Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
26-12-2024 17:00
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
c2293abda7d0c4294d75c286710724aeb990ef729851e8df110c6fe7d8319528.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
c2293abda7d0c4294d75c286710724aeb990ef729851e8df110c6fe7d8319528.exe
-
Size
454KB
-
MD5
b29891dfe79476db682cc0fc792b9d0f
-
SHA1
a51a0dd300c60f44c9518de2d9375271b320fcf7
-
SHA256
c2293abda7d0c4294d75c286710724aeb990ef729851e8df110c6fe7d8319528
-
SHA512
c5a7af1ec8f748ca67def2156f9fea4eba520d6216a6b8175c14bf10c23e1544ad02fa5dc09e71368f0e7cf71200cfb525836392def8f6309efe0fd690fff831
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetP:q7Tc2NYHUrAwfMp3CDtP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2032-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/720-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-57-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2792-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1860-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-168-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2964-165-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1920-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-212-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/968-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-235-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1008-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-403-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1740-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-447-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1640-468-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2284-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-614-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1640-731-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2056-744-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1312-770-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1260-801-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3024-815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-875-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-974-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2484-1029-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1312-1050-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2076-1056-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2076-1058-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/236-1162-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing is capped at 64 entries; the process tree below shows the drop-and-execute chain continuing to depth 122, each stage writing the next executable to the drive root c:\, so the real number of dropped executables is higher than 64)
