Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 18:45
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
2cfdca78f4dc4f9a7cbb711f38496abe86ef2f7b2471ef74d2dba7a9341b3920.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
2cfdca78f4dc4f9a7cbb711f38496abe86ef2f7b2471ef74d2dba7a9341b3920.exe
-
Size
456KB
-
MD5
a572dc39fd2c99accb9358dedb70330b
-
SHA1
26ca4a2be9fd35fdfb4790a1d57c7d6db3af1106
-
SHA256
2cfdca78f4dc4f9a7cbb711f38496abe86ef2f7b2471ef74d2dba7a9341b3920
-
SHA512
87b65a5920fe1d0a2ac3857d6b06149644b2ff609635819ad74f050b3f594df538b590b030ad3044dfb65197021da0f7824bf003b3495f53729617c0fdb58afb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRL:q7Tc2NYHUrAwfMp3CDRL
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2292-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-79-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/1240-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-112-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1708-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-118-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2976-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-138-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2740-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1604-234-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/868-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-263-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2124-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/752-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-312-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2316-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2080-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-595-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1088-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-843-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2692-931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-930-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/324-969-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/560-1042-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1604-1062-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1088-1119-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the report shows at most 64 entries per signature; the process tree below continues to depth 122, so the real number of dropped executables is higher than listed here)
pid Process 2508 5ffflrx.exe 1512 1jvvj.exe 2828 tthntn.exe 2244 7ntbnt.exe 2848 60684.exe 2776 5jvvd.exe 2856 8262446.exe 1240 864422.exe 2632 1rfrxfr.exe 2464 nbnntt.exe 1708 hbtbnt.exe 2280 jdvvd.exe 2976 1hbbtt.exe 3060 82624.exe 2740 4866268.exe 1968 20840.exe 2476 6466880.exe 2564 q20020.exe 1016 fxlllrf.exe 2200 e24400.exe 1316 jdvjj.exe 2876 xrxxlxl.exe 872 pjvpp.exe 1604 7dvvj.exe 2436 m8624.exe 868 xfxflrf.exe 2116 dvddp.exe 2124 nhbhnn.exe 1620 ffxfrxl.exe 876 5xrflfr.exe 752 c662446.exe 2508 w86062.exe 2300 flrrxrf.exe 1720 8600280.exe 2316 7frlfxf.exe 2772 dvdjj.exe 2840 1hbbnn.exe 2604 jdpvp.exe 2644 s8200.exe 2920 tbttbb.exe 2808 c640666.exe 2640 20802.exe 2688 2662046.exe 2532 nhbnnt.exe 2464 hbntbh.exe 2504 pjvdj.exe 3028 thbhtt.exe 3048 9dpvp.exe 2968 4844006.exe 2900 nhnntt.exe 2728 vvppv.exe 2948 5htthh.exe 1496 fxrxlrf.exe 1968 0246220.exe 2324 7vjpv.exe 896 s0442.exe 2564 vpdjv.exe 2620 llxrxfl.exe 2136 flxlrrx.exe 2080 jddpd.exe 1316 g4228.exe 2876 jvppp.exe 900 7dppv.exe 2236 q02844.exe -
resource yara_rule behavioral1/memory/2292-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-157-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1968-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-187-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1316-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-217-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/872-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-483-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2080-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-587-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2388-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-761-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2020-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-1069-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The indicator recorded here is a read of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (see the entries below). This key is commonly read by ordinary locale-aware software as well, so on its own it is a weak signal; weigh it together with the Blackmoon family detections above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2600628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2080280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (listing capped at 64 entries). Every recorded write is from a process into the direct child it has just spawned, matching the process tree below, rather than into an unrelated process; whether this is code injection or only process-creation-time writes cannot be determined from this listing alone.
