Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 19:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db085ee1b7ea5c07b0da1366b5d3fa78183f0d32c67fd3823ae61ccf1af19089.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
db085ee1b7ea5c07b0da1366b5d3fa78183f0d32c67fd3823ae61ccf1af19089.exe
-
Size
454KB
-
MD5
0e4f6455c0aa2928e695707c6e334c41
-
SHA1
9361c77046d5a3dcf1daa931240f13adeb2b1749
-
SHA256
db085ee1b7ea5c07b0da1366b5d3fa78183f0d32c67fd3823ae61ccf1af19089
-
SHA512
a5eb3194d1d1c68c3d42076cc356d8a1f43102c8174f3c2933e4ed304c713f0aa5999cfc711cab8f4fbdc3cf4093ada222a8c544f76e457c9454a5cfca353849
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTi:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2136-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-253-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2368-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-277-0x0000000077340000-0x000000007743A000-memory.dmp family_blackmoon behavioral1/memory/2292-276-0x0000000077220000-0x000000007733F000-memory.dmp family_blackmoon behavioral1/memory/1980-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2744-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1348-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-419-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1808-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-447-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1740-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-614-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2908-647-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2400-724-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1756-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-770-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/600-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-907-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2252-921-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2244-970-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/784-1004-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2680-1137-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2744 60402.exe 2916 0484224.exe 2768 jdvvp.exe 2956 4688446.exe 2656 7lflflf.exe 1980 1xlrffr.exe 2684 ddjvv.exe 2948 nhhnnn.exe 2884 i086804.exe 2472 064062.exe 2392 xrrfrxr.exe 2280 nhbbnn.exe 2860 nnhbtb.exe 3004 08002.exe 676 1htbtn.exe 3028 44286.exe 1900 2824880.exe 1272 lrlrflf.exe 1984 thbhtt.exe 2208 82620.exe 1296 426640.exe 2400 ffxfxrl.exe 1056 48084.exe 784 g2024.exe 1628 ttnbtb.exe 1728 5ttbhn.exe 2564 tntttt.exe 1028 04468.exe 2368 bhbnbn.exe 1960 lxlfffl.exe 1768 60884.exe 2292 jdppd.exe 2744 jpppj.exe 2916 vpdvj.exe 2768 ddvdp.exe 2760 rxlxrrx.exe 2800 frxfxfr.exe 2808 rfxxrrx.exe 1980 lfrrrxx.exe 2372 jvdvd.exe 2044 086206.exe 2468 868284.exe 2664 a0284.exe 1348 w24448.exe 2692 c262464.exe 2900 8684440.exe 3020 220288.exe 2432 64222.exe 528 1lrrlll.exe 856 o644008.exe 2896 jdppj.exe 2616 bnhnbb.exe 2424 3llflfl.exe 2984 4862828.exe 1808 240066.exe 2244 nbtnth.exe 2512 a0806.exe 2308 q48462.exe 2332 xflrrrr.exe 1740 k86806.exe 1104 xlflxlf.exe 2196 04228.exe 2584 lfrrlxr.exe 1520 g8004.exe -
