Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 19:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe
-
Size
454KB
-
MD5
6487f96ed5baf873c7c08ebf03e24ec0
-
SHA1
dface4a32a8109a86c8fbde4a21cc26b915a33d8
-
SHA256
ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfa
-
SHA512
4090650089ed61df43770f5747df261fc77fca6392868a63046dfea1adbc8a380ece83c2f0f430a0a88e01583fa967d384075b55cc2471081998af52e22fbdac
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 58 IoCs
resource yara_rule behavioral1/memory/2160-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-42-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1924-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-57-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/396-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-179-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1808-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-199-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1028-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-222-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1596-234-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1608-254-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1608-253-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2612-259-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/580-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-360-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2832-366-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2672-398-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2140-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-418-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1156-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2724-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-552-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1680-565-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1680-585-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/876-584-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1576-593-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1480-599-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2020-614-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1576-612-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2220-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-796-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1084-815-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/844-893-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-1047-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2160 k64068.exe 1480 0602408.exe 1908 hbbhnt.exe 1924 frlfllr.exe 2508 2640288.exe 2768 9hbbnt.exe 2864 4206224.exe 3008 48680.exe 2804 u824246.exe 2676 7nnthn.exe 2648 20262.exe 2860 w08882.exe 1796 xlfflrf.exe 2688 26408.exe 1956 e26806.exe 396 20284.exe 1404 0602020.exe 2012 9rllrlr.exe 1808 82020.exe 2964 q08066.exe 1200 26684.exe 1028 8202442.exe 568 xrfflrf.exe 1596 2028460.exe 1256 dvdjp.exe 1608 9vjvp.exe 2612 226062.exe 2180 ttntbh.exe 580 u062484.exe 2088 4402846.exe 876 2028624.exe 2028 6428884.exe 2016 flflflx.exe 1556 8228068.exe 2264 086682.exe 2260 60224.exe 2364 k64488.exe 2112 5htnnb.exe 2720 bnbttn.exe 2816 lfrxlrx.exe 2832 vjvvj.exe 2744 i422846.exe 2844 0866224.exe 2752 rllflll.exe 2872 jpvjd.exe 2672 fxlrxxr.exe 2668 u428002.exe 2140 jjjvj.exe 2296 464006.exe 2484 bttthn.exe 1156 fxllrxf.exe 1540 1thntb.exe 1956 w80022.exe 2532 6886686.exe 2940 866004.exe 1968 tnhnht.exe 2984 7lrrrlr.exe 2144 a0404.exe 2488 fxrfrrf.exe 2236 5rrfxlr.exe 2724 s0280.exe 2032 6020626.exe 608 204800.exe 568 26288.exe -