description pid Process procid_target PID 2292 wrote to memory of 2508 2292 2cfdca78f4dc4f9a7cbb711f38496abe86ef2f7b2471ef74d2dba7a9341b3920.exe 31 PID 2292 wrote to memory of 2508 2292 2cfdca78f4dc4f9a7cbb711f38496abe86ef2f7b2471ef74d2dba7a9341b3920.exe 31 PID 2292 wrote to memory of 2508 2292 2cfdca78f4dc4f9a7cbb711f38496abe86ef2f7b2471ef74d2dba7a9341b3920.exe 31 PID 2292 wrote to memory of 2508 2292 2cfdca78f4dc4f9a7cbb711f38496abe86ef2f7b2471ef74d2dba7a9341b3920.exe 31 PID 2508 wrote to memory of 1512 2508 5ffflrx.exe 32 PID 2508 wrote to memory of 1512 2508 5ffflrx.exe 32 PID 2508 wrote to memory of 1512 2508 5ffflrx.exe 32 PID 2508 wrote to memory of 1512 2508 5ffflrx.exe 32 PID 1512 wrote to memory of 2828 1512 1jvvj.exe 33 PID 1512 wrote to memory of 2828 1512 1jvvj.exe 33 PID 1512 wrote to memory of 2828 1512 1jvvj.exe 33 PID 1512 wrote to memory of 2828 1512 1jvvj.exe 33 PID 2828 wrote to memory of 2244 2828 tthntn.exe 34 PID 2828 wrote to memory of 2244 2828 tthntn.exe 34 PID 2828 wrote to memory of 2244 2828 tthntn.exe 34 PID 2828 wrote to memory of 2244 2828 tthntn.exe 34 PID 2244 wrote to memory of 2848 2244 7ntbnt.exe 35 PID 2244 wrote to memory of 2848 2244 7ntbnt.exe 35 PID 2244 wrote to memory of 2848 2244 7ntbnt.exe 35 PID 2244 wrote to memory of 2848 2244 7ntbnt.exe 35 PID 2848 wrote to memory of 2776 2848 60684.exe 36 PID 2848 wrote to memory of 2776 2848 60684.exe 36 PID 2848 wrote to memory of 2776 2848 60684.exe 36 PID 2848 wrote to memory of 2776 2848 60684.exe 36 PID 2776 wrote to memory of 2856 2776 5jvvd.exe 37 PID 2776 wrote to memory of 2856 2776 5jvvd.exe 37 PID 2776 wrote to memory of 2856 2776 5jvvd.exe 37 PID 2776 wrote to memory of 2856 2776 5jvvd.exe 37 PID 2856 wrote to memory of 1240 2856 8262446.exe 38 PID 2856 wrote to memory of 1240 2856 8262446.exe 38 PID 2856 wrote to memory of 1240 2856 8262446.exe 38 PID 2856 wrote to memory of 1240 2856 8262446.exe 38 PID 1240 wrote to memory of 2632 1240 864422.exe 39 PID 1240 wrote to 
memory of 2632 1240 864422.exe 39 PID 1240 wrote to memory of 2632 1240 864422.exe 39 PID 1240 wrote to memory of 2632 1240 864422.exe 39 PID 2632 wrote to memory of 2464 2632 1rfrxfr.exe 40 PID 2632 wrote to memory of 2464 2632 1rfrxfr.exe 40 PID 2632 wrote to memory of 2464 2632 1rfrxfr.exe 40 PID 2632 wrote to memory of 2464 2632 1rfrxfr.exe 40 PID 2464 wrote to memory of 1708 2464 nbnntt.exe 41 PID 2464 wrote to memory of 1708 2464 nbnntt.exe 41 PID 2464 wrote to memory of 1708 2464 nbnntt.exe 41 PID 2464 wrote to memory of 1708 2464 nbnntt.exe 41 PID 1708 wrote to memory of 2280 1708 hbtbnt.exe 42 PID 1708 wrote to memory of 2280 1708 hbtbnt.exe 42 PID 1708 wrote to memory of 2280 1708 hbtbnt.exe 42 PID 