Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 19:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb4ab67100d58b964a654ecba12f0e940c6f3dc8b8a194f6957c07d643aadaa7N.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
fb4ab67100d58b964a654ecba12f0e940c6f3dc8b8a194f6957c07d643aadaa7N.exe
-
Size
456KB
-
MD5
c09b8c6cd879f2c43f3d5247e16dcc50
-
SHA1
a449144f1dc7002d6fe2ee895226c95ed96b4a54
-
SHA256
fb4ab67100d58b964a654ecba12f0e940c6f3dc8b8a194f6957c07d643aadaa7
-
SHA512
33f1069dfbb1dbd57ef7a584a5d50942cb46e4ab7b177212b8e30a058ab39690cfc98ad8918a56f556639126223b5a694cf48ff4b74fe1d6c1942cc498f2091b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRM:q7Tc2NYHUrAwfMp3CDRM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2800-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-135-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2952-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2804-292-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2120-299-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2872-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-417-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1584-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-436-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2520-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1012-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-754-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1544-832-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1544-831-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1900-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-918-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2492-957-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-1032-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2000-1052-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1564-1072-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1720-1171-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2204-1257-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2900 ffllrxl.exe 2136 btnnhh.exe 2696 fflfrlx.exe 2852 428006.exe 2664 thttbb.exe 2104 04024.exe 1588 ttnnhh.exe 2988 xrllrrx.exe 2624 lfllflx.exe 2092 g2002.exe 2336 w48866.exe 3068 o640202.exe 3044 xfrfrrl.exe 2952 8200268.exe 1092 3dvvj.exe 2068 xfxlrxf.exe 1556 82024.exe 1928 u084006.exe 860 048084.exe 1744 266622.exe 1708 642206.exe 1096 ttnthn.exe 2468 m8666.exe 1488 xllfrrx.exe 784 1nbtnt.exe 1668 dpjjv.exe 568 086688.exe 1688 60860.exe 1872 3vpdj.exe 2120 264022.exe 1448 1vddp.exe 2804 9pjpp.exe 1512 k20026.exe 2872 08064.exe 2820 lfflxxr.exe 2140 vpjjv.exe 2704 04628.exe 2660 8628602.exe 2832 jvjjj.exe 2708 24088.exe 2532 246684.exe 1252 0806228.exe 2484 42846.exe 2516 dvddv.exe 3056 424422.exe 2876 60062.exe 1524 22628.exe 2888 vpppj.exe 2980 248468.exe 604 jdjpp.exe 264 u026666.exe 1584 frfxxxx.exe 2496 86880.exe 1932 5bhhbt.exe 2520 7frrxxf.exe 3004 3ddjv.exe 688 64280.exe 1012 e02244.exe 444 1nbbbb.exe 1896 vjpdj.exe 2100 2602442.exe 1800 084400.exe 1492 808266.exe 324 vvppd.exe -
resource yara_rule behavioral1/memory/2900-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-313-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3056-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-417-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1584-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-754-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2448-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-889-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-1032-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-1031-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2000-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-1065-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2740-1092-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-1224-0x00000000003B0000-0x00000000003DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 460062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6466484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i220864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e64644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2800 wrote to memory of 2900 2800 fb4ab67100d58b964a654ecba12f0e940c6f3dc8b8a194f6957c07d643aadaa7N.exe 30 PID 2800 wrote to memory of 2900 2800 fb4ab67100d58b964a654ecba12f0e940c6f3dc8b8a194f6957c07d643aadaa7N.exe 30 PID 2800 wrote to memory of 2900 2800 fb4ab67100d58b964a654ecba12f0e940c6f3dc8b8a194f6957c07d643aadaa7N.exe 30 PID 2800 wrote to memory of 2900 2800 fb4ab67100d58b964a654ecba12f0e940c6f3dc8b8a194f6957c07d643aadaa7N.exe 30 PID 2900 wrote to memory of 2136 2900 ffllrxl.exe 31 PID 2900 wrote to memory of 2136 2900 ffllrxl.exe 31 PID 2900 wrote to memory of 2136 2900 ffllrxl.exe 31 PID 2900 