Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 10:14
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
6502227cb4f9cf3f669e3f9e2096808603ba910e4beb67e0c737a3fa40571d65.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6502227cb4f9cf3f669e3f9e2096808603ba910e4beb67e0c737a3fa40571d65.exe
-
Size
454KB
-
MD5
705567e6aa7306460b090858e476aa7b
-
SHA1
37e87315917bc10ab673fe1a864fec0fe1388e68
-
SHA256
6502227cb4f9cf3f669e3f9e2096808603ba910e4beb67e0c737a3fa40571d65
-
SHA512
f1614497294a5a348ea66ea4e191077bbbb99cbe6050f7e77da59b5d26c7380dce42c1975f6022039f978a6a2adf8f1c4f222d849a96eee40f371d0aa774363d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2924-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-133-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1096-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-154-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2536-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/744-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2560-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-320-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2980-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-359-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1564-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-489-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/448-488-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/984-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/688-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-792-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1728-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-1137-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2628-1194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2924 3lxfrxl.exe 2676 vvpdp.exe 2956 llxfrxl.exe 2804 84440.exe 2668 bbhbtb.exe 2392 480066.exe 2712 8888484.exe 1036 hnhtht.exe 1952 ppdvd.exe 2864 lxrfxrl.exe 2260 260682.exe 2092 68662.exe 2060 q28020.exe 1096 284286.exe 2032 tbbnnb.exe 620 1htbht.exe 2892 86002.exe 844 0464226.exe 2536 660262.exe 2300 llrllxx.exe 2508 44228.exe 1700 ddvdd.exe 2364 86048.exe 1624 4844620.exe 1708 flflrlx.exe 1764 5bbtbh.exe 744 ffrlxff.exe 1520 c008086.exe 2168 jvdpp.exe 1632 0420246.exe 988 lxxrlff.exe 2560 btntnn.exe 2132 xrlrllx.exe 2920 bhhnbh.exe 2948 5djvv.exe 2980 pdvjd.exe 2968 3pvdp.exe 2840 c046880.exe 2692 6080402.exe 2724 226862.exe 2152 jjjjd.exe 2444 c480208.exe 572 9ppjd.exe 644 260206.exe 268 lxrrfxf.exe 2884 rllrfxr.exe 2904 bbtbnn.exe 2872 7tthnt.exe 2260 840486.exe 2092 480628.exe 2432 6668686.exe 1840 8886200.exe 1692 264640.exe 1564 bhtbnb.exe 1800 882262.exe 400 22060.exe 2892 42064.exe 1428 82624.exe 2500 lxrrxll.exe 2232 a6266.exe 2540 6646242.exe 448 886802.exe 812 lrlrrfr.exe 984 rxrrfrx.exe -
