Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 18:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe
-
Size
456KB
-
MD5
ec932e8e3ef108163b764c2b27819930
-
SHA1
d5014c39f319b83c0c00b2377799635c19c5cd1b
-
SHA256
3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854cc
-
SHA512
a29d2f6cca5dc0ec66bef4f5b8f6cec5ddcfd12fc1d5d0a13ea73587bd86d24c139c613ff005c8eea92b5bfe1abbfba902b7e762b57584a7ade62096090ca6c7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRj:q7Tc2NYHUrAwfMp3CDRj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/1488-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-71-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2708-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-122-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1464-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-181-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2392-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-201-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1672-213-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/1720-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-300-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2096-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-395-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1216-421-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/852-434-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1624-442-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1624-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-446-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2400-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-534-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/316-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1620-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-585-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1588-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-652-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2740-653-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1972-686-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/408-749-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/840-780-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-894-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2896-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-915-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2096 8688668.exe 1588 e02428.exe 2280 dvdjv.exe 1604 rlrflrf.exe 2800 82008.exe 2748 c204046.exe 2844 046240.exe 2708 lxlrxlx.exe 2540 q08022.exe 3056 42002.exe 2588 vpdjp.exe 2368 lrrlllr.exe 2300 hbttnt.exe 2864 4206840.exe 1464 xxrrxfr.exe 2908 ddjvd.exe 2892 0462068.exe 2392 606282.exe 2148 rxxllxr.exe 1484 0822484.exe 1672 7vdjv.exe 1720 6040842.exe 912 1fxrrrr.exe 1984 64262.exe 1544 dpvvv.exe 2432 020060.exe 2948 7pdpp.exe 624 pvdjj.exe 996 3vppv.exe 1272 bnbhtb.exe 2944 42400.exe 2488 9nbntb.exe 2096 480628.exe 2780 3pdpd.exe 2128 0466228.exe 2136 4862446.exe 2788 hthhhh.exe 2808 604606.exe 2952 42020.exe 2888 a6446.exe 2568 o862006.exe 2712 2664024.exe 2560 48680.exe 2540 frffrrf.exe 2348 hbttbb.exe 1064 lrffllr.exe 1944 646628.exe 1184 48044.exe 1216 nhbbnn.exe 2868 nbtbnt.exe 852 lfxlrrf.exe 1624 48280.exe 1256 jddpd.exe 2640 fxrxxfr.exe 2400 tnbhbn.exe 2372 nhbnbb.exe 1036 660240.exe 2152 vvpvd.exe 1112 82068.exe 1628 nthhtb.exe 1752 m8228.exe 928 btnnbb.exe 1516 6422006.exe 1864 rrlxllx.exe -