resource yara_rule behavioral1/memory/2136-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-365-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2692-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/528-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-647-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1360-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-744-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1756-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-900-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-958-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-1145-0x00000000003C0000-0x00000000003EA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6046460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2606808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2744 2136 db085ee1b7ea5c07b0da1366b5d3fa78183f0d32c67fd3823ae61ccf1af19089.exe 64 PID 2136 wrote to memory of 2744 2136 db085ee1b7ea5c07b0da1366b5d3fa78183f0d32c67fd3823ae61ccf1af19089.exe 64 PID 2136 wrote to memory of 2744 2136 db085ee1b7ea5c07b0da1366b5d3fa78183f0d32c67fd3823ae61ccf1af19089.exe 64 PID 2136 wrote to memory of 2744 2136 db085ee1b7ea5c07b0da1366b5d3fa78183f0d32c67fd3823ae61ccf1af19089.exe 64 PID 2744 wrote to memory of 2916 2744 60402.exe 65 PID 2744 wrote to memory of 2916 2744 60402.exe 65 PID 2744 wrote to memory of 2916 2744 60402.exe 65 PID 2744 wrote to memory of 2916 2744 60402.exe 65 PID 2916 wrote to memory of 2768 2916 0484224.exe 66 PID 2916 wrote to memory of 2768 2916 0484224.exe 66 PID 2916 wrote to memory of 2768 2916 0484224.exe 66 PID 2916 wrote to memory of 2768 2916 0484224.exe 66 PID 2768 wrote to memory of 2956 2768 jdvvp.exe 34 PID 2768 wrote to memory of 2956 2768 jdvvp.exe 34 PID 2768 wrote to memory of 2956 2768 jdvvp.exe 34 PID 2768 wrote to memory of 2956 2768 jdvvp.exe 34 PID 2956 wrote to memory of 2656 2956 4688446.exe 35 PID 2956 wrote to memory of 2656 2956 4688446.exe 35 PID 2956 wrote to memory of 2656 2956 4688446.exe 35 PID 2956 wrote to memory of 2656 2956 4688446.exe 35 PID 2656 wrote to memory of 1980 2656 7lflflf.exe 70 PID 2656 wrote to memory of 1980 2656 7lflflf.exe 70 PID 2656 wrote to memory of 1980 2656 7lflflf.exe 70 PID 2656 wrote to memory of 1980 2656 7lflflf.exe 70 PID 1980 wrote to memory of 2684 1980 1xlrffr.exe 37 PID 1980 wrote to memory of 2684 1980 1xlrffr.exe 37 PID 1980 wrote to memory of 2684 1980 1xlrffr.exe 37 PID 1980 wrote to memory of 2684 1980 1xlrffr.exe 37 PID 2684 wrote to memory of 2948 2684 ddjvv.exe 38 PID 2684 wrote to memory of 2948 2684 ddjvv.exe 38 PID 2684 wrote to memory of 2948 2684 ddjvv.exe 38 PID 2684 wrote to memory of 2948 2684 ddjvv.exe 38 PID 2948 wrote to memory of 2884 2948 nhhnnn.exe 39 PID 2948 
