Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
25-12-2024 18:11
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe
-
Size
453KB
-
MD5
49ffc5ddc1d5920cba2294df033f510a
-
SHA1
73504d05d9a44c5936a7d764ac09f43f33e05916
-
SHA256
0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a
-
SHA512
95ac284fc611f87a1a27ec564d729bef24e6e8f05d3e11342f22526f850f03f4e5d481f303575018d1cfee6642340c0ef14555fde3ad6ff1d91c6f8b52f4f96e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config — none shown for this run (no C2 or configuration block was recovered; the family attribution below rests solely on in-memory YARA matches)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs (every hit is the `family_blackmoon` YARA rule on a 0x2A000-byte region — the image mapped at 0x400000, or a private copy at 0x1B0000/0x220000/0x430000/0x1C50000 — in the successive dropped-copy PIDs; identical region sizes in every process are consistent with each dropped file being a copy of the same payload rather than a distinct second stage)
resource yara_rule behavioral1/memory/1824-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1204-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/268-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2888-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-408-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2060-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-423-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1956-444-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2440-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-575-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1748-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1104-678-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1104-676-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2724-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-716-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1440-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-731-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/332-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-785-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2528-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-903-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2504-922-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/2248-1082-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2248-1081-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1376-1085-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/688-1110-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing is capped at 64 entries; the process tree below continues to depth 122. PIDs 584 and 2120 each appear twice — rrrfrxl.exe/jdpjp.exe and 7frlllr.exe/w24406.exe — so PIDs are being reused after earlier copies exit; key detections on the dropped-file paths in the C:\ root, not on PID)
