Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 17:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
46ee281d7fbe89a366ca00818d6a37a622b75f732973bb1496b7cfbe6db912e8.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
46ee281d7fbe89a366ca00818d6a37a622b75f732973bb1496b7cfbe6db912e8.exe
-
Size
454KB
-
MD5
e20b07bb78a0c3a48d80d994695c1d4f
-
SHA1
0851e7d9a5206c32f45d01fae9ff4f5d0498aa8e
-
SHA256
46ee281d7fbe89a366ca00818d6a37a622b75f732973bb1496b7cfbe6db912e8
-
SHA512
8d0275e0a9b24424796ac7f36445f09714fa56e0786f35fb20a8c19414a80b66939cce365f3fb8b0ef8f534d0c6b384ba07daa1b6a17a3718f1a545720f3445f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2384-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-87-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-123-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1984-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1972-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-371-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2268-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-425-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/328-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-446-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2352-449-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2940-486-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-562-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2872-612-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2624-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2916-737-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2432-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1212-965-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2976-990-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2524 3vpdv.exe 2200 c868446.exe 2828 1pddj.exe 2016 tnhhtb.exe 2864 22046.exe 3008 rrflrlr.exe 2844 044028.exe 2636 fxrlrrl.exe 1656 flrxxfr.exe 2688 fxxxllf.exe 2208 rrfrxrf.exe 876 ffflxfx.exe 1984 xrfllrl.exe 1364 jdpjp.exe 1496 e24444.exe 1228 9ddjp.exe 800 jpdvd.exe 1516 lrlxrrx.exe 2984 044266.exe 2336 8622880.exe 2120 9nntnn.exe 276 6428664.exe 2672 6028402.exe 1708 xrrrxxf.exe 1980 28286.exe 936 0468406.exe 3000 rlxfrxx.exe 1484 7nbhnn.exe 1164 20224.exe 1972 82280.exe 1748 tnhntb.exe 1504 hhbntt.exe 2168 080688.exe 2692 864662.exe 2132 2684664.exe 2760 046244.exe 2300 rrrxllx.exe 2856 pjpvp.exe 2620 1tnbhn.exe 2804 g8286.exe 2812 7xrxflx.exe 2652 408626.exe 2608 jdvdp.exe 2268 0006886.exe 2376 tnhhnn.exe 2408 4480262.exe 1032 pjddv.exe 1248 2606802.exe 1100 0468400.exe 1984 hbtttt.exe 2352 3ppdd.exe 328 hhhntb.exe 1868 ddddd.exe 2892 042800.exe 1360 pjvdv.exe 2940 rllrxfr.exe 2156 ntnbhh.exe 1908 688682.exe 2420 8244006.exe 2504 8688406.exe 1916 nhtbhb.exe 1888 06242.exe 2184 lxxfllx.exe 1736 xrffrrf.exe -