resource yara_rule behavioral1/memory/1488-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-213-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1720-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-260-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/996-283-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2944-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-395-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/852-434-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1624-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-749-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/840-780-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1804-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-830-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1724-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-908-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8240666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u266284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0800280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4688062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o844488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6422006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1488 wrote to memory of 2096 1488 3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe 31 PID 1488 wrote to memory of 2096 1488 3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe 31 PID 1488 wrote to memory of 2096 1488 3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe 31 PID 1488 wrote to memory of 2096 1488 3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe 31 PID 2096 wrote to memory of 1588 2096 8688668.exe 32 PID 2096 wrote to memory of 1588 2096 8688668.exe 32 PID 2096 wrote to memory of 1588 2096 8688668.exe 32 PID 2096 wrote to memory of 1588 2096 8688668.exe 32 PID 1588 wrote to memory of 2280 1588 e02428.exe 33 PID 1588 wrote to memory of 2280 1588 e02428.exe 33 PID 1588 wrote to memory of 2280 1588 e02428.exe 33 PID 1588 wrote to memory of 2280 1588 e02428.exe 33 PID 2280 wrote to memory of 1604 2280 dvdjv.exe 34 PID 2280 wrote to memory of 1604 2280 dvdjv.exe 34 PID 2280 wrote to memory of 1604 2280 dvdjv.exe 34 PID 2280 wrote to memory of 1604 2280 dvdjv.exe 34 PID 1604 wrote to memory of 2800 1604 rlrflrf.exe 35 PID 1604 wrote to memory of 2800 1604 rlrflrf.exe 35 PID 1604 wrote to memory of 2800 1604 rlrflrf.exe 35 PID 1604 wrote to memory of 2800 1604 rlrflrf.exe 35 PID 2800 wrote to memory of 2748 2800 82008.exe 36 PID 2800 wrote to memory of 2748 2800 82008.exe 36 PID 2800 wrote to memory of 2748 2800 82008.exe 36 PID 2800 wrote to memory of 2748 2800 82008.exe 36 PID 2748 wrote to memory of 2844 2748 c204046.exe 37 PID 2748 wrote to memory of 2844 2748 c204046.exe 37 PID 2748 wrote to memory of 2844 2748 c204046.exe 37 PID 2748 wrote to memory of 2844 2748 c204046.exe 37 PID 2844 wrote to memory of 2708 2844 046240.exe 38 PID 2844 wrote to memory of 2708 2844 046240.exe 38 PID 2844 wrote to memory of 2708 2844 046240.exe 38 PID 2844 wrote to memory of 2708 2844 046240.exe 38 PID 2708 wrote to memory of 2540 2708 lxlrxlx.exe 39 PID 
2708 wrote to memory of 2540 2708 lxlrxlx.exe 39 PID 2708 wrote to memory of 2540 2708 lxlrxlx.exe 39 PID 2708 wrote to memory of 2540 2708 lxlrxlx.exe 39 PID 2540 wrote to memory of 3056 2540 q08022.exe 40 PID 2540 wrote to memory of 3056 2540 q08022.exe 40 PID 2540 wrote to memory of 3056 2540 q08022.exe 40 PID 2540 wrote to memory of 3056 2540 q08022.exe 40 PID 3056 wrote to memory of 2588 3056 42002.exe 41 PID 3056 wrote to memory of 2588 3056 42002.exe 41 PID 3056 wrote to memory of 2588 3056 42002.exe 41 PID 3056 wrote to memory of 2588 3056 42002.exe 41 PID 2588 wrote to memory of 2368 2588 vpdjp.exe 42 PID 2588 wrote to memory of 2368 2588 vpdjp.exe 42 PID 2588 wrote to memory of 2368 2588 vpdjp.exe 42 PID 2588 wrote to memory of 2368 2588 vpdjp.exe 42 PID 2368 wrote to memory of 2300 2368 lrrlllr.exe 43 PID 2368 wrote to memory of 2300 2368 lrrlllr.exe 43 PID 2368 wrote to memory of 2300 2368 lrrlllr.exe 43 PID 2368 wrote to memory of 2300 2368 lrrlllr.exe 43 PID 2300 wrote to memory of 2864 2300 hbttnt.exe 44 PID 2300 wrote to memory of 2864 2300 hbttnt.exe 44 PID 2300 wrote to memory of 2864 2300 hbttnt.exe 44 PID 2300 wrote to memory of 2864 2300 hbttnt.exe 44 PID 2864 wrote to memory of 1464 2864 4206840.exe 45 PID 2864 wrote to memory of 1464 2864 4206840.exe 45 PID 2864 wrote to memory of 1464 2864 4206840.exe 45 PID 2864 wrote to memory of 1464 2864 4206840.exe 45 PID 1464 wrote to memory of 2908 1464 xxrrxfr.exe 46 PID 1464 wrote to memory of 2908 1464 xxrrxfr.exe 46 PID 1464 wrote to memory of 2908 1464 xxrrxfr.exe 46 PID 1464 wrote to memory of 2908 1464 xxrrxfr.