wrote to memory of 2884 2948 nhhnnn.exe 39 PID 2948 wrote to memory of 2884 2948 nhhnnn.exe 39 PID 2948 wrote to memory of 2884 2948 nhhnnn.exe 39 PID 2884 wrote to memory of 2472 2884 i086804.exe 40 PID 2884 wrote to memory of 2472 2884 i086804.exe 40 PID 2884 wrote to memory of 2472 2884 i086804.exe 40 PID 2884 wrote to memory of 2472 2884 i086804.exe 40 PID 2472 wrote to memory of 2392 2472 064062.exe 41 PID 2472 wrote to memory of 2392 2472 064062.exe 41 PID 2472 wrote to memory of 2392 2472 064062.exe 41 PID 2472 wrote to memory of 2392 2472 064062.exe 41 PID 2392 wrote to memory of 2280 2392 xrrfrxr.exe 42 PID 2392 wrote to memory of 2280 2392 xrrfrxr.exe 42 PID 2392 wrote to memory of 2280 2392 xrrfrxr.exe 42 PID 2392 wrote to memory of 2280 2392 xrrfrxr.exe 42 PID 2280 wrote to memory of 2860 2280 nhbbnn.exe 43 PID 2280 wrote to memory of 2860 2280 nhbbnn.exe 43 PID 2280 wrote to memory of 2860 2280 nhbbnn.exe 43 PID 2280 wrote to memory of 2860 2280 nhbbnn.exe 43 PID 2860 wrote to memory of 3004 2860 nnhbtb.exe 44 PID 2860 wrote to memory of 3004 2860 nnhbtb.exe 44 PID 2860 wrote to memory of 3004 2860 nnhbtb.exe 44 PID 2860 wrote to memory of 3004 2860 nnhbtb.exe 44 PID 3004 wrote to memory of 676 3004 08002.exe 45 PID 3004 wrote to memory of 676 3004 08002.exe 45 PID 3004 wrote to memory of 676 3004 08002.exe 45 PID 3004 wrote to memory of 676 3004 08002.exe 45 PID 676 wrote to memory of 3028 676 1htbtn.exe 46 PID 676 wrote to memory of 3028 676 1htbtn.exe 46 PID 676 wrote to memory of 3028 676 1htbtn.exe 46 PID 676 wrote to memory of 3028 676 1htbtn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\db085ee1b7ea5c07b0da1366b5d3fa78183f0d32c67fd3823ae61ccf1af19089.exe"C:\Users\Admin\AppData\Local\Temp\db085ee1b7ea5c07b0da1366b5d3fa78183f0d32c67fd3823ae61ccf1af19089.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\60402.exec:\60402.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\0484224.exec:\0484224.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\jdvvp.exec:\jdvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\4688446.exec:\4688446.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\7lflflf.exec:\7lflflf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\1xlrffr.exec:\1xlrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\ddjvv.exec:\ddjvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\nhhnnn.exec:\nhhnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\i086804.exec:\i086804.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\064062.exec:\064062.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\xrrfrxr.exec:\xrrfrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\nhbbnn.exec:\nhbbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\nnhbtb.exec:\nnhbtb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\08002.exec:\08002.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\1htbtn.exec:\1htbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\44286.exec:\44286.exe17⤵