pid Process 584 rrrfrxl.exe 2900 u084268.exe 2120 7frlllr.exe 2868 88802.exe 2812 802288.exe 2668 vpddp.exe 2312 260062.exe 2848 tnbbhb.exe 328 7jddv.exe 1248 086248.exe 2336 426800.exe 1940 nbhnnh.exe 3032 42400.exe 2856 20262.exe 1040 jvjjd.exe 700 5jpvv.exe 1200 vjpjp.exe 996 26468.exe 2200 42006.exe 2432 42020.exe 2184 frxfxff.exe 2084 frxfrrr.exe 2480 3thhhb.exe 1204 64006.exe 268 428440.exe 1628 66620.exe 288 80288.exe 572 86822.exe 2592 5lffllx.exe 1592 btbhnn.exe 1988 08068.exe 2588 9xfflll.exe 2768 424460.exe 1600 k46662.exe 1572 08044.exe 584 jdpjp.exe 2888 fxlxffl.exe 2940 q80060.exe 2120 w24406.exe 2972 djvjd.exe 2696 bbbhhb.exe 2728 682844.exe 2128 lfrrrrx.exe 888 5ntbhh.exe 2844 0444840.exe 3024 pdjjp.exe 2148 xllflfl.exe 1796 hbnnbb.exe 2060 26662.exe 2744 a0222.exe 3028 thnntn.exe 2988 htntth.exe 668 k44844.exe 1956 4688440.exe 1916 fxfxxrx.exe 1760 o060600.exe 1148 04662.exe 2096 nbhbht.exe 2088 7hnbbt.exe 2468 7vjdd.exe 2440 20228.exe 1612 68400.exe 2556 bthhnn.exe 2448 jddvv.exe -
resource yara_rule behavioral1/memory/1824-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-236-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2592-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-408-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2744-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-676-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2724-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-792-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2528-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-903-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-929-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-955-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-1046-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-1085-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host — here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language — in order to infer its geographical location. Caveat: ordinary runtime/locale initialisation reads this key too, so on its own it is a weak indicator; it matters mainly when behaviour differs by locale, and in this run (en-us image) the chain continued regardless. Entries attributed to "Process not Found" are accesses the sandbox could not tie to a tracked process, most likely because that short-lived copy had already exited.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2082866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0044404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrxxx.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e42806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent→child pair is recorded four times and the pairs form a strict chain 1824→584→2900→2120→…: every copy writes into the child it has just spawned, then that child repeats the step. The list is capped at 64 entries and ends at 1040→700; the process tree below continues to depth 122)
description pid Process procid_target PID 1824 wrote to memory of 584 1824 0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe 30 PID 1824 wrote to memory of 584 1824 0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe 30 PID 1824 wrote to memory of 584 1824 0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe 30 PID 1824 wrote to memory of 584 1824 0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe 30 PID 584 wrote to memory of 2900 584 rrrfrxl.exe 31 PID 584 wrote to memory of 2900 584 rrrfrxl.exe 31 PID 584 wrote to memory of 2900 584 rrrfrxl.exe 31 PID 584 wrote to memory of 2900 584 rrrfrxl.exe 31 PID 2900 wrote to memory of 2120 2900 u084268.exe 32 PID 2900 wrote to memory of 2120 2900 u084268.exe 32 PID 2900 wrote to memory of 2120 2900 u084268.exe 32 PID 2900 wrote to memory of 2120 2900 u084268.exe 32 PID 2120 wrote to memory of 2868 2120 7frlllr.exe 33 PID 2120 wrote