resource yara_rule behavioral1/memory/2384-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-312-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2856-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-449-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2504-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-866-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2852-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-922-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-1157-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2896-1158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-1263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-1313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-1320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-1327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-1352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-1365-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run it is observed as the dropped executables opening the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; entries attributed to "Process not Found" are reads whose originating process had already exited before the sandbox could resolve it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w02022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w64026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688484.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8884880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4262402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c082228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2640280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i684044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2524 2384 46ee281d7fbe89a366ca00818d6a37a622b75f732973bb1496b7cfbe6db912e8.exe 30 PID 2384 wrote to memory of 2524 2384 46ee281d7fbe89a366ca00818d6a37a622b75f732973bb1496b7cfbe6db912e8.exe 30 PID 2384 wrote to memory of 2524 2384 46ee281d7fbe89a366ca00818d6a37a622b75f732973bb1496b7cfbe6db912e8.exe 30 PID 2384 wrote to memory of 2524 2384 46ee281d7fbe89a366ca00818d6a37a622b75f732973bb1496b7cfbe6db912e8.exe 30 PID 2524 wrote to memory of 2200 2524 3vpdv.exe 31 PID 2524 wrote to memory of 2200 2524 3vpdv.exe 31 PID 2524 wrote to memory of 2200 2524 3vpdv.exe 31 PID 2524 wrote to memory of 2200 2524 3vpdv.exe 31 PID 2200 wrote to memory of 2828 2200 c868446.exe 32 PID 2200 wrote to memory of 2828 2200 c868446.exe 32 PID 2200 wrote to memory of 2828 2200 c868446.exe 32 PID 2200 wrote to memory of 2828 2200 c868446.exe 32 PID 2828 wrote to memory of 2016 2828 1pddj.exe 33 PID 2828 wrote to memory of 2016 2828 1pddj.exe 33 PID 2828 wrote to memory of 2016 2828 1pddj.exe 33 PID 2828 wrote to memory of 2016 2828 1pddj.exe 33 PID 2016 wrote to memory of 2864 2016 tnhhtb.exe 34 PID 2016 wrote to memory of 2864 2016 tnhhtb.exe 34 PID 2016 wrote to memory of 2864 2016 tnhhtb.exe 34 PID 2016 wrote to memory of 2864 2016 tnhhtb.exe 34 PID 2864 wrote to memory of 3008 2864 22046.exe 35 PID 2864 wrote to memory of 3008 2864 22046.exe 35 PID 2864 wrote to memory of 3008 2864 22046.exe 35 PID 2864 wrote to memory of 3008 2864 22046.exe 35 PID 3008 wrote to memory of 2844 3008 rrflrlr.exe 36 PID 3008 wrote to memory of 2844 3008 rrflrlr.exe 36 PID 3008 wrote to memory of 2844 3008 rrflrlr.exe 36 PID 3008 wrote to memory of 2844 3008 rrflrlr.exe 36 PID 2844 wrote to memory of 2636 2844 044028.exe 37 PID 2844 wrote to memory of 2636 2844 044028.exe 37 PID 2844 wrote to memory of 2636 2844 044028.exe 37 PID 2844 wrote to memory of 2636 2844 044028.exe 37 PID 2636 wrote to memory of 1656 2636 fxrlrrl.exe 38 PID 2636 wrote 