- Executes dropped EXE
PID:3028 -
\??\c:\2824880.exec:\2824880.exe18⤵
- Executes dropped EXE
PID:1900 -
\??\c:\lrlrflf.exec:\lrlrflf.exe19⤵
- Executes dropped EXE
PID:1272 -
\??\c:\thbhtt.exec:\thbhtt.exe20⤵
- Executes dropped EXE
PID:1984 -
\??\c:\82620.exec:\82620.exe21⤵
- Executes dropped EXE
PID:2208 -
\??\c:\426640.exec:\426640.exe22⤵
- Executes dropped EXE
PID:1296 -
\??\c:\ffxfxrl.exec:\ffxfxrl.exe23⤵
- Executes dropped EXE
PID:2400 -
\??\c:\48084.exec:\48084.exe24⤵
- Executes dropped EXE
PID:1056 -
\??\c:\g2024.exec:\g2024.exe25⤵
- Executes dropped EXE
PID:784 -
\??\c:\ttnbtb.exec:\ttnbtb.exe26⤵
- Executes dropped EXE
PID:1628 -
\??\c:\5ttbhn.exec:\5ttbhn.exe27⤵
- Executes dropped EXE
PID:1728 -
\??\c:\tntttt.exec:\tntttt.exe28⤵
- Executes dropped EXE
PID:2564 -
\??\c:\04468.exec:\04468.exe29⤵
- Executes dropped EXE
PID:1028 -
\??\c:\bhbnbn.exec:\bhbnbn.exe30⤵
- Executes dropped EXE
PID:2368 -
\??\c:\lxlfffl.exec:\lxlfffl.exe31⤵
- Executes dropped EXE
PID:1960 -
\??\c:\60884.exec:\60884.exe32⤵
- Executes dropped EXE
PID:1768 -
\??\c:\jdppd.exec:\jdppd.exe33⤵
- Executes dropped EXE
PID:2292 -
\??\c:\fflfxxf.exec:\fflfxxf.exe34⤵PID:1580
-
\??\c:\jpppj.exec:\jpppj.exe35⤵
- Executes dropped EXE
PID:2744 -
\??\c:\vpdvj.exec:\vpdvj.exe36⤵
- Executes dropped EXE
PID:2916 -
\??\c:\ddvdp.exec:\ddvdp.exe37⤵
- Executes dropped EXE
PID:2768 -
\??\c:\rxlxrrx.exec:\rxlxrrx.exe38⤵
- Executes dropped EXE
PID:2760 -
\??\c:\frxfxfr.exec:\frxfxfr.exe39⤵
- Executes dropped EXE
PID:2800 -
\??\c:\rfxxrrx.exec:\rfxxrrx.exe40⤵
- Executes dropped EXE
PID:2808 -
\??\c:\lfrrrxx.exec:\lfrrrxx.exe41⤵
- Executes dropped EXE
PID:1980 -
\??\c:\jvdvd.exec:\jvdvd.exe42⤵
- Executes dropped EXE
PID:2372 -
\??\c:\086206.exec:\086206.exe43⤵
- Executes dropped EXE
PID:2044 -
\??\c:\868284.exec:\868284.exe44⤵
- Executes dropped EXE
PID:2468 -
\??\c:\a0284.exec:\a0284.exe45⤵
- Executes dropped EXE
PID:2664 -
\??\c:\w24448.exec:\w24448.exe46⤵
- Executes dropped EXE
PID:1348 -
\??\c:\c262464.exec:\c262464.exe47⤵
- Executes dropped EXE
PID:2692 -
\??\c:\8684440.exec:\8684440.exe48⤵
- Executes dropped EXE
PID:2900 -
\??\c:\220288.exec:\220288.exe49⤵
- Executes dropped EXE
PID:3020 -
\??\c:\64222.exec:\64222.exe50⤵
- Executes dropped EXE
PID:2432 -
\??\c:\1lrrlll.exec:\1lrrlll.exe51⤵
- Executes dropped EXE
PID:528 -
\??\c:\o644008.exec:\o644008.exe52⤵
- Executes dropped EXE
PID:856 -
\??\c:\jdppj.exec:\jdppj.exe53⤵
- Executes dropped EXE
PID:2896 -
\??\c:\bnhnbb.exec:\bnhnbb.exe54⤵
- Executes dropped EXE
PID:2616 -
\??\c:\3llflfl.exec:\3llflfl.exe55⤵
- Executes dropped EXE
PID:2424 -
\??\c:\4862828.exec:\4862828.exe56⤵
- Executes dropped EXE
PID:2984 -
\??\c:\240066.exec:\240066.exe57⤵
- Executes dropped EXE
PID:1808 -
\??\c:\nbtnth.exec:\nbtnth.exe58⤵
- Executes dropped EXE
PID:2244 -
\??\c:\a0806.exec:\a0806.exe59⤵
- Executes dropped EXE
PID:2512 -
\??\c:\q48462.exec:\q48462.exe60⤵
