Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 15:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe
-
Size
453KB
-
MD5
7b13c325b4816296c67343bead78647f
-
SHA1
36edad457e248e5f90af82b53f9d604dcf027eef
-
SHA256
e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f
-
SHA512
c1673e203329c17c9d19a942126538ce1e3d2d78eca523ea54596099337eaaf12912a251a785db966f862c28b2849302fb7717f4c0b82e45286b39c29ee5e647
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2032-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-102-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2908-109-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2908-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-134-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1520-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-143-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2136-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3004-170-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3004-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1268-197-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1088-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-247-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1728-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-570-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2000-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-610-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2912-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-690-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon 
behavioral1/memory/1672-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-805-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2544-854-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2644-943-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1816-980-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1700-999-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-1212-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1896 dvjpv.exe 2536 1jjvd.exe 2684 20026.exe 2920 04028.exe 2728 xfxrlrx.exe 3040 llfrfrl.exe 3028 6028002.exe 2832 4200282.exe 2772 24884.exe 2616 042022.exe 2908 5hnhtn.exe 580 nhbbtt.exe 1520 820200.exe 2136 lfxrxlf.exe 1528 xxrrflx.exe 1208 82406.exe 3004 8222446.exe 2444 bnhtbh.exe 2144 i688888.exe 1268 c084006.exe 1772 rlflxxx.exe 2008 nnhntn.exe 1088 08402.exe 672 hhbnbh.exe 1984 vvpvp.exe 1660 5llfrrf.exe 960 xlfrflx.exe 1880 220240.exe 1728 426622.exe 1000 486800.exe 1628 882866.exe 2372 ddvvj.exe 3036 nhnhbb.exe 2344 vdvjd.exe 2404 3djjj.exe 1960 648464.exe 2340 3bthth.exe 536 26624.exe 2804 44404.exe 2728 20200.exe 3040 fxrrllr.exe 2732 3vppd.exe 2640 1dvvd.exe 2648 xrrrrlr.exe 2600 20220.exe 2644 ttnbhh.exe 2616 thtbhn.exe 2720 rlxxfxl.exe 2688 04806.exe 1672 20846.exe 1616 3nbhnt.exe 1520 86884.exe 2868 2044000.exe 1700 jdvdv.exe 2964 48624.exe 2972 0866668.exe 2932 3thbhh.exe 2064 w68444.exe 2444 84088.exe 1168 i624680.exe 2540 i244480.exe 2076 9lxxffr.exe 1772 0608244.exe 1680 3lxflxx.exe -
resource yara_rule behavioral1/memory/2032-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-109-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2908-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-320-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2340-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-934-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2644-943-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2460-955-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-1036-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-1049-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-1086-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-1154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-1205-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4206680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fllrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6800622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q02226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
ddpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2032 wrote to memory of 1896 2032 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 30 PID 2032 wrote to memory of 1896 2032 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 30 PID 2032 wrote to memory of 1896 2032 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 30 PID 2032 wrote to memory of 1896 2032 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 30 PID 1896 wrote to memory of 2536 1896 dvjpv.exe 31 PID 1896 wrote to memory of 2536 1896 dvjpv.exe 31 PID 1896 wrote to memory of 2536 1896 dvjpv.exe 31 PID 1896 wrote to memory of 2536 1896 dvjpv.exe 31 PID 2536 wrote to memory of 2684 2536 1jjvd.exe 32 PID 2536 wrote to memory of 2684 2536 1jjvd.exe 32 PID 2536 wrote to memory of 2684 2536 1jjvd.exe 32 PID 2536 wrote to memory of 2684 2536 1jjvd.exe 32 PID 2684 wrote to memory of 2920 2684 20026.exe 33 PID 2684 wrote to memory of 2920 2684 20026.exe 33 PID 2684 wrote to memory of 2920 2684 20026.exe 33 PID 2684 wrote to memory of 2920 2684 20026.exe 33 PID 2920 wrote to memory of 2728 2920 04028.exe 34 PID 2920 wrote to memory of 2728 2920 04028.exe 34 PID 2920 wrote to memory of 2728 2920 04028.exe 34 PID 2920 wrote to memory of 2728 2920 04028.exe 34 PID 2728 wrote to memory of 3040 2728 xfxrlrx.exe 35 PID 2728 wrote to memory of 3040 2728 xfxrlrx.exe 35 PID 2728 wrote to memory of 3040 2728 xfxrlrx.exe 35 PID 2728 wrote to memory of 3040 2728 xfxrlrx.exe 35 PID 3040 wrote to memory of 3028 3040 llfrfrl.exe 36 PID 3040 wrote to memory of 3028 3040 llfrfrl.exe 36 PID 3040 wrote to memory of 3028 3040 llfrfrl.exe 36 PID 3040 wrote to memory of 3028 3040 llfrfrl.exe 36 PID 3028 wrote to memory of 2832 3028 6028002.exe 37 PID 3028 wrote to memory of 2832 3028 6028002.exe 37 PID 3028 wrote to memory of 2832 3028 6028002.exe 37 PID 3028 wrote to memory of 2832 3028 6028002.exe 37 PID 2832 wrote to memory of 2772 2832 4200282.exe 38 PID 2832 wrote 
to memory of 2772 2832 4200282.exe 38 PID 2832 wrote to memory of 2772 2832 4200282.exe 38 PID 2832 wrote to memory of 2772 2832 4200282.exe 38 PID 2772 wrote to memory of 2616 2772 24884.exe 39 PID 2772 wrote to memory of 2616 2772 24884.exe 39 PID 2772 wrote to memory of 2616 2772 24884.exe 39 PID 2772 wrote to memory of 2616 2772 24884.exe 39 PID 2616 wrote to memory of 2908 2616 042022.exe 40 PID 2616 wrote to memory of 2908 2616 042022.exe 40 PID 2616 wrote to memory of 2908 2616 042022.exe 40 PID 2616 wrote to memory of 2908 2616 042022.exe 40 PID 2908 wrote to memory of 580 2908 5hnhtn.exe 41 PID 2908 wrote to memory of 580 2908 5hnhtn.exe 41 PID 2908 wrote to memory of 580 2908 5hnhtn.exe 41 PID 2908 wrote to memory of 580 2908 5hnhtn.exe 41 PID 580 wrote to memory of 1520 580 nhbbtt.exe 42 PID 580 wrote to memory of 1520 580 nhbbtt.exe 42 PID 580 wrote to memory of 1520 580 nhbbtt.exe 42 PID 580 wrote to memory of 1520 580 nhbbtt.exe 42 PID 1520 wrote to memory of 2136 1520 820200.exe 43 PID 1520 wrote to memory of 2136 1520 820200.exe 43 PID 1520 wrote to memory of 2136 1520 820200.exe 43 PID 1520 wrote to memory of 2136 1520 820200.exe 43 PID 2136 wrote to memory of 1528 2136 lfxrxlf.exe 44 PID 2136 wrote to memory of 1528 2136 lfxrxlf.exe 44 PID 2136 wrote to memory of 1528 2136 lfxrxlf.exe 44 PID 2136 wrote to memory of 1528 2136 lfxrxlf.exe 44 PID 1528 wrote to memory of 1208 1528 xxrrflx.exe 45 PID 1528 wrote to memory of 1208 1528 xxrrflx.exe 45 PID 1528 wrote to memory of 1208 1528 xxrrflx.exe 45 PID 1528 wrote to memory of 1208 1528 xxrrflx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe"C:\Users\Admin\AppData\Local\Temp\e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\dvjpv.exec:\dvjpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\1jjvd.exec:\1jjvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\20026.exec:\20026.