to memory of 1656 2636 fxrlrrl.exe 38 PID 2636 wrote to memory of 1656 2636 fxrlrrl.exe 38 PID 2636 wrote to memory of 1656 2636 fxrlrrl.exe 38 PID 1656 wrote to memory of 2688 1656 flrxxfr.exe 39 PID 1656 wrote to memory of 2688 1656 flrxxfr.exe 39 PID 1656 wrote to memory of 2688 1656 flrxxfr.exe 39 PID 1656 wrote to memory of 2688 1656 flrxxfr.exe 39 PID 2688 wrote to memory of 2208 2688 fxxxllf.exe 40 PID 2688 wrote to memory of 2208 2688 fxxxllf.exe 40 PID 2688 wrote to memory of 2208 2688 fxxxllf.exe 40 PID 2688 wrote to memory of 2208 2688 fxxxllf.exe 40 PID 2208 wrote to memory of 876 2208 rrfrxrf.exe 41 PID 2208 wrote to memory of 876 2208 rrfrxrf.exe 41 PID 2208 wrote to memory of 876 2208 rrfrxrf.exe 41 PID 2208 wrote to memory of 876 2208 rrfrxrf.exe 41 PID 876 wrote to memory of 1984 876 ffflxfx.exe 42 PID 876 wrote to memory of 1984 876 ffflxfx.exe 42 PID 876 wrote to memory of 1984 876 ffflxfx.exe 42 PID 876 wrote to memory of 1984 876 ffflxfx.exe 42 PID 1984 wrote to memory of 1364 1984 xrfllrl.exe 43 PID 1984 wrote to memory of 1364 1984 xrfllrl.exe 43 PID 1984 wrote to memory of 1364 1984 xrfllrl.exe 43 PID 1984 wrote to memory of 1364 1984 xrfllrl.exe 43 PID 1364 wrote to memory of 1496 1364 jdpjp.exe 44 PID 1364 wrote to memory of 1496 1364 jdpjp.exe 44 PID 1364 wrote to memory of 1496 1364 jdpjp.exe 44 PID 1364 wrote to memory of 1496 1364 jdpjp.exe 44 PID 1496 wrote to memory of 1228 1496 e24444.exe 45 PID 1496 wrote to memory of 1228 1496 e24444.exe 45 PID 1496 wrote to memory of 1228 1496 e24444.exe 45 PID 1496 wrote to memory of 1228 1496 e24444.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\46ee281d7fbe89a366ca00818d6a37a622b75f732973bb1496b7cfbe6db912e8.exe"C:\Users\Admin\AppData\Local\Temp\46ee281d7fbe89a366ca00818d6a37a622b75f732973bb1496b7cfbe6db912e8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\3vpdv.exec:\3vpdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\c868446.exec:\c868446.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\1pddj.exec:\1pddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\tnhhtb.exec:\tnhhtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\22046.exec:\22046.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\rrflrlr.exec:\rrflrlr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\044028.exec:\044028.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\fxrlrrl.exec:\fxrlrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\flrxxfr.exec:\flrxxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\fxxxllf.exec:\fxxxllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\rrfrxrf.exec:\rrfrxrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\ffflxfx.exec:\ffflxfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\xrfllrl.exec:\xrfllrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\jdpjp.exec:\jdpjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\e24444.exec:\e24444.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\9ddjp.exec:\9ddjp.exe17⤵