pid Process 720 lfxxflr.exe 2536 9btbhh.exe 2916 c040846.exe 2188 4446266.exe 2796 k46666.exe 2880 2084624.exe 2792 btbhbt.exe 2928 600628.exe 2904 xrllrrf.exe 2672 86000.exe 2460 3jdjv.exe 2976 i480242.exe 2848 jjdpd.exe 1860 06206.exe 2868 0806846.exe 1608 ttnthn.exe 2964 hnhttt.exe 2972 m0844.exe 1920 048646.exe 2336 a2062.exe 1676 i086006.exe 2584 442022.exe 968 c666062.exe 1004 206262.exe 1260 q20684.exe 1008 rfrrxrx.exe 788 08624.exe 3024 268468.exe 1396 btnthn.exe 1488 bbbnth.exe 236 nhttnb.exe 2016 82020.exe 2000 9flllrr.exe 1592 842466.exe 2344 484400.exe 2404 88868.exe 2780 tnbhth.exe 2556 0806284.exe 2320 u644444.exe 2816 1rffffr.exe 2708 608448.exe 2724 bttthh.exe 2936 5dddj.exe 2792 k04222.exe 2884 ppjjp.exe 2656 m2002.exe 1304 q26406.exe 2220 bttbnn.exe 1616 86062.exe 2840 i080220.exe 2588 820066.exe 1740 204422.exe 1816 o228062.exe 1640 42060.exe 1608 lxrrfxr.exe 680 6422486.exe 2988 4246002.exe 2148 nbhnnn.exe 2328 6804662.exe 2316 4244046.exe 1144 5vpvv.exe 1328 m4680.exe 1680 0428002.exe 2008 5jpdp.exe -
resource yara_rule behavioral1/memory/720-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/720-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-243-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1396-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-406-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2220-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-403-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1816-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-822-0x00000000001B0000-0x00000000001DA000-memory.dmp upx 
behavioral1/memory/2544-856-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-875-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-955-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-1127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-1167-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c284480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 008084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xfxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w68288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 682288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e66644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2032 wrote to memory of 720 2032 c2293abda7d0c4294d75c286710724aeb990ef729851e8df110c6fe7d8319528.exe 30 PID 2032 wrote to memory of 720 2032 c2293abda7d0c4294d75c286710724aeb990ef729851e8df110c6fe7d8319528.exe 30 PID 2032 wrote to memory of 720 2032 c2293abda7d0c4294d75c286710724aeb990ef729851e8df110c6fe7d8319528.exe 30 PID 2032 wrote to memory of 720 2032 c2293abda7d0c4294d75c286710724aeb990ef729851e8df110c6fe7d8319528.exe 30 PID 720 wrote to memory of 2536 720 lfxxflr.exe 31 PID 720 wrote to memory of 2536 720 lfxxflr.exe 31 PID 720 wrote to memory of 2536 720 lfxxflr.exe 31 PID 720 wrote to memory of 2536 720 lfxxflr.exe 31 PID 2536 wrote to memory of 2916 2536 9btbhh.exe 32 PID 2536 wrote to memory of 2916 2536 9btbhh.exe 32 PID 2536 wrote to memory of 2916 2536 9btbhh.exe 32 PID 2536 wrote to memory of 2916 2536 9btbhh.exe 32 PID 2916 wrote to memory of 2188 2916 c040846.exe 33 PID 2916 wrote to memory of 2188 2916 c040846.exe 33 PID 2916 wrote to memory of 2188 2916 c040846.exe 33 PID 2916 wrote to memory of 2188 2916 c040846.exe 33 PID 2188 wrote to memory of 2796 2188 4446266.exe 34 PID 2188 wrote to memory of 2796 2188 4446266.exe 34 PID 2188 wrote to memory of 2796 2188 4446266.exe 34 PID 2188 wrote to memory of 2796 2188 4446266.exe 34 PID 2796 wrote to memory of 2880 2796 k46666.exe 35 PID 2796 wrote to memory of 2880 2796 k46666.exe 35 PID 2796 wrote to memory of 2880 2796 k46666.exe 35 PID 2796 wrote to