to memory of 2868 2120 7frlllr.exe 33 PID 2120 wrote to memory of 2868 2120 7frlllr.exe 33 PID 2120 wrote to memory of 2868 2120 7frlllr.exe 33 PID 2868 wrote to memory of 2812 2868 88802.exe 34 PID 2868 wrote to memory of 2812 2868 88802.exe 34 PID 2868 wrote to memory of 2812 2868 88802.exe 34 PID 2868 wrote to memory of 2812 2868 88802.exe 34 PID 2812 wrote to memory of 2668 2812 802288.exe 35 PID 2812 wrote to memory of 2668 2812 802288.exe 35 PID 2812 wrote to memory of 2668 2812 802288.exe 35 PID 2812 wrote to memory of 2668 2812 802288.exe 35 PID 2668 wrote to memory of 2312 2668 vpddp.exe 36 PID 2668 wrote to memory of 2312 2668 vpddp.exe 36 PID 2668 wrote to memory of 2312 2668 vpddp.exe 36 PID 2668 wrote to memory of 2312 2668 vpddp.exe 36 PID 2312 wrote to memory of 2848 2312 260062.exe 37 PID 2312 wrote to memory of 2848 2312 260062.exe 37 PID 2312 wrote to memory of 2848 2312 260062.exe 37 PID 2312 wrote to memory of 2848 2312 260062.exe 37 PID 2848 wrote to memory of 328 2848 tnbbhb.exe 38 PID 2848 wrote to 
memory of 328 2848 tnbbhb.exe 38 PID 2848 wrote to memory of 328 2848 tnbbhb.exe 38 PID 2848 wrote to memory of 328 2848 tnbbhb.exe 38 PID 328 wrote to memory of 1248 328 7jddv.exe 39 PID 328 wrote to memory of 1248 328 7jddv.exe 39 PID 328 wrote to memory of 1248 328 7jddv.exe 39 PID 328 wrote to memory of 1248 328 7jddv.exe 39 PID 1248 wrote to memory of 2336 1248 086248.exe 40 PID 1248 wrote to memory of 2336 1248 086248.exe 40 PID 1248 wrote to memory of 2336 1248 086248.exe 40 PID 1248 wrote to memory of 2336 1248 086248.exe 40 PID 2336 wrote to memory of 1940 2336 426800.exe 41 PID 2336 wrote to memory of 1940 2336 426800.exe 41 PID 2336 wrote to memory of 1940 2336 426800.exe 41 PID 2336 wrote to memory of 1940 2336 426800.exe 41 PID 1940 wrote to memory of 3032 1940 nbhnnh.exe 42 PID 1940 wrote to memory of 3032 1940 nbhnnh.exe 42 PID 1940 wrote to memory of 3032 1940 nbhnnh.exe 42 PID 1940 wrote to memory of 3032 1940 nbhnnh.exe 42 PID 3032 wrote to memory of 2856 3032 42400.exe 43 PID 3032 wrote to memory of 2856 3032 42400.exe 43 PID 3032 wrote to memory of 2856 3032 42400.exe 43 PID 3032 wrote to memory of 2856 3032 42400.exe 43 PID 2856 wrote to memory of 1040 2856 20262.exe 44 PID 2856 wrote to memory of 1040 2856 20262.exe 44 PID 2856 wrote to memory of 1040 2856 20262.exe 44 PID 2856 wrote to memory of 1040 2856 20262.exe 44 PID 1040 wrote to memory of 700 1040 jvjjd.exe 45 PID 1040 wrote to memory of 700 1040 jvjjd.exe 45 PID 1040 wrote to memory of 700 1040 jvjjd.exe 45 PID 1040 wrote to memory of 700 1040 jvjjd.exe 45
Processes (each entry is the image path, followed by the quoted command line and the nesting depth marked ⤵; the dropped copies run from the C:\ volume root under short pseudo-random names such as c:\rrrfrxl.exe — a file-system artefact worth hunting on, independent of PID or process name)
-
C:\Users\Admin\AppData\Local\Temp\0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe"C:\Users\Admin\AppData\Local\Temp\0268e51090b6f67b95d7ebc17dd2aa8eb92895274b0ee834156d94ec1f0b114a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\rrrfrxl.exec:\rrrfrxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\u084268.exec:\u084268.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\7frlllr.exec:\7frlllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\88802.exec:\88802.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\802288.exec:\802288.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\vpddp.exec:\vpddp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\260062.exec:\260062.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\tnbbhb.exec:\tnbbhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\7jddv.exec:\7jddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:328 -