1708 wrote to memory of 2280 1708 hbtbnt.exe 42 PID 2280 wrote to memory of 2976 2280 jdvvd.exe 43 PID 2280 wrote to memory of 2976 2280 jdvvd.exe 43 PID 2280 wrote to memory of 2976 2280 jdvvd.exe 43 PID 2280 wrote to memory of 2976 2280 jdvvd.exe 43 PID 2976 wrote to memory of 3060 2976 1hbbtt.exe 44 PID 2976 wrote to memory of 3060 2976 1hbbtt.exe 44 PID 2976 wrote to memory of 3060 2976 1hbbtt.exe 44 PID 2976 wrote to memory of 3060 2976 1hbbtt.exe 44 PID 3060 wrote to memory of 2740 3060 82624.exe 45 PID 3060 wrote to memory of 2740 3060 82624.exe 45 PID 3060 wrote to memory of 2740 3060 82624.exe 45 PID 3060 wrote to memory of 2740 3060 82624.exe 45 PID 2740 wrote to memory of 1968 2740 4866268.exe 46 PID 2740 wrote to memory of 1968 2740 4866268.exe 46 PID 2740 wrote to memory of 1968 2740 4866268.exe 46 PID 2740 wrote to memory of 1968 2740 4866268.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cfdca78f4dc4f9a7cbb711f38496abe86ef2f7b2471ef74d2dba7a9341b3920.exe"C:\Users\Admin\AppData\Local\Temp\2cfdca78f4dc4f9a7cbb711f38496abe86ef2f7b2471ef74d2dba7a9341b3920.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\5ffflrx.exec:\5ffflrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\1jvvj.exec:\1jvvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\tthntn.exec:\tthntn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\7ntbnt.exec:\7ntbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\60684.exec:\60684.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\5jvvd.exec:\5jvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\8262446.exec:\8262446.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\864422.exec:\864422.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\1rfrxfr.exec:\1rfrxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\nbnntt.exec:\nbnntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\hbtbnt.exec:\hbtbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\jdvvd.exec:\jdvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\1hbbtt.exec:\1hbbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\82624.exec:\82624.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\4866268.exec:\4866268.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\20840.exec:\20840.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968 -
\??\c:\6466880.exec:\6466880.exe18⤵
- Executes dropped EXE
PID:2476 -
\??\c:\q20020.exec:\q20020.exe19⤵
- Executes dropped EXE
PID:2564 -
\??\c:\fxlllrf.exec:\fxlllrf.exe20⤵
- Executes dropped EXE
PID:1016 -
\??\c:\e24400.exec:\e24400.exe21⤵
- Executes dropped EXE
PID:2200 -
\??\c:\jdvjj.exec:\jdvjj.exe22⤵
- Executes dropped EXE
PID:1316 -
\??\c:\xrxxlxl.exec:\xrxxlxl.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