- Executes dropped EXE
PID:1228 -
\??\c:\jpdvd.exec:\jpdvd.exe18⤵
- Executes dropped EXE
PID:800 -
\??\c:\lrlxrrx.exec:\lrlxrrx.exe19⤵
- Executes dropped EXE
PID:1516 -
\??\c:\044266.exec:\044266.exe20⤵
- Executes dropped EXE
PID:2984 -
\??\c:\8622880.exec:\8622880.exe21⤵
- Executes dropped EXE
PID:2336 -
\??\c:\9nntnn.exec:\9nntnn.exe22⤵
- Executes dropped EXE
PID:2120 -
\??\c:\6428664.exec:\6428664.exe23⤵
- Executes dropped EXE
PID:276 -
\??\c:\6028402.exec:\6028402.exe24⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xrrrxxf.exec:\xrrrxxf.exe25⤵
- Executes dropped EXE
PID:1708 -
\??\c:\28286.exec:\28286.exe26⤵
- Executes dropped EXE
PID:1980 -
\??\c:\0468406.exec:\0468406.exe27⤵
- Executes dropped EXE
PID:936 -
\??\c:\rlxfrxx.exec:\rlxfrxx.exe28⤵
- Executes dropped EXE
PID:3000 -
\??\c:\7nbhnn.exec:\7nbhnn.exe29⤵
- Executes dropped EXE
PID:1484 -
\??\c:\20224.exec:\20224.exe30⤵
- Executes dropped EXE
PID:1164 -
\??\c:\82280.exec:\82280.exe31⤵
- Executes dropped EXE
PID:1972 -
\??\c:\tnhntb.exec:\tnhntb.exe32⤵
- Executes dropped EXE
PID:1748 -
\??\c:\hhbntt.exec:\hhbntt.exe33⤵
- Executes dropped EXE
PID:1504 -
\??\c:\080688.exec:\080688.exe34⤵
- Executes dropped EXE
PID:2168 -
\??\c:\864662.exec:\864662.exe35⤵
- Executes dropped EXE
PID:2692 -
\??\c:\2684664.exec:\2684664.exe36⤵
- Executes dropped EXE
PID:2132 -
\??\c:\046244.exec:\046244.exe37⤵
- Executes dropped EXE
PID:2760 -
\??\c:\rrrxllx.exec:\rrrxllx.exe38⤵
- Executes dropped EXE
PID:2300 -
\??\c:\pjpvp.exec:\pjpvp.exe39⤵
- Executes dropped EXE
PID:2856 -
\??\c:\1tnbhn.exec:\1tnbhn.exe40⤵
- Executes dropped EXE
PID:2620 -
\??\c:\g8286.exec:\g8286.exe41⤵
- Executes dropped EXE
PID:2804 -
\??\c:\7xrxflx.exec:\7xrxflx.exe42⤵
- Executes dropped EXE
PID:2812 -
\??\c:\408626.exec:\408626.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\jdvdp.exec:\jdvdp.exe44⤵
- Executes dropped EXE
PID:2608 -
\??\c:\0006886.exec:\0006886.exe45⤵
- Executes dropped EXE
PID:2268 -
\??\c:\tnhhnn.exec:\tnhhnn.exe46⤵
- Executes dropped EXE
PID:2376 -
\??\c:\4480262.exec:\4480262.exe47⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pjddv.exec:\pjddv.exe48⤵
- Executes dropped EXE
PID:1032 -
\??\c:\2606802.exec:\2606802.exe49⤵
- Executes dropped EXE
PID:1248 -
\??\c:\0468400.exec:\0468400.exe50⤵
- Executes dropped EXE
PID:1100 -
\??\c:\hbtttt.exec:\hbtttt.exe51⤵
- Executes dropped EXE
PID:1984 -
\??\c:\3ppdd.exec:\3ppdd.exe52⤵
- Executes dropped EXE
PID:2352 -
\??\c:\hhhntb.exec:\hhhntb.exe53⤵
- Executes dropped EXE
PID:328 -
\??\c:\ddddd.exec:\ddddd.exe54⤵
- Executes dropped EXE
PID:1868 -
\??\c:\042800.exec:\042800.exe55⤵
- Executes dropped EXE
PID:2892 -
\??\c:\pjvdv.exec:\pjvdv.exe56⤵
- Executes dropped EXE
PID:1360 -
\??\c:\rllrxfr.exec:\rllrxfr.exe57⤵
- Executes dropped EXE
PID:2940 -
\??\c:\ntnbhh.exec:\ntnbhh.exe58⤵
- Executes dropped EXE
PID:2156 -
\??\c:\688682.exec:\688682.exe59⤵