memory of 2880 2796 k46666.exe 35 PID 2880 wrote to memory of 2792 2880 2084624.exe 36 PID 2880 wrote to memory of 2792 2880 2084624.exe 36 PID 2880 wrote to memory of 2792 2880 2084624.exe 36 PID 2880 wrote to memory of 2792 2880 2084624.exe 36 PID 2792 wrote to memory of 2928 2792 btbhbt.exe 37 PID 2792 wrote to memory of 2928 2792 btbhbt.exe 37 PID 2792 wrote to memory of 2928 2792 btbhbt.exe 37 PID 2792 wrote to memory of 2928 2792 btbhbt.exe 37 PID 2928 wrote to memory of 2904 2928 600628.exe 38 PID 2928 
wrote to memory of 2904 2928 600628.exe 38 PID 2928 wrote to memory of 2904 2928 600628.exe 38 PID 2928 wrote to memory of 2904 2928 600628.exe 38 PID 2904 wrote to memory of 2672 2904 xrllrrf.exe 39 PID 2904 wrote to memory of 2672 2904 xrllrrf.exe 39 PID 2904 wrote to memory of 2672 2904 xrllrrf.exe 39 PID 2904 wrote to memory of 2672 2904 xrllrrf.exe 39 PID 2672 wrote to memory of 2460 2672 86000.exe 40 PID 2672 wrote to memory of 2460 2672 86000.exe 40 PID 2672 wrote to memory of 2460 2672 86000.exe 40 PID 2672 wrote to memory of 2460 2672 86000.exe 40 PID 2460 wrote to memory of 2976 2460 3jdjv.exe 41 PID 2460 wrote to memory of 2976 2460 3jdjv.exe 41 PID 2460 wrote to memory of 2976 2460 3jdjv.exe 41 PID 2460 wrote to memory of 2976 2460 3jdjv.exe 41 PID 2976 wrote to memory of 2848 2976 i480242.exe 42 PID 2976 wrote to memory of 2848 2976 i480242.exe 42 PID 2976 wrote to memory of 2848 2976 i480242.exe 42 PID 2976 wrote to memory of 2848 2976 i480242.exe 42 PID 2848 wrote to memory of 1860 2848 jjdpd.exe 43 PID 2848 wrote to memory of 1860 2848 jjdpd.exe 43 PID 2848 wrote to memory of 1860 2848 jjdpd.exe 43 PID 2848 wrote to memory of 1860 2848 jjdpd.exe 43 PID 1860 wrote to memory of 2868 1860 06206.exe 44 PID 1860 wrote to memory of 2868 1860 06206.exe 44 PID 1860 wrote to memory of 2868 1860 06206.exe 44 PID 1860 wrote to memory of 2868 1860 06206.exe 44 PID 2868 wrote to memory of 1608 2868 0806846.exe 45 PID 2868 wrote to memory of 1608 2868 0806846.exe 45 PID 2868 wrote to memory of 1608 2868 0806846.exe 45 PID 2868 wrote to memory of 1608 2868 0806846.exe 45
Processes (note: several PIDs recur at different depths of the tree — e.g. 2792 at depth 8 and 45, 1608 at 17 and 56, 236 at 32 and 76, 1716 at 78 and 122 — which means the earlier chain member had already exited and Windows reused the PID; when correlating the memory IoCs above, match on PID plus dump offset/time rather than PID alone)
-
C:\Users\Admin\AppData\Local\Temp\c2293abda7d0c4294d75c286710724aeb990ef729851e8df110c6fe7d8319528.exe"C:\Users\Admin\AppData\Local\Temp\c2293abda7d0c4294d75c286710724aeb990ef729851e8df110c6fe7d8319528.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\lfxxflr.exec:\lfxxflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\9btbhh.exec:\9btbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\c040846.exec:\c040846.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\4446266.exec:\4446266.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\k46666.exec:\k46666.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\2084624.exec:\2084624.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\btbhbt.exec:\btbhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\600628.exec:\600628.