\??\c:\pjvpp.exec:\pjvpp.exe24⤵
- Executes dropped EXE
PID:872 -
\??\c:\7dvvj.exec:\7dvvj.exe25⤵
- Executes dropped EXE
PID:1604 -
\??\c:\m8624.exec:\m8624.exe26⤵
- Executes dropped EXE
PID:2436 -
\??\c:\xfxflrf.exec:\xfxflrf.exe27⤵
- Executes dropped EXE
PID:868 -
\??\c:\dvddp.exec:\dvddp.exe28⤵
- Executes dropped EXE
PID:2116 -
\??\c:\nhbhnn.exec:\nhbhnn.exe29⤵
- Executes dropped EXE
PID:2124 -
\??\c:\ffxfrxl.exec:\ffxfrxl.exe30⤵
- Executes dropped EXE
PID:1620 -
\??\c:\5xrflfr.exec:\5xrflfr.exe31⤵
- Executes dropped EXE
PID:876 -
\??\c:\c662446.exec:\c662446.exe32⤵
- Executes dropped EXE
PID:752 -
\??\c:\w86062.exec:\w86062.exe33⤵
- Executes dropped EXE
PID:2508 -
\??\c:\flrrxrf.exec:\flrrxrf.exe34⤵
- Executes dropped EXE
PID:2300 -
\??\c:\8600280.exec:\8600280.exe35⤵
- Executes dropped EXE
PID:1720 -
\??\c:\7frlfxf.exec:\7frlfxf.exe36⤵
- Executes dropped EXE
PID:2316 -
\??\c:\dvdjj.exec:\dvdjj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772 -
\??\c:\1hbbnn.exec:\1hbbnn.exe38⤵
- Executes dropped EXE
PID:2840 -
\??\c:\jdpvp.exec:\jdpvp.exe39⤵
- Executes dropped EXE
PID:2604 -
\??\c:\s8200.exec:\s8200.exe40⤵
- Executes dropped EXE
PID:2644 -
\??\c:\tbttbb.exec:\tbttbb.exe41⤵
- Executes dropped EXE
PID:2920 -
\??\c:\c640666.exec:\c640666.exe42⤵
- Executes dropped EXE
PID:2808 -
\??\c:\20802.exec:\20802.exe43⤵
- Executes dropped EXE
PID:2640 -
\??\c:\2662046.exec:\2662046.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\nhbnnt.exec:\nhbnnt.exe45⤵
- Executes dropped EXE
PID:2532 -
\??\c:\hbntbh.exec:\hbntbh.exe46⤵
- Executes dropped EXE
PID:2464 -
\??\c:\pjvdj.exec:\pjvdj.exe47⤵
- Executes dropped EXE
PID:2504 -
\??\c:\thbhtt.exec:\thbhtt.exe48⤵
- Executes dropped EXE
PID:3028 -
\??\c:\9dpvp.exec:\9dpvp.exe49⤵
- Executes dropped EXE
PID:3048 -
\??\c:\4844006.exec:\4844006.exe50⤵
- Executes dropped EXE
PID:2968 -
\??\c:\nhnntt.exec:\nhnntt.exe51⤵
- Executes dropped EXE
PID:2900 -
\??\c:\vvppv.exec:\vvppv.exe52⤵
- Executes dropped EXE
PID:2728 -
\??\c:\5htthh.exec:\5htthh.exe53⤵
- Executes dropped EXE
PID:2948 -
\??\c:\fxrxlrf.exec:\fxrxlrf.exe54⤵
- Executes dropped EXE
PID:1496 -
\??\c:\0246220.exec:\0246220.exe55⤵
- Executes dropped EXE
PID:1968 -
\??\c:\7vjpv.exec:\7vjpv.exe56⤵
- Executes dropped EXE
PID:2324 -
\??\c:\s0442.exec:\s0442.exe57⤵
- Executes dropped EXE
PID:896 -
\??\c:\vpdjv.exec:\vpdjv.exe58⤵
- Executes dropped EXE
PID:2564 -
\??\c:\llxrxfl.exec:\llxrxfl.exe59⤵
- Executes dropped EXE
PID:2620 -
\??\c:\flxlrrx.exec:\flxlrrx.exe60⤵
- Executes dropped EXE
PID:2136 -
\??\c:\jddpd.exec:\jddpd.exe61⤵
- Executes dropped EXE
PID:2080 -
\??\c:\g4228.exec:\g4228.exe62⤵
- Executes dropped EXE
PID:1316 -
\??\c:\jvppp.exec:\jvppp.exe63⤵
- Executes dropped EXE