- Executes dropped EXE
PID:1908 -
\??\c:\8244006.exec:\8244006.exe60⤵
- Executes dropped EXE
PID:2420 -
\??\c:\8688406.exec:\8688406.exe61⤵
- Executes dropped EXE
PID:2504 -
\??\c:\nhtbhb.exec:\nhtbhb.exe62⤵
- Executes dropped EXE
PID:1916 -
\??\c:\06242.exec:\06242.exe63⤵
- Executes dropped EXE
PID:1888 -
\??\c:\lxxfllx.exec:\lxxfllx.exe64⤵
- Executes dropped EXE
PID:2184 -
\??\c:\xrffrrf.exec:\xrffrrf.exe65⤵
- Executes dropped EXE
PID:1736 -
\??\c:\btttbh.exec:\btttbh.exe66⤵PID:908
-
\??\c:\ttnbhb.exec:\ttnbhb.exe67⤵PID:2424
-
\??\c:\0428028.exec:\0428028.exe68⤵PID:2552
-
\??\c:\ttntht.exec:\ttntht.exe69⤵PID:2140
-
\??\c:\fxxfxlr.exec:\fxxfxlr.exe70⤵PID:1972
-
\??\c:\hhbthn.exec:\hhbthn.exe71⤵PID:2548
-
\??\c:\264406.exec:\264406.exe72⤵PID:2416
-
\??\c:\hbtbtn.exec:\hbtbtn.exe73⤵PID:3068
-
\??\c:\822462.exec:\822462.exe74⤵PID:1536
-
\??\c:\a4846.exec:\a4846.exe75⤵PID:2176
-
\??\c:\0866886.exec:\0866886.exe76⤵PID:2192
-
\??\c:\42668.exec:\42668.exe77⤵PID:2160
-
\??\c:\7lfrxxl.exec:\7lfrxxl.exe78⤵PID:2704
-
\??\c:\4268446.exec:\4268446.exe79⤵PID:2772
-
\??\c:\a4222.exec:\a4222.exe80⤵PID:2852
-
\??\c:\u862846.exec:\u862846.exe81⤵PID:2872
-
\??\c:\820026.exec:\820026.exe82⤵PID:2732
-
\??\c:\642666.exec:\642666.exe83⤵PID:2896
-
\??\c:\bttnhb.exec:\bttnhb.exe84⤵PID:2788
-
\??\c:\vvjjj.exec:\vvjjj.exe85⤵PID:2588
-
\??\c:\btbttn.exec:\btbttn.exe86⤵PID:2624
-
\??\c:\0400668.exec:\0400668.exe87⤵PID:2676
-
\??\c:\g4202.exec:\g4202.exe88⤵PID:916
-
\??\c:\048406.exec:\048406.exe89⤵PID:636
-
\??\c:\k20268.exec:\k20268.exe90⤵PID:2968
-
\??\c:\vppvj.exec:\vppvj.exe91⤵PID:2960
-
\??\c:\8606668.exec:\8606668.exe92⤵PID:792
-
\??\c:\6406262.exec:\6406262.exe93⤵PID:1448
-
\??\c:\1nnnbb.exec:\1nnnbb.exe94⤵PID:1648
-
\??\c:\llffflr.exec:\llffflr.exe95⤵PID:2904
-
\??\c:\3pvjj.exec:\3pvjj.exe96⤵PID:1612
-
\??\c:\8268002.exec:\8268002.exe97⤵PID:1868
-
\??\c:\4840624.exec:\4840624.exe98⤵PID:1012
-
\??\c:\dvvjv.exec:\dvvjv.exe99⤵PID:1076
-
\??\c:\7thtbh.exec:\7thtbh.exe100⤵
- System Location Discovery: System Language Discovery
PID:2712 -
\??\c:\k20066.exec:\k20066.exe101⤵PID:2916
-
\??\c:\hthnbt.exec:\hthnbt.exe102⤵PID:1780
-
\??\c:\tnthbb.exec:\tnthbb.exe103⤵PID:2432
-
\??\c:\602804.exec:\602804.exe104⤵PID:1792
-
\??\c:\btntnn.exec:\btntnn.exe105⤵PID:1588
-
\??\c:\5xlrrxf.exec:\5xlrrxf.exe106⤵PID:2280
-
\??\c:\vppvj.exec:\vppvj.exe107⤵PID:1932
-
\??\c:\0460668.exec:\0460668.exe108⤵PID:1488
-
\??\c:\e44888.exec:\e44888.exe109⤵PID:236
-
\??\c:\4868064.exec:\4868064.exe110⤵PID:3048
-
\??\c:\44224.exec:\44224.exe111⤵PID:2532
-
\??\c:\2642406.exec:\2642406.exe112⤵PID:1288
-
\??\c:\028882.exec:\028882.exe113⤵PID:1944
-
\??\c:\vpppv.exec:\vpppv.exe114⤵PID:2360
-
\??\c:\5rfllrr.exec:\5rfllrr.exe115⤵PID:2384
-
\??\c:\dvpdj.exec:\dvpdj.exe116⤵
- System Location Discovery: System Language Discovery
PID:348 -
\??\c:\202840.exec:\202840.exe117⤵PID:2356
-
\??\c:\e60644.exec:\e60644.exe118⤵PID:2028
-
\??\c:\m0806.exec:\m0806.exe119⤵PID:2972
-
\??\c:\60842.exec:\60842.exe120⤵PID:2692
-
\??\c:\c428846.exec:\c428846.exe121⤵PID:2132
-
\??\c:\9bnbhn.exec:\9bnbhn.exe122⤵PID:2772