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\xrllrrf.exec:\xrllrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\86000.exec:\86000.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\3jdjv.exec:\3jdjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\i480242.exec:\i480242.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\jjdpd.exec:\jjdpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\06206.exec:\06206.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\0806846.exec:\0806846.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\ttnthn.exec:\ttnthn.exe17⤵
- Executes dropped EXE
PID:1608 -
\??\c:\hnhttt.exec:\hnhttt.exe18⤵
- Executes dropped EXE
PID:2964 -
\??\c:\m0844.exec:\m0844.exe19⤵
- Executes dropped EXE
PID:2972 -
\??\c:\048646.exec:\048646.exe20⤵
- Executes dropped EXE
PID:1920 -
\??\c:\a2062.exec:\a2062.exe21⤵
- Executes dropped EXE
PID:2336 -
\??\c:\i086006.exec:\i086006.exe22⤵
- Executes dropped EXE
PID:1676 -
\??\c:\442022.exec:\442022.exe23⤵
- Executes dropped EXE
PID:2584 -
\??\c:\c666062.exec:\c666062.exe24⤵
- Executes dropped EXE
PID:968 -
\??\c:\206262.exec:\206262.exe25⤵
- Executes dropped EXE
PID:1004 -
\??\c:\q20684.exec:\q20684.exe26⤵
- Executes dropped EXE
PID:1260 -
\??\c:\rfrrxrx.exec:\rfrrxrx.exe27⤵
- Executes dropped EXE
PID:1008 -
\??\c:\08624.exec:\08624.exe28⤵
- Executes dropped EXE
PID:788 -
\??\c:\268468.exec:\268468.exe29⤵
- Executes dropped EXE
PID:3024 -
\??\c:\btnthn.exec:\btnthn.exe30⤵
- Executes dropped EXE
PID:1396 -
\??\c:\bbbnth.exec:\bbbnth.exe31⤵
- Executes dropped EXE
PID:1488 -
\??\c:\nhttnb.exec:\nhttnb.exe32⤵
- Executes dropped EXE
PID:236 -
\??\c:\82020.exec:\82020.exe33⤵
- Executes dropped EXE
PID:2016 -
\??\c:\9flllrr.exec:\9flllrr.exe34⤵
- Executes dropped EXE
PID:2000 -
\??\c:\842466.exec:\842466.exe35⤵
- Executes dropped EXE
PID:1592 -
\??\c:\484400.exec:\484400.exe36⤵
- Executes dropped EXE
PID:2344 -
\??\c:\88868.exec:\88868.exe37⤵
- Executes dropped EXE
PID:2404 -
\??\c:\tnbhth.exec:\tnbhth.exe38⤵
- Executes dropped EXE
PID:2780 -
\??\c:\0806284.exec:\0806284.exe39⤵
- Executes dropped EXE
PID:2556 -
\??\c:\u644444.exec:\u644444.exe40⤵
- Executes dropped EXE
PID:2320 -
\??\c:\1rffffr.exec:\1rffffr.exe41⤵
- Executes dropped EXE
PID:2816 -
\??\c:\608448.exec:\608448.exe42⤵
- Executes dropped EXE
PID:2708 -
\??\c:\bttthh.exec:\bttthh.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724 -
\??\c:\5dddj.exec:\5dddj.exe44⤵
- Executes dropped EXE
PID:2936 -
\??\c:\k04222.exec:\k04222.exe45⤵
- Executes dropped EXE
PID:2792 -
\??\c:\ppjjp.exec:\ppjjp.exe46⤵
- Executes dropped EXE
PID:2884 -
\??\c:\m2002.exec:\m2002.exe47⤵
- Executes dropped EXE
PID:2656 -
\??\c:\q26406.exec:\q26406.exe48⤵
- Executes dropped EXE
PID:1304 -
\??\c:\bttbnn.exec:\bttbnn.exe49⤵
- Executes dropped EXE
PID:2220 -
\??\c:\86062.exec:\86062.exe50⤵
- Executes dropped EXE
PID:1616 -
\??\c:\i080220.exec:\i080220.exe51⤵
- Executes dropped EXE
PID:2840 -
\??\c:\820066.exec:\820066.exe52⤵
- Executes dropped EXE
PID:2588 -
\??\c:\204422.exec:\204422.exe53⤵
- Executes dropped EXE
PID:1740 -
\??\c:\o228062.exec:\o228062.exe54⤵
- Executes dropped EXE
PID:1816 -
\??\c:\42060.exec:\42060.exe55⤵
- Executes dropped EXE
PID:1640 -