resource yara_rule behavioral1/memory/2712-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/396-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-199-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1028-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-289-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2028-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-366-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2140-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-418-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1156-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/608-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-552-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2192-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-584-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2220-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-714-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2012-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-758-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1112-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-893-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-955-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/484-998-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-1047-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4462222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4806402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2640848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1bnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2662068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 226240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2602068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0468046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 2160 2712 ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe 30 PID 2712 wrote to memory of 2160 2712 ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe 30 PID 2712 wrote to memory of 2160 2712 ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe 30 PID 2712 wrote to memory of 2160 2712 ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe 30 PID 2160 wrote to memory of 1480 2160 k64068.exe 31 PID 2160 wrote to memory of 1480 2160 k64068.exe 31 PID 2160 wrote to memory of 1480 2160 k64068.exe 31 PID 2160 wrote to memory of 1480 2160 k64068.exe 31 PID 1480 wrote to memory of 1908 1480 0602408.exe 32 PID 1480 wrote to memory of 1908 1480 0602408.exe 32 PID 1480 wrote to memory of 1908 1480 0602408.exe 32 PID 1480 wrote to memory of 1908 1480 0602408.exe 32 PID 1908 wrote to memory of 1924 1908 hbbhnt.exe 33 PID 1908 wrote to memory of 1924 1908 hbbhnt.exe 33 PID 1908 wrote to memory of 1924 1908 hbbhnt.exe 33 PID 1908 wrote to memory of 1924 1908 hbbhnt.exe 33 PID 1924 wrote to memory of 2508 1924 frlfllr.exe 34 PID 1924 wrote to memory of 2508 1924 frlfllr.exe 34 PID 1924 wrote to memory of 2508 1924 frlfllr.exe 34 PID 1924 wrote to memory of 2508 1924 frlfllr.exe 34 PID 2508 wrote to memory of 2768 2508 2640288.exe 35 PID 2508 wrote to memory of 2768 2508 2640288.exe 35 PID 2508 wrote to memory of 2768 2508 2640288.exe 35 PID 2508 wrote to memory of 2768 2508 2640288.exe 35 PID 2768 wrote to memory of 2864 2768 9hbbnt.exe 36 PID 2768 wrote to memory of 2864 2768 9hbbnt.exe 36 PID 2768 wrote to memory of 2864 2768 9hbbnt.exe 36 PID 2768 wrote to memory of 2864 2768 9hbbnt.exe 36 PID 2864 wrote to memory of 3008 2864 4206224.exe 37 PID 2864 wrote to memory of 3008 2864 4206224.exe 37 PID 2864 wrote to memory of 3008 2864 4206224.exe 37 PID 2864 wrote to memory of 3008 2864 4206224.exe 37 PID 3008 wrote to memory of 2804 3008 
48680.exe 38 PID 3008 wrote to memory of 2804 3008 48680.exe 38 PID 3008 wrote to memory of 2804 3008 48680.exe 38 PID 3008 wrote to memory of 2804 3008 48680.exe 38 PID 2804 wrote to memory of 2676 2804 u824246.exe 39 PID 2804 wrote to memory of 2676 2804 u824246.exe 39 PID 2804 wrote to memory of 2676 2804 u824246.exe 39 PID 2804 wrote to memory of 2676 2804 u824246.exe 39 PID 2676 wrote to memory of 2648 2676 7nnthn.exe 40 PID 2676 wrote to memory of 2648 2676 7nnthn.exe 40 PID 2676 wrote to memory of 2648 2676 7nnthn.exe 40 PID 2676 wrote to memory of 2648 2676 7nnthn.exe 40 PID 2648 wrote to memory of 2860 2648 20262.exe 41 PID 2648 wrote to memory of 2860 2648 20262.exe 41 PID 2648 wrote to memory of 2860 2648 20262.exe 41 