PID:2876 -
\??\c:\7dppv.exec:\7dppv.exe64⤵
- Executes dropped EXE
PID:900 -
\??\c:\q02844.exec:\q02844.exe65⤵
- Executes dropped EXE
PID:2236 -
\??\c:\btntnt.exec:\btntnt.exe66⤵PID:1372
-
\??\c:\026802.exec:\026802.exe67⤵PID:2592
-
\??\c:\tnbttb.exec:\tnbttb.exe68⤵PID:868
-
\??\c:\7lllllx.exec:\7lllllx.exe69⤵PID:1660
-
\??\c:\s6062.exec:\s6062.exe70⤵PID:2612
-
\??\c:\820066.exec:\820066.exe71⤵PID:2356
-
\??\c:\062626.exec:\062626.exe72⤵PID:884
-
\??\c:\7xllxxl.exec:\7xllxxl.exe73⤵PID:1876
-
\??\c:\u484008.exec:\u484008.exe74⤵PID:2568
-
\??\c:\6046860.exec:\6046860.exe75⤵PID:1752
-
\??\c:\48808.exec:\48808.exe76⤵PID:1940
-
\??\c:\bbnnhh.exec:\bbnnhh.exe77⤵PID:2388
-
\??\c:\jddjp.exec:\jddjp.exe78⤵PID:2336
-
\??\c:\llflrfr.exec:\llflrfr.exe79⤵PID:2316
-
\??\c:\260684.exec:\260684.exe80⤵PID:2788
-
\??\c:\xlffllx.exec:\xlffllx.exe81⤵PID:2844
-
\??\c:\a4862.exec:\a4862.exe82⤵PID:2604
-
\??\c:\bttbbb.exec:\bttbbb.exe83⤵PID:2760
-
\??\c:\7thtth.exec:\7thtth.exe84⤵PID:2400
-
\??\c:\tbnthn.exec:\tbnthn.exe85⤵PID:2672
-
\??\c:\hbtnth.exec:\hbtnth.exe86⤵PID:2640
-
\??\c:\642884.exec:\642884.exe87⤵PID:1952
-
\??\c:\60840.exec:\60840.exe88⤵PID:308
-
\??\c:\nnbhtb.exec:\nnbhtb.exe89⤵PID:2464
-
\??\c:\2640880.exec:\2640880.exe90⤵PID:2036
-
\??\c:\vppvv.exec:\vppvv.exe91⤵PID:2820
-
\??\c:\082466.exec:\082466.exe92⤵PID:2296
-
\??\c:\82402.exec:\82402.exe93⤵PID:3004
-
\??\c:\20808.exec:\20808.exe94⤵PID:1276
-
\??\c:\vdddp.exec:\vdddp.exe95⤵PID:2708
-
\??\c:\ppjjv.exec:\ppjjv.exe96⤵PID:2468
-
\??\c:\04286.exec:\04286.exe97⤵PID:1508
-
\??\c:\420062.exec:\420062.exe98⤵
- System Location Discovery: System Language Discovery
PID:1968 -
\??\c:\jpvpd.exec:\jpvpd.exe99⤵PID:2324
-
\??\c:\8200262.exec:\8200262.exe100⤵PID:1128
-
\??\c:\xrllrxl.exec:\xrllrxl.exe101⤵PID:2564
-
\??\c:\vpjjv.exec:\vpjjv.exe102⤵PID:952
-
\??\c:\hhbhtt.exec:\hhbhtt.exe103⤵PID:2028
-
\??\c:\lfrrlfr.exec:\lfrrlfr.exe104⤵PID:2080
-
\??\c:\fxrfllx.exec:\fxrfllx.exe105⤵PID:1444
-
\??\c:\bbttbb.exec:\bbttbb.exe106⤵PID:1732
-
\??\c:\26446.exec:\26446.exe107⤵PID:2424
-
\??\c:\04224.exec:\04224.exe108⤵PID:1632
-
\??\c:\3frxxfr.exec:\3frxxfr.exe109⤵PID:2436
-
\??\c:\082268.exec:\082268.exe110⤵PID:780
-
\??\c:\fxllrrx.exec:\fxllrrx.exe111⤵PID:2020
-
\??\c:\3tttbb.exec:\3tttbb.exe112⤵PID:2572
-
\??\c:\llrxlrx.exec:\llrxlrx.exe113⤵PID:1088
-
\??\c:\tnhhbn.exec:\tnhhbn.exe114⤵PID:1816
-
\??\c:\60846.exec:\60846.exe115⤵PID:1936
-
\??\c:\vpjdp.exec:\vpjdp.exe116⤵PID:2396
-
\??\c:\486288.exec:\486288.exe117⤵PID:1580
-
\??\c:\264628.exec:\264628.exe118⤵PID:1584
-
\??\c:\a0464.exec:\a0464.exe119⤵PID:1528
-
\??\c:\xrflffr.exec:\xrflffr.exe120⤵PID:2732
-
\??\c:\xxllxfr.exec:\xxllxfr.exe121⤵PID:2784
-
\??\c:\5pvdp.exec:\5pvdp.exe122⤵PID:2860