\??\c:\lxrrfxr.exec:\lxrrfxr.exe56⤵
- Executes dropped EXE
PID:1608 -
\??\c:\6422486.exec:\6422486.exe57⤵
- Executes dropped EXE
PID:680 -
\??\c:\4246002.exec:\4246002.exe58⤵
- Executes dropped EXE
PID:2988 -
\??\c:\nbhnnn.exec:\nbhnnn.exe59⤵
- Executes dropped EXE
PID:2148 -
\??\c:\6804662.exec:\6804662.exe60⤵
- Executes dropped EXE
PID:2328 -
\??\c:\4244046.exec:\4244046.exe61⤵
- Executes dropped EXE
PID:2316 -
\??\c:\5vpvv.exec:\5vpvv.exe62⤵
- Executes dropped EXE
PID:1144 -
\??\c:\m4680.exec:\m4680.exe63⤵
- Executes dropped EXE
PID:1328 -
\??\c:\0428002.exec:\0428002.exe64⤵
- Executes dropped EXE
PID:1680 -
\??\c:\5jpdp.exec:\5jpdp.exe65⤵
- Executes dropped EXE
PID:2008 -
\??\c:\64006.exec:\64006.exe66⤵PID:1688
-
\??\c:\48282.exec:\48282.exe67⤵PID:1984
-
\??\c:\c462444.exec:\c462444.exe68⤵PID:1696
-
\??\c:\4428668.exec:\4428668.exe69⤵PID:2036
-
\??\c:\btntbt.exec:\btntbt.exe70⤵PID:3000
-
\??\c:\8662402.exec:\8662402.exe71⤵PID:2388
-
\??\c:\0200662.exec:\0200662.exe72⤵PID:1744
-
\??\c:\82066.exec:\82066.exe73⤵PID:2284
-
\??\c:\tnntbb.exec:\tnntbb.exe74⤵PID:304
-
\??\c:\hnhnbb.exec:\hnhnbb.exe75⤵PID:896
-
\??\c:\02840.exec:\02840.exe76⤵PID:236
-
\??\c:\u602006.exec:\u602006.exe77⤵PID:1564
-
\??\c:\84846.exec:\84846.exe78⤵PID:1716
-
\??\c:\868844.exec:\868844.exe79⤵PID:2448
-
\??\c:\rffxfff.exec:\rffxfff.exe80⤵PID:2168
-
\??\c:\6028002.exec:\6028002.exe81⤵PID:2404
-
\??\c:\808222.exec:\808222.exe82⤵PID:2744
-
\??\c:\nnntbb.exec:\nnntbb.exe83⤵PID:2920
-
\??\c:\dpdjp.exec:\dpdjp.exe84⤵PID:2320
-
\??\c:\bnnbhn.exec:\bnnbhn.exe85⤵PID:2900
-
\??\c:\htnntt.exec:\htnntt.exe86⤵PID:2608
-
\??\c:\rfxflrx.exec:\rfxflrx.exe87⤵PID:2724
-
\??\c:\tnhnbh.exec:\tnhnbh.exe88⤵PID:3008
-
\??\c:\04404.exec:\04404.exe89⤵PID:2600
-
\??\c:\djddp.exec:\djddp.exe90⤵PID:2644
-
\??\c:\608464.exec:\608464.exe91⤵PID:2664
-
\??\c:\rxrrlrr.exec:\rxrrlrr.exe92⤵PID:1996
-
\??\c:\0828408.exec:\0828408.exe93⤵PID:1732
-
\??\c:\9ppdv.exec:\9ppdv.exe94⤵PID:688
-
\??\c:\264628.exec:\264628.exe95⤵PID:1616
-
\??\c:\424400.exec:\424400.exe96⤵PID:1976
-
\??\c:\xxflxxl.exec:\xxflxxl.exe97⤵PID:2588
-
\??\c:\nhhhbb.exec:\nhhhbb.exe98⤵PID:1700
-
\??\c:\3pjdj.exec:\3pjdj.exe99⤵PID:1876
-
\??\c:\jvjjj.exec:\jvjjj.exe100⤵PID:1640
-
\??\c:\5dpjp.exec:\5dpjp.exe101⤵PID:1892
-
\??\c:\80884.exec:\80884.exe102⤵PID:2056
-
\??\c:\1xlfflf.exec:\1xlfflf.exe103⤵PID:604
-
\??\c:\3bthtb.exec:\3bthtb.exe104⤵PID:1920
-
\??\c:\frlrllr.exec:\frlrllr.exe105⤵PID:448
-
\??\c:\btnbnn.exec:\btnbnn.exe106⤵PID:1312
-
\??\c:\4846400.exec:\4846400.exe107⤵PID:2076
-
\??\c:\ntnbnb.exec:\ntnbnb.exe108⤵PID:1604
-
\??\c:\60020.exec:\60020.exe109⤵
- System Location Discovery: System Language Discovery
PID:844 -
\??\c:\w00224.exec:\w00224.exe110⤵PID:2852
-
\??\c:\thtbhn.exec:\thtbhn.exe111⤵PID:1260
-
\??\c:\20440.exec:\20440.exe112⤵PID:1844
-
\??\c:\ddvdj.exec:\ddvdj.exe113⤵PID:3064
-
\??\c:\rfxlxxf.exec:\rfxlxxf.exe114⤵PID:3024
-
\??\c:\w84062.exec:\w84062.exe115⤵PID:1156
-
\??\c:\5bhhht.exec:\5bhhht.exe116⤵PID:632
-
\??\c:\86288.exec:\86288.exe117⤵PID:1488
-
\??\c:\208228.exec:\208228.exe118⤵PID:304
-
\??\c:\9lxfrrx.exec:\9lxfrrx.exe119⤵PID:2016
-
\??\c:\420228.exec:\420228.exe120⤵PID:2544
-
\??\c:\6428444.exec:\6428444.exe121⤵PID:2000
-
\??\c:\3rxrlll.exec:\3rxrlll.exe122⤵PID:1716