\??\c:\086248.exec:\086248.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\426800.exec:\426800.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\nbhnnh.exec:\nbhnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\42400.exec:\42400.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\20262.exec:\20262.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\jvjjd.exec:\jvjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\5jpvv.exec:\5jpvv.exe17⤵
- Executes dropped EXE
PID:700 -
\??\c:\vjpjp.exec:\vjpjp.exe18⤵
- Executes dropped EXE
PID:1200 -
\??\c:\26468.exec:\26468.exe19⤵
- Executes dropped EXE
PID:996 -
\??\c:\42006.exec:\42006.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
\??\c:\42020.exec:\42020.exe21⤵
- Executes dropped EXE
PID:2432 -
\??\c:\frxfxff.exec:\frxfxff.exe22⤵
- Executes dropped EXE
PID:2184 -
\??\c:\frxfrrr.exec:\frxfrrr.exe23⤵
- Executes dropped EXE
PID:2084 -
\??\c:\3thhhb.exec:\3thhhb.exe24⤵
- Executes dropped EXE
PID:2480 -
\??\c:\64006.exec:\64006.exe25⤵
- Executes dropped EXE
PID:1204 -
\??\c:\428440.exec:\428440.exe26⤵
- Executes dropped EXE
PID:268 -
\??\c:\66620.exec:\66620.exe27⤵
- Executes dropped EXE
PID:1628 -
\??\c:\80288.exec:\80288.exe28⤵
- Executes dropped EXE
PID:288 -
\??\c:\86822.exec:\86822.exe29⤵
- Executes dropped EXE
PID:572 -
\??\c:\5lffllx.exec:\5lffllx.exe30⤵
- Executes dropped EXE
PID:2592 -
\??\c:\btbhnn.exec:\btbhnn.exe31⤵
- Executes dropped EXE
PID:1592 -
\??\c:\08068.exec:\08068.exe32⤵
- Executes dropped EXE
PID:1988 -
\??\c:\9xfflll.exec:\9xfflll.exe33⤵
- Executes dropped EXE
PID:2588 -
\??\c:\424460.exec:\424460.exe34⤵
- Executes dropped EXE
PID:2768 -
\??\c:\k46662.exec:\k46662.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\08044.exec:\08044.exe36⤵
- Executes dropped EXE
PID:1572 -
\??\c:\jdpjp.exec:\jdpjp.exe37⤵
- Executes dropped EXE
PID:584 -
\??\c:\fxlxffl.exec:\fxlxffl.exe38⤵
- Executes dropped EXE
PID:2888 -
\??\c:\q80060.exec:\q80060.exe39⤵
- Executes dropped EXE
PID:2940 -
\??\c:\w24406.exec:\w24406.exe40⤵
- Executes dropped EXE
PID:2120 -
\??\c:\djvjd.exec:\djvjd.exe41⤵
- Executes dropped EXE
PID:2972 -
\??\c:\bbbhhb.exec:\bbbhhb.exe42⤵
- Executes dropped EXE
PID:2696 -
\??\c:\682844.exec:\682844.exe43⤵
- Executes dropped EXE
PID:2728 -
\??\c:\lfrrrrx.exec:\lfrrrrx.exe44⤵
- Executes dropped EXE
PID:2128 -
\??\c:\5ntbhh.exec:\5ntbhh.exe45⤵
- Executes dropped EXE
PID:888 -
\??\c:\0444840.exec:\0444840.exe46⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pdjjp.exec:\pdjjp.exe47⤵
- Executes dropped EXE
PID:3024 -
\??\c:\xllflfl.exec:\xllflfl.exe48⤵
- Executes dropped EXE
PID:2148 -
\??\c:\hbnnbb.exec:\hbnnbb.exe49⤵
- Executes dropped EXE
PID:1796 -
\??\c:\26662.exec:\26662.exe50⤵
- Executes dropped EXE
PID:2060 -
\??\c:\a0222.exec:\a0222.exe51⤵
- Executes dropped EXE
PID:2744 -
\??\c:\thnntn.exec:\thnntn.exe52⤵
- Executes dropped EXE
PID:3028 -
\??\c:\htntth.exec:\htntth.exe53⤵
- Executes dropped EXE
PID:2988 -