resource yara_rule behavioral1/memory/2924-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-39-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2392-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/744-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-322-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2904-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/984-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-1047-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/812-1054-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-1061-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-1103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-1105-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1536-1118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-1144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-1194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-1231-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2356-1244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-1251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-1270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/812-1339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-1352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-1359-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2688446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4028402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0420246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8468282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2924 2244 6502227cb4f9cf3f669e3f9e2096808603ba910e4beb67e0c737a3fa40571d65.exe 30 PID 2244 wrote to memory of 2924 2244 6502227cb4f9cf3f669e3f9e2096808603ba910e4beb67e0c737a3fa40571d65.exe 30 PID 2244 wrote to memory of 2924 2244 6502227cb4f9cf3f669e3f9e2096808603ba910e4beb67e0c737a3fa40571d65.exe 30 PID 2244 wrote to memory of 2924 2244 6502227cb4f9cf3f669e3f9e2096808603ba910e4beb67e0c737a3fa40571d65.exe 30 PID 2924 wrote to memory of 2676 2924 3lxfrxl.exe 31 PID 2924 wrote to memory of 2676 2924 3lxfrxl.exe 31 PID 2924 wrote to memory of 2676 2924 3lxfrxl.exe 31 PID 2924 wrote to memory of 2676 2924 3lxfrxl.exe 31 PID 2676 wrote to memory of 2956 2676 vvpdp.exe 32 PID 2676 wrote to memory of 2956 2676 vvpdp.exe 32 PID 2676 wrote to memory of 2956 2676 vvpdp.exe 32 PID 2676 wrote to memory of 2956 2676 vvpdp.exe 32 PID 2956 wrote to memory of 2804 2956 llxfrxl.exe 33 PID 2956 wrote to memory of 2804 2956 llxfrxl.exe 33 PID 2956 wrote to memory of 2804 2956 llxfrxl.exe 33 PID 2956 wrote to memory of 2804 2956 llxfrxl.exe 33 PID 2804 wrote to memory of 2668 2804 84440.exe 34 PID 2804 wrote to memory of 2668 2804 84440.exe 34 PID 2804 wrote to memory of 2668 2804 84440.exe 34 PID 2804 wrote to memory of 2668 2804 84440.exe 34 PID 2668 wrote to memory of 2392 2668 bbhbtb.exe 35 PID 2668 wrote to memory of 2392 2668 bbhbtb.exe 35 PID 2668 wrote to memory of 2392 2668 bbhbtb.exe 35 PID 2668 wrote to memory of 2392 2668 bbhbtb.exe 35 PID 2392 wrote to memory of 2712 2392 480066.exe 36 PID 2392 wrote to memory of 2712 2392 480066.exe 36 PID 2392 wrote to memory of 2712 2392 480066.exe 36 PID 2392 wrote to memory of 2712 2392 480066.exe 36 PID 2712 wrote to memory of 1036 2712 8888484.exe 37 PID 2712 wrote to memory of 1036 2712 8888484.exe 37 PID 2712 wrote to memory of 1036 2712 8888484.exe 37 PID 2712 wrote to memory of 1036 2712 8888484.exe 37 PID 1036 wrote to memory of 1952 1036 hnhtht.exe 38 PID 1036 