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe"C:\Users\Admin\AppData\Local\Temp\3f18c0bfbbdc16db504a05545898f6ad603132fc70de5589c65cfc07661854ccN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\8688668.exec:\8688668.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\e02428.exec:\e02428.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\dvdjv.exec:\dvdjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\rlrflrf.exec:\rlrflrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\82008.exec:\82008.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\c204046.exec:\c204046.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\046240.exec:\046240.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\lxlrxlx.exec:\lxlrxlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\q08022.exec:\q08022.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\42002.exec:\42002.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\vpdjp.exec:\vpdjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\lrrlllr.exec:\lrrlllr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\hbttnt.exec:\hbttnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\4206840.exec:\4206840.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\xxrrxfr.exec:\xxrrxfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\ddjvd.exec:\ddjvd.exe17⤵
- Executes dropped EXE
PID:2908 -
\??\c:\0462068.exec:\0462068.exe18⤵
- Executes dropped EXE
PID:2892 -
\??\c:\606282.exec:\606282.exe19⤵
- Executes dropped EXE
PID:2392 -
\??\c:\rxxllxr.exec:\rxxllxr.exe20⤵
- Executes dropped EXE
PID:2148 -
\??\c:\0822484.exec:\0822484.exe21⤵
- Executes dropped EXE
PID:1484 -
\??\c:\7vdjv.exec:\7vdjv.exe22⤵
- Executes dropped EXE
PID:1672 -
\??\c:\6040842.exec:\6040842.exe23⤵
- Executes dropped EXE
PID:1720 -
\??\c:\1fxrrrr.exec:\1fxrrrr.exe24⤵
- Executes dropped EXE
PID:912 -
\??\c:\64262.exec:\64262.exe25⤵
- Executes dropped EXE
PID:1984 -
\??\c:\dpvvv.exec:\dpvvv.exe26⤵
- Executes dropped EXE
PID:1544 -
\??\c:\020060.exec:\020060.exe27⤵
- Executes dropped EXE
PID:2432 -
\??\c:\7pdpp.exec:\7pdpp.exe28⤵
- Executes dropped EXE
PID:2948 -
\??\c:\pvdjj.exec:\pvdjj.exe29⤵
- Executes dropped EXE
PID:624 -
\??\c:\3vppv.exec:\3vppv.exe30⤵
- Executes dropped EXE
PID:996 -
\??\c:\bnbhtb.exec:\bnbhtb.exe31⤵
- Executes dropped EXE
PID:1272 -
\??\c:\42400.exec:\42400.exe32⤵
- Executes dropped EXE
PID:2944 -
\??\c:\9nbntb.exec:\9nbntb.exe33⤵
- Executes dropped EXE
PID:2488 -
\??\c:\480628.exec:\480628.exe34⤵
- Executes dropped EXE
PID:2096 -
\??\c:\3pdpd.exec:\3pdpd.exe35⤵
- Executes dropped EXE
PID:2780 -
\??\c:\0466228.exec:\0466228.exe36⤵
- Executes dropped EXE
PID:2128 -
\??\c:\4862446.exec:\4862446.exe37⤵
- Executes dropped EXE
PID:2136 -
\??\c:\hthhhh.exec:\hthhhh.exe38⤵
- Executes dropped EXE
PID:2788 -
\??\c:\604606.exec:\604606.exe39⤵
- Executes dropped EXE
PID:2808 -
\??\c:\42020.exec:\42020.exe40⤵
- Executes dropped EXE
PID:2952 -
\??\c:\a6446.exec:\a6446.exe41⤵
- Executes dropped EXE
PID:2888 -
\??\c:\o862006.exec:\o862006.exe42⤵
- Executes dropped EXE
PID:2568 -
\??\c:\2664024.exec:\2664024.exe43⤵
- Executes dropped EXE
PID:2712 -
\??\c:\48680.exec:\48680.exe44⤵
- Executes dropped EXE
PID:2560 -
\??\c:\frffrrf.exec:\frffrrf.exe45⤵
- Executes dropped EXE
PID:2540 -
\??\c:\hbttbb.exec:\hbttbb.exe46⤵
- Executes dropped EXE