\??\c:\k44844.exec:\k44844.exe54⤵
- Executes dropped EXE
PID:668 -
\??\c:\4688440.exec:\4688440.exe55⤵
- Executes dropped EXE
PID:1956 -
\??\c:\fxfxxrx.exec:\fxfxxrx.exe56⤵
- Executes dropped EXE
PID:1916 -
\??\c:\o060600.exec:\o060600.exe57⤵
- Executes dropped EXE
PID:1760 -
\??\c:\04662.exec:\04662.exe58⤵
- Executes dropped EXE
PID:1148 -
\??\c:\nbhbht.exec:\nbhbht.exe59⤵
- Executes dropped EXE
PID:2096 -
\??\c:\7hnbbt.exec:\7hnbbt.exe60⤵
- Executes dropped EXE
PID:2088 -
\??\c:\7vjdd.exec:\7vjdd.exe61⤵
- Executes dropped EXE
PID:2468 -
\??\c:\20228.exec:\20228.exe62⤵
- Executes dropped EXE
PID:2440 -
\??\c:\68400.exec:\68400.exe63⤵
- Executes dropped EXE
PID:1612 -
\??\c:\bthhnn.exec:\bthhnn.exe64⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jddvv.exec:\jddvv.exe65⤵
- Executes dropped EXE
PID:2448 -
\??\c:\7xllllf.exec:\7xllllf.exe66⤵PID:904
-
\??\c:\o806444.exec:\o806444.exe67⤵PID:1752
-
\??\c:\82400.exec:\82400.exe68⤵PID:1964
-
\??\c:\048846.exec:\048846.exe69⤵PID:896
-
\??\c:\26064.exec:\26064.exe70⤵PID:924
-
\??\c:\0428440.exec:\0428440.exe71⤵PID:1944
-
\??\c:\pjdjv.exec:\pjdjv.exe72⤵PID:1952
-
\??\c:\e40626.exec:\e40626.exe73⤵PID:2592
-
\??\c:\7jvvv.exec:\7jvvv.exe74⤵PID:1592
-
\??\c:\9dpjd.exec:\9dpjd.exe75⤵PID:2340
-
\??\c:\c640266.exec:\c640266.exe76⤵PID:1748
-
\??\c:\ttntbt.exec:\ttntbt.exe77⤵PID:1720
-
\??\c:\66828.exec:\66828.exe78⤵PID:2768
-
\??\c:\080022.exec:\080022.exe79⤵PID:1564
-
\??\c:\w80448.exec:\w80448.exe80⤵PID:1572
-
\??\c:\6062884.exec:\6062884.exe81⤵PID:2800
-
\??\c:\ppppd.exec:\ppppd.exe82⤵PID:2916
-
\??\c:\llxflxf.exec:\llxflxf.exe83⤵PID:3000
-
\??\c:\pjvvd.exec:\pjvvd.exe84⤵PID:1960
-
\??\c:\btbhhh.exec:\btbhhh.exe85⤵PID:2688
-
\??\c:\5dvjj.exec:\5dvjj.exe86⤵PID:2932
-
\??\c:\88264.exec:\88264.exe87⤵PID:2728
-
\??\c:\nnbnth.exec:\nnbnth.exe88⤵PID:2320
-
\??\c:\jvjjv.exec:\jvjjv.exe89⤵PID:2324
-
\??\c:\820240.exec:\820240.exe90⤵PID:2908
-
\??\c:\860026.exec:\860026.exe91⤵PID:1104
-
\??\c:\264064.exec:\264064.exe92⤵PID:2364
-
\??\c:\642406.exec:\642406.exe93⤵PID:2076
-
\??\c:\22628.exec:\22628.exe94⤵PID:2724
-
\??\c:\04648.exec:\04648.exe95⤵PID:2968
-
\??\c:\ddvdp.exec:\ddvdp.exe96⤵PID:1864
-
\??\c:\pdvdd.exec:\pdvdd.exe97⤵PID:3028
-
\??\c:\m6024.exec:\m6024.exe98⤵PID:2988
-
\??\c:\0440004.exec:\0440004.exe99⤵PID:1440
-
\??\c:\jdvvp.exec:\jdvvp.exe100⤵PID:332
-
\??\c:\608066.exec:\608066.exe101⤵PID:1156
-
\??\c:\006246.exec:\006246.exe102⤵PID:564
-
\??\c:\464848.exec:\464848.exe103⤵PID:2416
-
\??\c:\nnhthb.exec:\nnhthb.exe104⤵PID:2124
-
\??\c:\60880.exec:\60880.exe105⤵PID:2632
-
\??\c:\djdjv.exec:\djdjv.exe106⤵PID:448
-
\??\c:\86828.exec:\86828.exe107⤵PID:1672
-
\??\c:\7tttbn.exec:\7tttbn.exe108⤵PID:1612
-
\??\c:\0884440.exec:\0884440.exe109⤵PID:2248
-
\??\c:\xxrfxlf.exec:\xxrfxlf.exe110⤵PID:2480
-
\??\c:\rxflffx.exec:\rxflffx.exe111⤵
- System Location Discovery: System Language Discovery
PID:1044 -
\??\c:\04664.exec:\04664.exe112⤵PID:1536
-
\??\c:\20286.exec:\20286.exe113⤵PID:2236
-
\??\c:\o806228.exec:\o806228.exe114⤵PID:896
-
\??\c:\2262800.exec:\2262800.exe115⤵PID:2528
-
\??\c:\7dvvd.exec:\7dvvd.exe116⤵PID:1944
-
\??\c:\q80404.exec:\q80404.exe117⤵PID:1952
-
\??\c:\88620.exec:\88620.exe118⤵PID:2424
-
\??\c:\00840.exec:\00840.exe119⤵PID:2388
-
\??\c:\5nthnb.exec:\5nthnb.exe120⤵PID:1780
-
\??\c:\tttthn.exec:\tttthn.exe121⤵PID:2004
-
\??\c:\ffflflr.exec:\ffflflr.exe122⤵PID:1720