wrote to memory of 1952 1036 hnhtht.exe 38 PID 1036 wrote to memory of 1952 1036 hnhtht.exe 38 PID 1036 wrote to memory of 1952 1036 hnhtht.exe 38 PID 1952 wrote to memory of 2864 1952 ppdvd.exe 39 PID 1952 wrote to memory of 2864 1952 ppdvd.exe 39 PID 1952 wrote to memory of 2864 1952 ppdvd.exe 39 PID 1952 wrote to memory of 2864 1952 ppdvd.exe 39 PID 2864 wrote to memory of 2260 2864 lxrfxrl.exe 40 PID 2864 wrote to memory of 2260 2864 lxrfxrl.exe 40 PID 2864 wrote to memory of 2260 2864 lxrfxrl.exe 40 PID 2864 wrote to memory of 2260 2864 lxrfxrl.exe 40 PID 2260 wrote to memory of 2092 2260 260682.exe 41 PID 2260 wrote to memory of 2092 2260 260682.exe 41 PID 2260 wrote to memory of 2092 2260 260682.exe 41 PID 2260 wrote to memory of 2092 2260 260682.exe 41 PID 2092 wrote to memory of 2060 2092 68662.exe 42 PID 2092 wrote to memory of 2060 2092 68662.exe 42 PID 2092 wrote to memory of 2060 2092 68662.exe 42 PID 2092 wrote to memory of 2060 2092 68662.exe 42 PID 2060 wrote to memory of 1096 2060 q28020.exe 43 PID 2060 wrote to memory of 1096 2060 q28020.exe 43 PID 2060 wrote to memory of 1096 2060 q28020.exe 43 PID 2060 wrote to memory of 1096 2060 q28020.exe 43 PID 1096 wrote to memory of 2032 1096 284286.exe 44 PID 1096 wrote to memory of 2032 1096 284286.exe 44 PID 1096 wrote to memory of 2032 1096 284286.exe 44 PID 1096 wrote to memory of 2032 1096 284286.exe 44 PID 2032 wrote to memory of 620 2032 tbbnnb.exe 45 PID 2032 wrote to memory of 620 2032 tbbnnb.exe 45 PID 2032 wrote to memory of 620 2032 tbbnnb.exe 45 PID 2032 wrote to memory of 620 2032 tbbnnb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6502227cb4f9cf3f669e3f9e2096808603ba910e4beb67e0c737a3fa40571d65.exe"C:\Users\Admin\AppData\Local\Temp\6502227cb4f9cf3f669e3f9e2096808603ba910e4beb67e0c737a3fa40571d65.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\3lxfrxl.exec:\3lxfrxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\vvpdp.exec:\vvpdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\llxfrxl.exec:\llxfrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\84440.exec:\84440.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\bbhbtb.exec:\bbhbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\480066.exec:\480066.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\8888484.exec:\8888484.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\hnhtht.exec:\hnhtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\ppdvd.exec:\ppdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\lxrfxrl.exec:\lxrfxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\260682.exec:\260682.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\68662.exec:\68662.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\q28020.exec:\q28020.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\284286.exec:\284286.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\tbbnnb.exec:\tbbnnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\1htbht.exec:\1htbht.exe17⤵