PID 2648 wrote to memory of 2860 2648 20262.exe 41 PID 2860 wrote to memory of 1796 2860 w08882.exe 42 PID 2860 wrote to memory of 1796 2860 w08882.exe 42 PID 2860 wrote to memory of 1796 2860 w08882.exe 42 PID 2860 wrote to memory of 1796 2860 w08882.exe 42 PID 1796 wrote to memory of 2688 1796 xlfflrf.exe 43 PID 1796 wrote to memory of 2688 1796 xlfflrf.exe 43 PID 1796 wrote to memory of 2688 1796 xlfflrf.exe 43 PID 1796 wrote to memory of 2688 1796 xlfflrf.exe 43 PID 2688 wrote to memory of 1956 2688 26408.exe 44 PID 2688 wrote to memory of 1956 2688 26408.exe 44 PID 2688 wrote to memory of 1956 2688 26408.exe 44 PID 2688 wrote to memory of 1956 2688 26408.exe 44 PID 1956 wrote to memory of 396 1956 e26806.exe 45 PID 1956 wrote to memory of 396 1956 e26806.exe 45 PID 1956 wrote to memory of 396 1956 e26806.exe 45 PID 1956 wrote to memory of 396 1956 e26806.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe"C:\Users\Admin\AppData\Local\Temp\ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\k64068.exec:\k64068.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\0602408.exec:\0602408.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\hbbhnt.exec:\hbbhnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\frlfllr.exec:\frlfllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\2640288.exec:\2640288.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\9hbbnt.exec:\9hbbnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\4206224.exec:\4206224.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\48680.exec:\48680.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\u824246.exec:\u824246.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\7nnthn.exec:\7nnthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\20262.exec:\20262.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\w08882.exec:\w08882.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\xlfflrf.exec:\xlfflrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\26408.exec:\26408.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\e26806.exec:\e26806.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\20284.exec:\20284.exe17⤵
- Executes dropped EXE
PID:396 -
\??\c:\0602020.exec:\0602020.exe18⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9rllrlr.exec:\9rllrlr.exe19⤵
- Executes dropped EXE
PID:2012 -
\??\c:\82020.exec:\82020.exe20⤵
- Executes dropped EXE
PID:1808 -
\??\c:\q08066.exec:\q08066.exe21⤵
- Executes dropped EXE
PID:2964 -
\??\c:\26684.exec:\26684.exe22⤵
- Executes dropped EXE
PID:1200 -
\??\c:\8202442.exec:\8202442.exe23⤵
- Executes dropped EXE
PID:1028 -
\??\c:\xrfflrf.exec:\xrfflrf.exe24⤵
- Executes dropped EXE
PID:568 -
\??\c:\2028460.exec:\2028460.exe25⤵
- Executes dropped EXE
PID:1596 -
\??\c:\dvdjp.exec:\dvdjp.exe26⤵
- Executes dropped EXE
PID:1256 -
\??\c:\9vjvp.exec:\9vjvp.exe27⤵
- Executes dropped EXE
PID:1608 -
\??\c:\226062.exec:\226062.exe28⤵
- Executes dropped EXE
PID:2612 -
\??\c:\ttntbh.exec:\ttntbh.exe29⤵
- Executes dropped EXE
PID:2180 -
\??\c:\u062484.exec:\u062484.exe30⤵
- Executes dropped EXE
PID:580 -
\??\c:\4402846.exec:\4402846.exe31⤵
- Executes dropped EXE
PID:2088 -
\??\c:\2028624.exec:\2028624.exe32⤵
- Executes dropped EXE
PID:876 -
\??\c:\6428884.exec:\6428884.exe33⤵
- Executes dropped EXE
PID:2028 -
\??\c:\flflflx.exec:\flflflx.exe34⤵
- Executes dropped EXE
PID:2016 -
\??\c:\8228068.exec:\8228068.exe35⤵
- Executes dropped EXE
PID:1556 -
\??\c:\086682.exec:\086682.exe36⤵
- Executes dropped EXE
PID:2264 -
\??\c:\60224.exec:\60224.exe37⤵
- Executes dropped EXE
PID:2260 -
\??\c:\k64488.exec:\k64488.exe38⤵
- Executes dropped EXE
PID:2364 -
\??\c:\5htnnb.exec:\5htnnb.exe39⤵
- Executes dropped EXE
PID:2112 -
\??\c:\bnbttn.exec:\bnbttn.exe40⤵
- Executes dropped EXE
PID:2720 -
\??\c:\lfrxlrx.exec:\lfrxlrx.exe41⤵
- Executes dropped EXE
PID:2816 -
\??\c:\vjvvj.exec:\vjvvj.exe42⤵
- Executes dropped EXE
PID:2832 -
\??\c:\i422846.exec:\i422846.exe43⤵
- Executes dropped EXE
PID:2744 -
\??\c:\0866224.exec:\0866224.exe44⤵
- Executes dropped EXE
PID:2844 -