- Executes dropped EXE
PID:2308 -
\??\c:\xflrrrr.exec:\xflrrrr.exe61⤵
- Executes dropped EXE
PID:2332 -
\??\c:\k86806.exec:\k86806.exe62⤵
- Executes dropped EXE
PID:1740 -
\??\c:\xlflxlf.exec:\xlflxlf.exe63⤵
- Executes dropped EXE
PID:1104 -
\??\c:\04228.exec:\04228.exe64⤵
- Executes dropped EXE
PID:2196 -
\??\c:\lfrrlxr.exec:\lfrrlxr.exe65⤵
- Executes dropped EXE
PID:2584 -
\??\c:\g8004.exec:\g8004.exe66⤵
- Executes dropped EXE
PID:1520 -
\??\c:\tnhntb.exec:\tnhntb.exe67⤵PID:992
-
\??\c:\8680224.exec:\8680224.exe68⤵PID:1804
-
\??\c:\g8886.exec:\g8886.exe69⤵PID:996
-
\??\c:\9bnttb.exec:\9bnttb.exe70⤵PID:2092
-
\??\c:\hhtnhn.exec:\hhtnhn.exe71⤵PID:2524
-
\??\c:\7djjp.exec:\7djjp.exe72⤵PID:2780
-
\??\c:\5lxfffl.exec:\5lxfffl.exe73⤵PID:292
-
\??\c:\448240.exec:\448240.exe74⤵PID:2840
-
\??\c:\9pvpd.exec:\9pvpd.exe75⤵PID:2820
-
\??\c:\lfrfrrf.exec:\lfrfrrf.exe76⤵PID:2992
-
\??\c:\o880846.exec:\o880846.exe77⤵PID:2880
-
\??\c:\3pdjd.exec:\3pdjd.exe78⤵PID:2956
-
\??\c:\5xfxxrr.exec:\5xfxxrr.exe79⤵PID:2644
-
\??\c:\6628406.exec:\6628406.exe80⤵PID:2756
-
\??\c:\ttbtbb.exec:\ttbtbb.exe81⤵PID:2868
-
\??\c:\hhnnnt.exec:\hhnnnt.exe82⤵PID:2680
-
\??\c:\rrlxflx.exec:\rrlxflx.exe83⤵PID:2448
-
\??\c:\frffrrx.exec:\frffrrx.exe84⤵PID:2232
-
\??\c:\860622.exec:\860622.exe85⤵PID:3008
-
\??\c:\1btnbh.exec:\1btnbh.exe86⤵PID:836
-
\??\c:\26068.exec:\26068.exe87⤵PID:2692
-
\??\c:\9tttbh.exec:\9tttbh.exe88⤵PID:2908
-
\??\c:\482840.exec:\482840.exe89⤵PID:3020
-
\??\c:\1fffllx.exec:\1fffllx.exe90⤵PID:3000
-
\??\c:\a2464.exec:\a2464.exe91⤵PID:2856
-
\??\c:\c820248.exec:\c820248.exe92⤵PID:2688
-
\??\c:\u262068.exec:\u262068.exe93⤵PID:2896
-
\??\c:\26408.exec:\26408.exe94⤵PID:1052
-
\??\c:\a8802.exec:\a8802.exe95⤵PID:2424
-
\??\c:\u080884.exec:\u080884.exe96⤵PID:2172
-
\??\c:\nhthnn.exec:\nhthnn.exe97⤵PID:2988
-
\??\c:\nhbhnb.exec:\nhbhnb.exe98⤵PID:2580
-
\??\c:\2606808.exec:\2606808.exe99⤵
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\dvpdd.exec:\dvpdd.exe100⤵PID:2400
-
\??\c:\866224.exec:\866224.exe101⤵PID:2416
-
\??\c:\s6664.exec:\s6664.exe102⤵PID:784
-
\??\c:\nhbhnn.exec:\nhbhnn.exe103⤵PID:1360
-
\??\c:\5hbhth.exec:\5hbhth.exe104⤵PID:1104
-
\??\c:\jjjpj.exec:\jjjpj.exe105⤵PID:1756
-
\??\c:\3jdpd.exec:\3jdpd.exe106⤵PID:2052
-
\??\c:\hnnhnh.exec:\hnnhnh.exe107⤵PID:2516
-
\??\c:\pvpdj.exec:\pvpdj.exe108⤵PID:1000
-
\??\c:\pjdjv.exec:\pjdjv.exe109⤵PID:1640
-
\??\c:\00802.exec:\00802.exe110⤵PID:2592
-
\??\c:\7fxlffx.exec:\7fxlffx.exe111⤵PID:2092
-
\??\c:\vpppd.exec:\vpppd.exe112⤵PID:2524
-
\??\c:\ttbhtb.exec:\ttbhtb.exe113⤵PID:2852
-
\??\c:\vpddd.exec:\vpddd.exe114⤵PID:308
-
\??\c:\bbtbtt.exec:\bbtbtt.exe115⤵PID:1592
-
\??\c:\xrlxlrl.exec:\xrlxlrl.exe116⤵PID:2944
-
\??\c:\480244.exec:\480244.exe117⤵PID:1588
-
\??\c:\642800.exec:\642800.exe118⤵PID:2352
-
\??\c:\q82628.exec:\q82628.exe119⤵PID:2684
-
\??\c:\hbtttt.exec:\hbtttt.exe120⤵PID:2644
-
\??\c:\8806880.exec:\8806880.exe121⤵PID:2648
-
\??\c:\ddpdp.exec:\ddpdp.exe122⤵PID:1512