe 35 PID 2840 wrote to memory of 2684 2840 nttbbh.exe 35 PID 2840 wrote to memory of 2684 2840 nttbbh.exe 35 PID 2684 wrote to memory of 2732 2684 64884.exe 36 PID 2684 wrote to memory of 2732 2684 64884.exe 36 PID 2684 wrote to memory of 2732 2684 64884.exe 36 PID 2684 wrote to memory of 2732 2684 64884.exe 36 PID 2732 wrote to memory of 2320 2732 4206286.exe 37 PID 2732 wrote to memory of 2320 2732 4206286.exe 37 PID 2732 wrote to memory of 2320 2732 4206286.exe 37 PID 2732 wrote to memory of 2320 2732 4206286.exe 37 PID 2320 wrote to memory of 2080 2320 5jddv.exe 38 PID 
2320 wrote to memory of 2080 2320 5jddv.exe 38 PID 2320 wrote to memory of 2080 2320 5jddv.exe 38 PID 2320 wrote to memory of 2080 2320 5jddv.exe 38 PID 2080 wrote to memory of 2056 2080 20806.exe 39 PID 2080 wrote to memory of 2056 2080 20806.exe 39 PID 2080 wrote to memory of 2056 2080 20806.exe 39 PID 2080 wrote to memory of 2056 2080 20806.exe 39 PID 2056 wrote to memory of 768 2056 bbtbhn.exe 40 PID 2056 wrote to memory of 768 2056 bbtbhn.exe 40 PID 2056 wrote to memory of 768 2056 bbtbhn.exe 40 PID 2056 wrote to memory of 768 2056 bbtbhn.exe 40 PID 768 wrote to memory of 1304 768 lrllxfl.exe 41 PID 768 wrote to memory of 1304 768 lrllxfl.exe 41 PID 768 wrote to memory of 1304 768 lrllxfl.exe 41 PID 768 wrote to memory of 1304 768 lrllxfl.exe 41 PID 1304 wrote to memory of 2040 1304 lfrrxfr.exe 42 PID 1304 wrote to memory of 2040 1304 lfrrxfr.exe 42 PID 1304 wrote to memory of 2040 1304 lfrrxfr.exe 42 PID 1304 wrote to memory of 2040 1304 lfrrxfr.exe 42 PID 2040 wrote to memory of 1956 2040 48620.exe 43 PID 2040 wrote to memory of 1956 2040 48620.exe 43 PID 2040 wrote to memory of 1956 2040 48620.exe 43 PID 2040 wrote to memory of 1956 2040 48620.exe 43 PID 1956 wrote to memory of 1744 1956 1pjpd.exe 44 PID 1956 wrote to memory of 1744 1956 1pjpd.exe 44 PID 1956 wrote to memory of 1744 1956 1pjpd.exe 44 PID 1956 wrote to memory of 1744 1956 1pjpd.exe 44 PID 1744 wrote to memory of 1260 1744 8262208.exe 45 PID 1744 wrote to memory of 1260 1744 8262208.exe 45 PID 1744 wrote to memory of 1260 1744 8262208.exe 45 PID 1744 wrote to memory of 1260 1744 8262208.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\430172fab613bc1c2d64c4dc1453aa7c74f48d6209d91da1bbae0330921960a7.exe"C:\Users\Admin\AppData\Local\Temp\430172fab613bc1c2d64c4dc1453aa7c74f48d6209d91da1bbae0330921960a7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\82602.exec:\82602.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\lrflxfl.exec:\lrflxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\i866242.exec:\i866242.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\rlxxfxf.exec:\rlxxfxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\nttbbh.exec:\nttbbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\64884.exec:\64884.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\4206286.exec:\4206286.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\5jddv.exec:\5jddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\20806.exec:\20806.