- Executes dropped EXE
PID:620 -
\??\c:\86002.exec:\86002.exe18⤵
- Executes dropped EXE
PID:2892 -
\??\c:\0464226.exec:\0464226.exe19⤵
- Executes dropped EXE
PID:844 -
\??\c:\660262.exec:\660262.exe20⤵
- Executes dropped EXE
PID:2536 -
\??\c:\llrllxx.exec:\llrllxx.exe21⤵
- Executes dropped EXE
PID:2300 -
\??\c:\44228.exec:\44228.exe22⤵
- Executes dropped EXE
PID:2508 -
\??\c:\ddvdd.exec:\ddvdd.exe23⤵
- Executes dropped EXE
PID:1700 -
\??\c:\86048.exec:\86048.exe24⤵
- Executes dropped EXE
PID:2364 -
\??\c:\4844620.exec:\4844620.exe25⤵
- Executes dropped EXE
PID:1624 -
\??\c:\flflrlx.exec:\flflrlx.exe26⤵
- Executes dropped EXE
PID:1708 -
\??\c:\5bbtbh.exec:\5bbtbh.exe27⤵
- Executes dropped EXE
PID:1764 -
\??\c:\ffrlxff.exec:\ffrlxff.exe28⤵
- Executes dropped EXE
PID:744 -
\??\c:\c008086.exec:\c008086.exe29⤵
- Executes dropped EXE
PID:1520 -
\??\c:\jvdpp.exec:\jvdpp.exe30⤵
- Executes dropped EXE
PID:2168 -
\??\c:\0420246.exec:\0420246.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
\??\c:\lxxrlff.exec:\lxxrlff.exe32⤵
- Executes dropped EXE
PID:988 -
\??\c:\btntnn.exec:\btntnn.exe33⤵
- Executes dropped EXE
PID:2560 -
\??\c:\xrlrllx.exec:\xrlrllx.exe34⤵
- Executes dropped EXE
PID:2132 -
\??\c:\bhhnbh.exec:\bhhnbh.exe35⤵
- Executes dropped EXE
PID:2920 -
\??\c:\5djvv.exec:\5djvv.exe36⤵
- Executes dropped EXE
PID:2948 -
\??\c:\pdvjd.exec:\pdvjd.exe37⤵
- Executes dropped EXE
PID:2980 -
\??\c:\3pvdp.exec:\3pvdp.exe38⤵
- Executes dropped EXE
PID:2968 -
\??\c:\c046880.exec:\c046880.exe39⤵
- Executes dropped EXE
PID:2840 -
\??\c:\6080402.exec:\6080402.exe40⤵
- Executes dropped EXE
PID:2692 -
\??\c:\226862.exec:\226862.exe41⤵
- Executes dropped EXE
PID:2724 -
\??\c:\jjjjd.exec:\jjjjd.exe42⤵
- Executes dropped EXE
PID:2152 -
\??\c:\c480208.exec:\c480208.exe43⤵
- Executes dropped EXE
PID:2444 -
\??\c:\9ppjd.exec:\9ppjd.exe44⤵
- Executes dropped EXE
PID:572 -
\??\c:\260206.exec:\260206.exe45⤵
- Executes dropped EXE
PID:644 -
\??\c:\lxrrfxf.exec:\lxrrfxf.exe46⤵
- Executes dropped EXE
PID:268 -
\??\c:\rllrfxr.exec:\rllrfxr.exe47⤵
- Executes dropped EXE
PID:2884 -
\??\c:\bbtbnn.exec:\bbtbnn.exe48⤵
- Executes dropped EXE
PID:2904 -
\??\c:\7tthnt.exec:\7tthnt.exe49⤵
- Executes dropped EXE
PID:2872 -
\??\c:\840486.exec:\840486.exe50⤵
- Executes dropped EXE
PID:2260 -
\??\c:\480628.exec:\480628.exe51⤵
- Executes dropped EXE
PID:2092 -
\??\c:\6668686.exec:\6668686.exe52⤵
- Executes dropped EXE
PID:2432 -
\??\c:\8886200.exec:\8886200.exe53⤵
- Executes dropped EXE
PID:1840 -
\??\c:\264640.exec:\264640.exe54⤵
- Executes dropped EXE
PID:1692 -
\??\c:\bhtbnb.exec:\bhtbnb.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1564 -
\??\c:\882262.exec:\882262.exe56⤵
- Executes dropped EXE
PID:1800 -
\??\c:\22060.exec:\22060.exe57⤵
- Executes dropped EXE
PID:400 -
\??\c:\42064.exec:\42064.exe58⤵
- Executes dropped EXE
PID:2892 -
\??\c:\82624.exec:\82624.exe59⤵
- Executes dropped EXE
PID:1428 -
\??\c:\lxrrxll.exec:\lxrrxll.exe60⤵