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\04028.exec:\04028.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\xfxrlrx.exec:\xfxrlrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\llfrfrl.exec:\llfrfrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\6028002.exec:\6028002.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\4200282.exec:\4200282.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\24884.exec:\24884.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\042022.exec:\042022.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\5hnhtn.exec:\5hnhtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\nhbbtt.exec:\nhbbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\820200.exec:\820200.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\lfxrxlf.exec:\lfxrxlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\xxrrflx.exec:\xxrrflx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\82406.exec:\82406.exe17⤵
- Executes dropped EXE
PID:1208 -
\??\c:\8222446.exec:\8222446.exe18⤵
- Executes dropped EXE
PID:3004 -
\??\c:\bnhtbh.exec:\bnhtbh.exe19⤵
- Executes dropped EXE
PID:2444 -
\??\c:\i688888.exec:\i688888.exe20⤵
- Executes dropped EXE
PID:2144 -
\??\c:\c084006.exec:\c084006.exe21⤵
- Executes dropped EXE
PID:1268 -
\??\c:\rlflxxx.exec:\rlflxxx.exe22⤵
- Executes dropped EXE
PID:1772 -
\??\c:\nnhntn.exec:\nnhntn.exe23⤵
- Executes dropped EXE
PID:2008 -
\??\c:\08402.exec:\08402.exe24⤵
- Executes dropped EXE
PID:1088 -
\??\c:\hhbnbh.exec:\hhbnbh.exe25⤵
- Executes dropped EXE
PID:672 -
\??\c:\vvpvp.exec:\vvpvp.exe26⤵
- Executes dropped EXE
PID:1984 -
\??\c:\5llfrrf.exec:\5llfrrf.exe27⤵
- Executes dropped EXE
PID:1660 -
\??\c:\xlfrflx.exec:\xlfrflx.exe28⤵
- Executes dropped EXE
PID:960 -
\??\c:\220240.exec:\220240.exe29⤵
- Executes dropped EXE
PID:1880 -
\??\c:\426622.exec:\426622.exe30⤵
- Executes dropped EXE
PID:1728 -
\??\c:\486800.exec:\486800.exe31⤵
- Executes dropped EXE
PID:1000 -
\??\c:\882866.exec:\882866.exe32⤵
- Executes dropped EXE
PID:1628 -
\??\c:\ddvvj.exec:\ddvvj.exe33⤵
- Executes dropped EXE
PID:2372 -
\??\c:\nhnhbb.exec:\nhnhbb.exe34⤵
- Executes dropped EXE
PID:3036 -
\??\c:\vdvjd.exec:\vdvjd.exe35⤵
- Executes dropped EXE
PID:2344 -
\??\c:\3djjj.exec:\3djjj.exe36⤵
- Executes dropped EXE
PID:2404 -
\??\c:\648464.exec:\648464.exe37⤵
- Executes dropped EXE
PID:1960 -
\??\c:\3bthth.exec:\3bthth.exe38⤵
- Executes dropped EXE
PID:2340 -
\??\c:\26624.exec:\26624.exe39⤵
- Executes dropped EXE
PID:536 -
\??\c:\44404.exec:\44404.exe40⤵
- Executes dropped EXE
PID:2804 -
\??\c:\20200.exec:\20200.exe41⤵
- Executes dropped EXE
PID:2728 -
\??\c:\fxrrllr.exec:\fxrrllr.exe42⤵
- Executes dropped EXE
PID:3040 -
\??\c:\3vppd.exec:\3vppd.exe43⤵
- Executes dropped EXE
PID:2732 -
\??\c:\1dvvd.exec:\1dvvd.exe44⤵
- Executes dropped EXE
PID:2640 -
\??\c:\xrrrrlr.exec:\xrrrrlr.exe45⤵
- Executes dropped EXE
PID:2648 -
\??\c:\20220.exec:\20220.exe46⤵
- Executes dropped EXE
PID:2600 -
\??\c:\ttnbhh.exec:\ttnbhh.exe47⤵
- Executes dropped EXE
PID:2644 -
\??\c:\thtbhn.exec:\thtbhn.exe48⤵
- Executes dropped EXE
PID:2616 -
\??\c:\rlxxfxl.exec:\rlxxfxl.exe49⤵
- Executes dropped EXE