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\bbtbhn.exec:\bbtbhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\lrllxfl.exec:\lrllxfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\lfrrxfr.exec:\lfrrxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\48620.exec:\48620.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\1pjpd.exec:\1pjpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\8262208.exec:\8262208.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\nnhhnt.exec:\nnhhnt.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260 -
\??\c:\g8646.exec:\g8646.exe18⤵
- Executes dropped EXE
PID:996 -
\??\c:\4884242.exec:\4884242.exe19⤵
- Executes dropped EXE
PID:2212 -
\??\c:\04202.exec:\04202.exe20⤵
- Executes dropped EXE
PID:2208 -
\??\c:\26644.exec:\26644.exe21⤵
- Executes dropped EXE
PID:2232 -
\??\c:\820206.exec:\820206.exe22⤵
- Executes dropped EXE
PID:636 -
\??\c:\7htbnb.exec:\7htbnb.exe23⤵
- Executes dropped EXE
PID:2448 -
\??\c:\a0280.exec:\a0280.exe24⤵
- Executes dropped EXE
PID:972 -
\??\c:\60284.exec:\60284.exe25⤵
- Executes dropped EXE
PID:1044 -
\??\c:\rrlxflf.exec:\rrlxflf.exe26⤵
- Executes dropped EXE
PID:1344 -
\??\c:\rrxxxfr.exec:\rrxxxfr.exe27⤵
- Executes dropped EXE
PID:2236 -
\??\c:\ppvvj.exec:\ppvvj.exe28⤵
- Executes dropped EXE
PID:1268 -
\??\c:\046684.exec:\046684.exe29⤵
- Executes dropped EXE
PID:2368 -
\??\c:\nnhnbn.exec:\nnhnbn.exe30⤵
- Executes dropped EXE
PID:864 -
\??\c:\lflfxxx.exec:\lflfxxx.exe31⤵
- Executes dropped EXE
PID:1988 -
\??\c:\i822024.exec:\i822024.exe32⤵
- Executes dropped EXE
PID:1820 -
\??\c:\pvjvp.exec:\pvjvp.exe33⤵
- Executes dropped EXE
PID:1816 -
\??\c:\tbbthn.exec:\tbbthn.exe34⤵
- Executes dropped EXE
PID:2820 -
\??\c:\hhttbn.exec:\hhttbn.exe35⤵
- Executes dropped EXE
PID:2800 -
\??\c:\264646.exec:\264646.exe36⤵
- Executes dropped EXE
PID:1568 -
\??\c:\k66206.exec:\k66206.exe37⤵
- Executes dropped EXE
PID:2916 -
\??\c:\bhbnhn.exec:\bhbnhn.exe38⤵
- Executes dropped EXE
PID:2984 -
\??\c:\pvppd.exec:\pvppd.exe39⤵
- Executes dropped EXE
PID:1960 -
\??\c:\4880406.exec:\4880406.exe40⤵
- Executes dropped EXE
PID:2868 -
\??\c:\ddvdv.exec:\ddvdv.exe41⤵
- Executes dropped EXE
PID:2692 -
\??\c:\044404.exec:\044404.exe42⤵
- Executes dropped EXE
PID:2688 -
\??\c:\lrllxll.exec:\lrllxll.exe43⤵
- Executes dropped EXE
PID:2728 -
\??\c:\hbbthn.exec:\hbbthn.exe44⤵
- Executes dropped EXE
PID:2732 -
\??\c:\6046842.exec:\6046842.exe45⤵
- Executes dropped EXE
PID:2320 -
\??\c:\u260684.exec:\u260684.exe46⤵
- Executes dropped EXE
PID:648 -
\??\c:\xfxfxfr.exec:\xfxfxfr.exe47⤵
- Executes dropped EXE
PID:2260 -
\??\c:\bbhbnb.exec:\bbhbnb.exe48⤵
- Executes dropped EXE
PID:2360 -
\??\c:\08680.exec:\08680.exe49⤵
- Executes dropped EXE
PID:2348 -
\??\c:\26402.exec:\26402.exe50⤵
- Executes dropped EXE
PID:2948 -
\??\c:\284286.exec:\284286.exe51⤵
- Executes dropped EXE
PID:2724 -
\??\c:\86402.exec:\86402.exe52⤵
- Executes dropped EXE
PID:2164 -
\??\c:\3dpvp.exec:\3dpvp.exe53⤵
- Executes dropped EXE
PID:1872 -
\??\c:\u402222.exec:\u402222.exe54⤵
- Executes dropped EXE
PID:1420 -
\??\c:\9xrrxfx.exec:\9xrrxfx.exe55⤵
- Executes dropped EXE
PID:1036 -
\??\c:\5bhhtt.exec:\5bhhtt.exe56⤵
- Executes dropped EXE
PID:2860 -
\??\c:\224068.exec:\224068.exe57⤵