\??\c:\rllflll.exec:\rllflll.exe45⤵
- Executes dropped EXE
PID:2752 -
\??\c:\jpvjd.exec:\jpvjd.exe46⤵
- Executes dropped EXE
PID:2872 -
\??\c:\fxlrxxr.exec:\fxlrxxr.exe47⤵
- Executes dropped EXE
PID:2672 -
\??\c:\u428002.exec:\u428002.exe48⤵
- Executes dropped EXE
PID:2668 -
\??\c:\jjjvj.exec:\jjjvj.exe49⤵
- Executes dropped EXE
PID:2140 -
\??\c:\464006.exec:\464006.exe50⤵
- Executes dropped EXE
PID:2296 -
\??\c:\bttthn.exec:\bttthn.exe51⤵
- Executes dropped EXE
PID:2484 -
\??\c:\fxllrxf.exec:\fxllrxf.exe52⤵
- Executes dropped EXE
PID:1156 -
\??\c:\1thntb.exec:\1thntb.exe53⤵
- Executes dropped EXE
PID:1540 -
\??\c:\w80022.exec:\w80022.exe54⤵
- Executes dropped EXE
PID:1956 -
\??\c:\6886686.exec:\6886686.exe55⤵
- Executes dropped EXE
PID:2532 -
\??\c:\866004.exec:\866004.exe56⤵
- Executes dropped EXE
PID:2940 -
\??\c:\tnhnht.exec:\tnhnht.exe57⤵
- Executes dropped EXE
PID:1968 -
\??\c:\7lrrrlr.exec:\7lrrrlr.exe58⤵
- Executes dropped EXE
PID:2984 -
\??\c:\a0404.exec:\a0404.exe59⤵
- Executes dropped EXE
PID:2144 -
\??\c:\fxrfrrf.exec:\fxrfrrf.exe60⤵
- Executes dropped EXE
PID:2488 -
\??\c:\5rrfxlr.exec:\5rrfxlr.exe61⤵
- Executes dropped EXE
PID:2236 -
\??\c:\s0280.exec:\s0280.exe62⤵
- Executes dropped EXE
PID:2724 -
\??\c:\6020626.exec:\6020626.exe63⤵
- Executes dropped EXE
PID:2032 -
\??\c:\204800.exec:\204800.exe64⤵
- Executes dropped EXE
PID:608 -
\??\c:\26288.exec:\26288.exe65⤵
- Executes dropped EXE
PID:568 -
\??\c:\dddpv.exec:\dddpv.exe66⤵
- System Location Discovery: System Language Discovery
PID:1596 -
\??\c:\rrlxlxr.exec:\rrlxlxr.exe67⤵PID:1716
-
\??\c:\7bnttb.exec:\7bnttb.exe68⤵PID:1996
-
\??\c:\60620.exec:\60620.exe69⤵PID:2456
-
\??\c:\q60628.exec:\q60628.exe70⤵PID:2204
-
\??\c:\tnhtht.exec:\tnhtht.exe71⤵PID:2196
-
\??\c:\tnhhbh.exec:\tnhhbh.exe72⤵PID:1680
-
\??\c:\82006.exec:\82006.exe73⤵PID:2228
-
\??\c:\4828006.exec:\4828006.exe74⤵PID:2192
-
\??\c:\1htbhh.exec:\1htbhh.exe75⤵PID:876
-
\??\c:\vvpdj.exec:\vvpdj.exe76⤵PID:1576
-
\??\c:\jpjdv.exec:\jpjdv.exe77⤵PID:1480
-
\??\c:\4240624.exec:\4240624.exe78⤵PID:2136
-
\??\c:\g6680.exec:\g6680.exe79⤵PID:2020
-
\??\c:\64224.exec:\64224.exe80⤵
- System Location Discovery: System Language Discovery
PID:2312 -
\??\c:\lfxflrl.exec:\lfxflrl.exe81⤵PID:2460
-
\??\c:\3xrxflr.exec:\3xrxflr.exe82⤵PID:2340
-
\??\c:\084028.exec:\084028.exe83⤵PID:2836
-
\??\c:\bntbhb.exec:\bntbhb.exe84⤵PID:3024
-
\??\c:\1vdpv.exec:\1vdpv.exe85⤵PID:2220
-
\??\c:\048846.exec:\048846.exe86⤵PID:2784
-
\??\c:\ddvjj.exec:\ddvjj.exe87⤵PID:2652
-
\??\c:\w20200.exec:\w20200.exe88⤵PID:2792
-
\??\c:\208084.exec:\208084.exe89⤵PID:2664
-
\??\c:\4884242.exec:\4884242.exe90⤵PID:2748
-
\??\c:\lfflxfr.exec:\lfflxfr.exe91⤵PID:2680
-
\??\c:\xxrfxxr.exec:\xxrfxxr.exe92⤵PID:1332
-
\??\c:\6422840.exec:\6422840.exe93⤵PID:668
-
\??\c:\0484224.exec:\0484224.exe94⤵PID:1664
-
\??\c:\8606846.exec:\8606846.exe95⤵PID:320
-
\??\c:\20242.exec:\20242.exe96⤵PID:1156
-
\??\c:\thbhnb.exec:\thbhnb.exe97⤵PID:1152
-
\??\c:\w08084.exec:\w08084.exe98⤵PID:1312
-
\??\c:\9rffrxr.exec:\9rffrxr.exe99⤵PID:2376
-
\??\c:\vvvdp.exec:\vvvdp.exe100⤵PID:1916
-
\??\c:\082284.exec:\082284.exe101⤵PID:2820
-
\??\c:\0088004.exec:\0088004.exe102⤵PID:2012
-
\??\c:\442804.exec:\442804.exe103⤵PID:2920
-
\??\c:\8226280.exec:\8226280.exe104⤵PID:2964
-
\??\c:\ddvjv.exec:\ddvjv.exe105⤵PID:408
-
\??\c:\1pdjp.exec:\1pdjp.exe106⤵PID:1112
-
\??\c:\vdvjv.exec:\vdvjv.exe107⤵PID:308
-
\??\c:\1vpvp.exec:\1vpvp.exe108⤵PID:1084
-
\??\c:\48242.exec:\48242.exe109⤵PID:2036
-
\??\c:\ddvjj.exec:\ddvjj.exe110⤵PID:756
-
\??\c:\5rlrxfr.exec:\5rlrxfr.exe111⤵PID:1720
-
\??\c:\9jdjd.exec:\9jdjd.exe112⤵PID:1868
-
\??\c:\4442828.exec:\4442828.exe113⤵PID:2156
-
\??\c:\e48084.exec:\e48084.exe114⤵PID:696
-
\??\c:\7vppd.exec:\7vppd.exe115⤵PID:1724
-
\??\c:\482806.exec:\482806.exe116⤵PID:2440
-
\??\c:\lfrxllr.exec:\lfrxllr.exe117⤵PID:2088
-
\??\c:\k68868.exec:\k68868.exe118⤵PID:2936
-
\??\c:\9hbnbn.exec:\9hbnbn.exe119⤵PID:2584
-
\??\c:\vppvv.exec:\vppvv.exe120⤵PID:2160
-
\??\c:\bhbnhn.exec:\bhbnhn.exe121⤵PID:3000
-
\??\c:\e44028.exec:\e44028.exe122⤵PID:1556