PID:2720 -
\??\c:\04806.exec:\04806.exe50⤵
- Executes dropped EXE
PID:2688 -
\??\c:\20846.exec:\20846.exe51⤵
- Executes dropped EXE
PID:1672 -
\??\c:\3nbhnt.exec:\3nbhnt.exe52⤵
- Executes dropped EXE
PID:1616 -
\??\c:\86884.exec:\86884.exe53⤵
- Executes dropped EXE
PID:1520 -
\??\c:\2044000.exec:\2044000.exe54⤵
- Executes dropped EXE
PID:2868 -
\??\c:\jdvdv.exec:\jdvdv.exe55⤵
- Executes dropped EXE
PID:1700 -
\??\c:\48624.exec:\48624.exe56⤵
- Executes dropped EXE
PID:2964 -
\??\c:\0866668.exec:\0866668.exe57⤵
- Executes dropped EXE
PID:2972 -
\??\c:\3thbhh.exec:\3thbhh.exe58⤵
- Executes dropped EXE
PID:2932 -
\??\c:\w68444.exec:\w68444.exe59⤵
- Executes dropped EXE
PID:2064 -
\??\c:\84088.exec:\84088.exe60⤵
- Executes dropped EXE
PID:2444 -
\??\c:\i624680.exec:\i624680.exe61⤵
- Executes dropped EXE
PID:1168 -
\??\c:\i244480.exec:\i244480.exe62⤵
- Executes dropped EXE
PID:2540 -
\??\c:\9lxxffr.exec:\9lxxffr.exe63⤵
- Executes dropped EXE
PID:2076 -
\??\c:\0608244.exec:\0608244.exe64⤵
- Executes dropped EXE
PID:1772 -
\??\c:\3lxflxx.exec:\3lxflxx.exe65⤵
- Executes dropped EXE
PID:1680 -
\??\c:\fxlrxxl.exec:\fxlrxxl.exe66⤵PID:1688
-
\??\c:\64628.exec:\64628.exe67⤵PID:872
-
\??\c:\xlxxfff.exec:\xlxxfff.exe68⤵PID:1008
-
\??\c:\nbtbtn.exec:\nbtbtn.exe69⤵PID:1696
-
\??\c:\8600280.exec:\8600280.exe70⤵PID:3064
-
\??\c:\nnhnbh.exec:\nnhnbh.exe71⤵PID:788
-
\??\c:\fxfrrrx.exec:\fxfrrrx.exe72⤵PID:2388
-
\??\c:\862240.exec:\862240.exe73⤵PID:784
-
\??\c:\lflrxxf.exec:\lflrxxf.exe74⤵PID:1728
-
\??\c:\hnbhnt.exec:\hnbhnt.exe75⤵PID:2208
-
\??\c:\dpvvd.exec:\dpvvd.exe76⤵PID:2228
-
\??\c:\482426.exec:\482426.exe77⤵PID:2372
-
\??\c:\0802400.exec:\0802400.exe78⤵PID:2000
-
\??\c:\m6484.exec:\m6484.exe79⤵PID:1584
-
\??\c:\04246.exec:\04246.exe80⤵PID:328
-
\??\c:\9nnnbn.exec:\9nnnbn.exe81⤵PID:1300
-
\??\c:\7lxlrfl.exec:\7lxlrfl.exe82⤵PID:1864
-
\??\c:\202024.exec:\202024.exe83⤵PID:2796
-
\??\c:\o640840.exec:\o640840.exe84⤵PID:2704
-
\??\c:\o046224.exec:\o046224.exe85⤵PID:2880
-
\??\c:\4006642.exec:\4006642.exe86⤵PID:2912
-
\??\c:\3lfxflr.exec:\3lfxflr.exe87⤵PID:2192
-
\??\c:\2202468.exec:\2202468.exe88⤵PID:2768
-
\??\c:\ppvpp.exec:\ppvpp.exe89⤵
- System Location Discovery: System Language Discovery
PID:2656 -
\??\c:\jpjvj.exec:\jpjvj.exe90⤵PID:2664
-
\??\c:\dvdjv.exec:\dvdjv.exe91⤵PID:2620
-
\??\c:\6646886.exec:\6646886.exe92⤵PID:2460
-
\??\c:\08824.exec:\08824.exe93⤵PID:2720
-
\??\c:\u646846.exec:\u646846.exe94⤵PID:2844
-
\??\c:\k26862.exec:\k26862.exe95⤵PID:1672
-
\??\c:\bthntt.exec:\bthntt.exe96⤵PID:1860
-
\??\c:\w08066.exec:\w08066.exe97⤵PID:2992
-
\??\c:\i262064.exec:\i262064.exe98⤵PID:712
-
\??\c:\426684.exec:\426684.exe99⤵PID:2028
-
\??\c:\7lrfrrf.exec:\7lrfrrf.exe100⤵PID:2944
-
\??\c:\5lxxfrx.exec:\5lxxfrx.exe101⤵PID:1752
-
\??\c:\880240.exec:\880240.exe102⤵PID:1408
-
\??\c:\e20062.exec:\e20062.exe103⤵PID:2064
-
\??\c:\xrlfrxl.exec:\xrlfrxl.exe104⤵PID:2444
-
\??\c:\i846446.exec:\i846446.exe105⤵PID:1168
-
\??\c:\fflrlrx.exec:\fflrlrx.exe106⤵PID:1704
-
\??\c:\vpvpd.exec:\vpvpd.exe107⤵PID:968
-
\??\c:\1pdjp.exec:\1pdjp.exe108⤵PID:1792
-
\??\c:\pddvj.exec:\pddvj.exe109⤵PID:1252
-
\??\c:\9ttbbh.exec:\9ttbbh.exe110⤵PID:1688
-
\??\c:\vjvvv.exec:\vjvvv.exe111⤵PID:1316
-
\??\c:\c240440.exec:\c240440.exe112⤵PID:1008
-
\??\c:\rlxllfl.exec:\rlxllfl.exe113⤵PID:704
-
\??\c:\jpdjp.exec:\jpdjp.exe114⤵PID:3064
-
\??\c:\004640.exec:\004640.exe115⤵PID:2516
-
\??\c:\8640686.exec:\8640686.exe116⤵PID:2388
-
\??\c:\040466.exec:\040466.exe117⤵PID:1488
-
\??\c:\042200.exec:\042200.exe118⤵PID:1684
-
\??\c:\040844.exec:\040844.exe119⤵PID:2544
-
\??\c:\fxlrrxx.exec:\fxlrrxx.exe120⤵PID:1324
-
\??\c:\0240000.exec:\0240000.exe121⤵PID:3020
-
\??\c:\864026.exec:\864026.exe122⤵PID:1596