PID:2348 -
\??\c:\lrffllr.exec:\lrffllr.exe47⤵
- Executes dropped EXE
PID:1064 -
\??\c:\646628.exec:\646628.exe48⤵
- Executes dropped EXE
PID:1944 -
\??\c:\48044.exec:\48044.exe49⤵
- Executes dropped EXE
PID:1184 -
\??\c:\nhbbnn.exec:\nhbbnn.exe50⤵
- Executes dropped EXE
PID:1216 -
\??\c:\nbtbnt.exec:\nbtbnt.exe51⤵
- Executes dropped EXE
PID:2868 -
\??\c:\lfxlrrf.exec:\lfxlrrf.exe52⤵
- Executes dropped EXE
PID:852 -
\??\c:\48280.exec:\48280.exe53⤵
- Executes dropped EXE
PID:1624 -
\??\c:\jddpd.exec:\jddpd.exe54⤵
- Executes dropped EXE
PID:1256 -
\??\c:\fxrxxfr.exec:\fxrxxfr.exe55⤵
- Executes dropped EXE
PID:2640 -
\??\c:\tnbhbn.exec:\tnbhbn.exe56⤵
- Executes dropped EXE
PID:2400 -
\??\c:\nhbnbb.exec:\nhbnbb.exe57⤵
- Executes dropped EXE
PID:2372 -
\??\c:\660240.exec:\660240.exe58⤵
- Executes dropped EXE
PID:1036 -
\??\c:\vvpvd.exec:\vvpvd.exe59⤵
- Executes dropped EXE
PID:2152 -
\??\c:\82068.exec:\82068.exe60⤵
- Executes dropped EXE
PID:1112 -
\??\c:\nthhtb.exec:\nthhtb.exe61⤵
- Executes dropped EXE
PID:1628 -
\??\c:\m8228.exec:\m8228.exe62⤵
- Executes dropped EXE
PID:1752 -
\??\c:\btnnbb.exec:\btnnbb.exe63⤵
- Executes dropped EXE
PID:928 -
\??\c:\6422006.exec:\6422006.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516 -
\??\c:\rrlxllx.exec:\rrlxllx.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
\??\c:\8268006.exec:\8268006.exe66⤵PID:1352
-
\??\c:\0868040.exec:\0868040.exe67⤵PID:1544
-
\??\c:\6002406.exec:\6002406.exe68⤵PID:2992
-
\??\c:\64840.exec:\64840.exe69⤵PID:2204
-
\??\c:\7hthhn.exec:\7hthhn.exe70⤵PID:1060
-
\??\c:\266628.exec:\266628.exe71⤵PID:624
-
\??\c:\rrlrflx.exec:\rrlrflx.exe72⤵PID:760
-
\??\c:\2644606.exec:\2644606.exe73⤵PID:316
-
\??\c:\228602.exec:\228602.exe74⤵PID:1620
-
\??\c:\dpddd.exec:\dpddd.exe75⤵PID:2016
-
\??\c:\6862884.exec:\6862884.exe76⤵PID:2488
-
\??\c:\tnbhtb.exec:\tnbhtb.exe77⤵PID:1588
-
\??\c:\fxlxlrx.exec:\fxlxlrx.exe78⤵PID:2280
-
\??\c:\20266.exec:\20266.exe79⤵PID:2276
-
\??\c:\s6062.exec:\s6062.exe80⤵PID:2968
-
\??\c:\xrlxxxx.exec:\xrlxxxx.exe81⤵PID:2676
-
\??\c:\60840.exec:\60840.exe82⤵PID:2740
-
\??\c:\7httnt.exec:\7httnt.exe83⤵PID:2660
-
\??\c:\42402.exec:\42402.exe84⤵PID:2888
-
\??\c:\rrrxrxr.exec:\rrrxrxr.exe85⤵PID:2568
-
\??\c:\llflrfr.exec:\llflrfr.exe86⤵PID:2712
-
\??\c:\608462.exec:\608462.exe87⤵PID:2832
-
\??\c:\jjdvj.exec:\jjdvj.exe88⤵PID:3056
-
\??\c:\8862420.exec:\8862420.exe89⤵PID:2588
-
\??\c:\jjvdj.exec:\jjvdj.exe90⤵PID:1972
-
\??\c:\dvjvd.exec:\dvjvd.exe91⤵PID:1240
-
\??\c:\5lflrxf.exec:\5lflrxf.exe92⤵PID:2836
-
\??\c:\208462.exec:\208462.exe93⤵PID:1824
-
\??\c:\04402.exec:\04402.exe94⤵PID:1500
-
\??\c:\082844.exec:\082844.exe95⤵PID:2912
-
\??\c:\8226228.exec:\8226228.exe96⤵PID:3028
-
\??\c:\jdvdj.exec:\jdvdj.exe97⤵PID:1716
-
\??\c:\6226464.exec:\6226464.exe98⤵PID:2512
-
\??\c:\6040246.exec:\6040246.exe99⤵PID:2248
-
\??\c:\9lllflx.exec:\9lllflx.exe100⤵PID:408
-
\??\c:\2644624.exec:\2644624.exe101⤵PID:1812
-
\??\c:\2080442.exec:\2080442.exe102⤵PID:840
-
\??\c:\pjvdd.exec:\pjvdd.exe103⤵PID:328
-
\??\c:\26468.exec:\26468.exe104⤵PID:712
-
\??\c:\9vppj.exec:\9vppj.exe105⤵PID:2180
-
\??\c:\c262620.exec:\c262620.exe106⤵PID:1740
-
\??\c:\rfrxlrx.exec:\rfrxlrx.exe107⤵PID:1548
-
\??\c:\24002.exec:\24002.exe108⤵PID:1804
-
\??\c:\o286600.exec:\o286600.exe109⤵PID:892
-
\??\c:\0828002.exec:\0828002.exe110⤵PID:2120
-
\??\c:\6086848.exec:\6086848.exe111⤵PID:1284
-
\??\c:\nnhthh.exec:\nnhthh.exe112⤵PID:2188
-
\??\c:\008088.exec:\008088.exe113⤵PID:1496
-
\??\c:\jvjjp.exec:\jvjjp.exe114⤵PID:1512
-
\??\c:\86028.exec:\86028.exe115⤵PID:1288
-
\??\c:\bhttbb.exec:\bhttbb.exe116⤵PID:1724
-
\??\c:\04662.exec:\04662.exe117⤵PID:2460
-
\??\c:\5lxfflf.exec:\5lxfflf.exe118⤵PID:1976
-
\??\c:\ppjpd.exec:\ppjpd.exe119⤵PID:2016
-
\??\c:\lrlxrrx.exec:\lrlxrrx.exe120⤵PID:3060
-
\??\c:\606244.exec:\606244.exe121⤵PID:2672
-
\??\c:\i080680.exec:\i080680.exe122⤵PID:2824