- Executes dropped EXE
PID:1480 -
\??\c:\0428408.exec:\0428408.exe58⤵
- Executes dropped EXE
PID:2192 -
\??\c:\bntnnb.exec:\bntnnb.exe59⤵
- Executes dropped EXE
PID:2224 -
\??\c:\hhtnbt.exec:\hhtnbt.exe60⤵
- Executes dropped EXE
PID:2632 -
\??\c:\7xlflfl.exec:\7xlflfl.exe61⤵
- Executes dropped EXE
PID:1672 -
\??\c:\bbtnbh.exec:\bbtnbh.exe62⤵
- Executes dropped EXE
PID:624 -
\??\c:\c688028.exec:\c688028.exe63⤵
- Executes dropped EXE
PID:2460 -
\??\c:\btntbh.exec:\btntbh.exe64⤵
- Executes dropped EXE
PID:1584 -
\??\c:\pdpjj.exec:\pdpjj.exe65⤵
- Executes dropped EXE
PID:1060 -
\??\c:\tnttnt.exec:\tnttnt.exe66⤵PID:1868
-
\??\c:\htnnbn.exec:\htnnbn.exe67⤵PID:1772
-
\??\c:\fxlrxfl.exec:\fxlrxfl.exe68⤵PID:896
-
\??\c:\20884.exec:\20884.exe69⤵PID:2068
-
\??\c:\9xllrfl.exec:\9xllrfl.exe70⤵PID:2592
-
\??\c:\w42284.exec:\w42284.exe71⤵PID:1808
-
\??\c:\9lrrrrr.exec:\9lrrrrr.exe72⤵PID:2408
-
\??\c:\c088840.exec:\c088840.exe73⤵PID:1832
-
\??\c:\2066880.exec:\2066880.exe74⤵PID:1800
-
\??\c:\4868808.exec:\4868808.exe75⤵PID:2588
-
\??\c:\frflxxf.exec:\frflxxf.exe76⤵PID:1992
-
\??\c:\0862288.exec:\0862288.exe77⤵PID:2816
-
\??\c:\w26866.exec:\w26866.exe78⤵PID:1572
-
\??\c:\u466204.exec:\u466204.exe79⤵PID:2888
-
\??\c:\w20604.exec:\w20604.exe80⤵PID:3060
-
\??\c:\4802402.exec:\4802402.exe81⤵PID:2648
-
\??\c:\8022406.exec:\8022406.exe82⤵PID:2736
-
\??\c:\dvdjv.exec:\dvdjv.exe83⤵PID:2972
-
\??\c:\xrflllx.exec:\xrflllx.exe84⤵PID:2748
-
\??\c:\3nhhhb.exec:\3nhhhb.exe85⤵PID:2204
-
\??\c:\i006406.exec:\i006406.exe86⤵PID:2064
-
\??\c:\3btttt.exec:\3btttt.exe87⤵PID:2908
-
\??\c:\ffxrxfl.exec:\ffxrxfl.exe88⤵PID:1496
-
\??\c:\826204.exec:\826204.exe89⤵PID:2080
-
\??\c:\nbhhnn.exec:\nbhhnn.exe90⤵PID:1448
-
\??\c:\5lffxff.exec:\5lffxff.exe91⤵PID:2580
-
\??\c:\tnbttb.exec:\tnbttb.exe92⤵PID:768
-
\??\c:\pjjjv.exec:\pjjjv.exe93⤵PID:2348
-
\??\c:\646648.exec:\646648.exe94⤵PID:2032
-
\??\c:\btbnbb.exec:\btbnbb.exe95⤵PID:2956
-
\??\c:\dvdpv.exec:\dvdpv.exe96⤵PID:2852
-
\??\c:\082800.exec:\082800.exe97⤵PID:1492
-
\??\c:\jvpvd.exec:\jvpvd.exe98⤵PID:332
-
\??\c:\tnbhtb.exec:\tnbhtb.exe99⤵PID:1036
-
\??\c:\1bntnn.exec:\1bntnn.exe100⤵PID:2860
-
\??\c:\fllxlrf.exec:\fllxlrf.exe101⤵PID:2516
-
\??\c:\bbntbb.exec:\bbntbb.exe102⤵PID:2468
-
\??\c:\xxfxllr.exec:\xxfxllr.exe103⤵PID:2224
-
\??\c:\3pdjd.exec:\3pdjd.exe104⤵PID:2632
-
\??\c:\hhbttn.exec:\hhbttn.exe105⤵PID:2084
-
\??\c:\s8208.exec:\s8208.exe106⤵PID:1620
-
\??\c:\6884006.exec:\6884006.exe107⤵PID:2460
-
\??\c:\868080.exec:\868080.exe108⤵PID:680
-
\??\c:\20426.exec:\20426.exe109⤵PID:1060
-
\??\c:\00402.exec:\00402.exe110⤵PID:1868
-
\??\c:\jppvp.exec:\jppvp.exe111⤵PID:288
-
\??\c:\486468.exec:\486468.exe112⤵PID:1664
-
\??\c:\o606820.exec:\o606820.exe113⤵PID:2068
-
\??\c:\4228024.exec:\4228024.exe114⤵PID:2592
-
\??\c:\0446880.exec:\0446880.exe115⤵PID:1808
-
\??\c:\bnhnbb.exec:\bnhnbb.exe116⤵PID:2408
-
\??\c:\llrxrrx.exec:\llrxrrx.exe117⤵PID:1748
-
\??\c:\dvjvd.exec:\dvjvd.exe118⤵PID:2992
-
\??\c:\vddjj.exec:\vddjj.exe119⤵PID:1740
-
\??\c:\rrrfrff.exec:\rrrfrff.exe120⤵PID:1688
-
\??\c:\jdpvv.exec:\jdpvv.exe121⤵PID:1564
-
\??\c:\4424624.exec:\4424624.exe122⤵PID:1680