- Executes dropped EXE
PID:2500 -
\??\c:\a6266.exec:\a6266.exe61⤵
- Executes dropped EXE
PID:2232 -
\??\c:\6646242.exec:\6646242.exe62⤵
- Executes dropped EXE
PID:2540 -
\??\c:\886802.exec:\886802.exe63⤵
- Executes dropped EXE
PID:448 -
\??\c:\lrlrrfr.exec:\lrlrrfr.exe64⤵
- Executes dropped EXE
PID:812 -
\??\c:\rxrrfrx.exec:\rxrrfrx.exe65⤵
- Executes dropped EXE
PID:984 -
\??\c:\86404.exec:\86404.exe66⤵PID:944
-
\??\c:\a0884.exec:\a0884.exe67⤵PID:1592
-
\??\c:\rlflxxf.exec:\rlflxxf.exe68⤵PID:2228
-
\??\c:\20668.exec:\20668.exe69⤵PID:872
-
\??\c:\pvpjv.exec:\pvpjv.exe70⤵PID:2436
-
\??\c:\vdpdv.exec:\vdpdv.exe71⤵PID:688
-
\??\c:\8200880.exec:\8200880.exe72⤵PID:2324
-
\??\c:\pppvd.exec:\pppvd.exe73⤵PID:2748
-
\??\c:\606428.exec:\606428.exe74⤵PID:2148
-
\??\c:\9btbhn.exec:\9btbhn.exe75⤵PID:2252
-
\??\c:\28446.exec:\28446.exe76⤵PID:1720
-
\??\c:\bthbth.exec:\bthbth.exe77⤵PID:2752
-
\??\c:\4440022.exec:\4440022.exe78⤵PID:2244
-
\??\c:\dvdjj.exec:\dvdjj.exe79⤵
- System Location Discovery: System Language Discovery
PID:2944 -
\??\c:\ppvdv.exec:\ppvdv.exe80⤵PID:2976
-
\??\c:\ppvvd.exec:\ppvvd.exe81⤵PID:2704
-
\??\c:\8060600.exec:\8060600.exe82⤵PID:2936
-
\??\c:\pjpjd.exec:\pjpjd.exe83⤵PID:2868
-
\??\c:\rlflxfr.exec:\rlflxfr.exe84⤵PID:2700
-
\??\c:\pjdpp.exec:\pjdpp.exe85⤵PID:2720
-
\??\c:\rxfrlxr.exec:\rxfrlxr.exe86⤵PID:2404
-
\??\c:\6464864.exec:\6464864.exe87⤵PID:2176
-
\??\c:\xrlflrf.exec:\xrlflrf.exe88⤵PID:320
-
\??\c:\40088.exec:\40088.exe89⤵PID:300
-
\??\c:\1pjjp.exec:\1pjjp.exe90⤵PID:568
-
\??\c:\626660.exec:\626660.exe91⤵PID:836
-
\??\c:\jjpvj.exec:\jjpvj.exe92⤵PID:2448
-
\??\c:\jjddd.exec:\jjddd.exe93⤵PID:2200
-
\??\c:\tnhtbn.exec:\tnhtbn.exe94⤵
- System Location Discovery: System Language Discovery
PID:1248 -
\??\c:\022824.exec:\022824.exe95⤵PID:2112
-
\??\c:\826864.exec:\826864.exe96⤵PID:2000
-
\??\c:\hhnbhb.exec:\hhnbhb.exe97⤵PID:2432
-
\??\c:\hbbbnt.exec:\hbbbnt.exe98⤵PID:2028
-
\??\c:\4868020.exec:\4868020.exe99⤵PID:1888
-
\??\c:\tthtnh.exec:\tthtnh.exe100⤵PID:1516
-
\??\c:\bhtbnt.exec:\bhtbnt.exe101⤵PID:1304
-
\??\c:\0640262.exec:\0640262.exe102⤵PID:1272
-
\??\c:\pvjjp.exec:\pvjjp.exe103⤵PID:2248
-
\??\c:\440448.exec:\440448.exe104⤵PID:2256
-
\??\c:\bbntnb.exec:\bbntnb.exe105⤵PID:1944
-
\??\c:\222484.exec:\222484.exe106⤵PID:2232
-
\??\c:\04880.exec:\04880.exe107⤵PID:2508
-
\??\c:\hnhthh.exec:\hnhthh.exe108⤵PID:2504
-
\??\c:\u824684.exec:\u824684.exe109⤵PID:2196
-
\??\c:\48242.exec:\48242.exe110⤵PID:2464
-
\??\c:\0248446.exec:\0248446.exe111⤵PID:1624
-
\??\c:\06088.exec:\06088.exe112⤵PID:1780
-
\??\c:\4486646.exec:\4486646.exe113⤵PID:1708
-
\??\c:\7tntnh.exec:\7tntnh.exe114⤵PID:2080
-
\??\c:\86820.exec:\86820.exe115⤵PID:544
-
\??\c:\lrxrflf.exec:\lrxrflf.exe116⤵PID:744
-
\??\c:\44804.exec:\44804.exe117⤵PID:2168
-
\??\c:\26624.exec:\26624.exe118⤵PID:2400
-
\??\c:\2688446.exec:\2688446.exe119⤵
- System Location Discovery: System Language Discovery
PID:1512 -
\??\c:\ddjdv.exec:\ddjdv.exe120⤵PID:988
-
\??\c:\fxxlxfx.exec:\fxxlxfx.exe121⤵PID:2584
-
\??\c:\hbnntb.exec:\hbnntb.exe122⤵PID:2816