wrote to memory of 2136 2900 ffllrxl.exe 31 PID 2136 wrote to memory of 2696 2136 btnnhh.exe 32 PID 2136 wrote to memory of 2696 2136 btnnhh.exe 32 PID 2136 wrote to memory of 2696 2136 btnnhh.exe 32 PID 2136 wrote to memory of 2696 2136 btnnhh.exe 32 PID 2696 wrote to memory of 2852 2696 fflfrlx.exe 33 PID 2696 wrote to memory of 2852 2696 fflfrlx.exe 33 PID 2696 wrote to memory of 2852 2696 fflfrlx.exe 33 PID 2696 wrote to memory of 2852 2696 fflfrlx.exe 33 PID 2852 wrote to memory of 2664 2852 428006.exe 34 PID 2852 wrote to memory of 2664 2852 428006.exe 34 PID 2852 wrote to memory of 2664 2852 428006.exe 34 PID 2852 wrote to memory of 2664 2852 428006.exe 34 PID 2664 wrote to memory of 2104 2664 thttbb.exe 35 PID 2664 wrote to memory of 2104 2664 thttbb.exe 35 PID 2664 wrote to memory of 2104 2664 thttbb.exe 35 PID 2664 wrote to memory of 2104 2664 thttbb.exe 35 PID 2104 wrote to memory of 1588 2104 04024.exe 36 PID 2104 wrote to memory of 1588 2104 04024.exe 36 PID 2104 wrote to memory of 1588 2104 04024.exe 36 PID 2104 wrote to memory of 1588 2104 04024.exe 36 PID 1588 wrote to memory of 2988 1588 ttnnhh.exe 37 PID 1588 wrote to memory of 2988 1588 ttnnhh.exe 37 PID 1588 wrote to memory of 2988 1588 ttnnhh.exe 37 PID 1588 wrote to memory of 2988 1588 ttnnhh.exe 37 PID 2988 wrote to memory of 2624 2988 xrllrrx.exe 38 PID 
2988 wrote to memory of 2624 2988 xrllrrx.exe 38 PID 2988 wrote to memory of 2624 2988 xrllrrx.exe 38 PID 2988 wrote to memory of 2624 2988 xrllrrx.exe 38 PID 2624 wrote to memory of 2092 2624 lfllflx.exe 39 PID 2624 wrote to memory of 2092 2624 lfllflx.exe 39 PID 2624 wrote to memory of 2092 2624 lfllflx.exe 39 PID 2624 wrote to memory of 2092 2624 lfllflx.exe 39 PID 2092 wrote to memory of 2336 2092 g2002.exe 40 PID 2092 wrote to memory of 2336 2092 g2002.exe 40 PID 2092 wrote to memory of 2336 2092 g2002.exe 40 PID 2092 wrote to memory of 2336 2092 g2002.exe 40 PID 2336 wrote to memory of 3068 2336 w48866.exe 41 PID 2336 wrote to memory of 3068 2336 w48866.exe 41 PID 2336 wrote to memory of 3068 2336 w48866.exe 41 PID 2336 wrote to memory of 3068 2336 w48866.exe 41 PID 3068 wrote to memory of 3044 3068 o640202.exe 42 PID 3068 wrote to memory of 3044 3068 o640202.exe 42 PID 3068 wrote to memory of 3044 3068 o640202.exe 42 PID 3068 wrote to memory of 3044 3068 o640202.exe 42 PID 3044 wrote to memory of 2952 3044 xfrfrrl.exe 43 PID 3044 wrote to memory of 2952 3044 xfrfrrl.exe 43 PID 3044 wrote to memory of 2952 3044 xfrfrrl.exe 43 PID 3044 wrote to memory of 2952 3044 xfrfrrl.exe 43 PID 2952 wrote to memory of 1092 2952 8200268.exe 44 PID 2952 wrote to memory of 1092 2952 8200268.exe 44 PID 2952 wrote to memory of 1092 2952 8200268.exe 44 PID 2952 wrote to memory of 1092 2952 8200268.exe 44 PID 1092 wrote to memory of 2068 1092 3dvvj.exe 45 PID 1092 wrote to memory of 2068 1092 3dvvj.exe 45 PID 1092 wrote to memory of 2068 1092 3dvvj.exe 45 PID 1092 wrote to memory of 2068 1092 3dvvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb4ab67100d58b964a654ecba12f0e940c6f3dc8b8a194f6957c07d643aadaa7N.exe"C:\Users\Admin\AppData\Local\Temp\fb4ab67100d58b964a654ecba12f0e940c6f3dc8b8a194f6957c07d643aadaa7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\ffllrxl.exec:\ffllrxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\btnnhh.exec:\btnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\fflfrlx.exec:\fflfrlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\428006.exec:\428006.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\thttbb.exec:\thttbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\04024.exec:\04024.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\ttnnhh.exec:\ttnnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\xrllrrx.exec:\xrllrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\lfllflx.exec:\lfllflx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\g2002.exec:\g2002.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\w48866.exec:\w48866.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\o640202.exec:\o640202.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\xfrfrrl.exec:\xfrfrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\8200268.exec:\8200268.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\3dvvj.exec:\3dvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\xfxlrxf.exec:\xfxlrxf.exe17⤵
- Executes dropped EXE
PID:2068 -
\??\c:\82024.exec:\82024.exe18⤵
- Executes dropped EXE
PID:1556 -
\??\c:\u084006.exec:\u084006.exe19⤵
- Executes dropped EXE
PID:1928 -
\??\c:\048084.exec:\048084.exe20⤵
- Executes dropped EXE
PID:860 -
\??\c:\266622.exec:\266622.exe21⤵
- Executes dropped EXE
PID:1744 -
\??\c:\642206.exec:\642206.exe22⤵
- Executes dropped EXE
PID:1708 -
\??\c:\ttnthn.exec:\ttnthn.exe23⤵
- Executes dropped EXE
PID:1096 -
\??\c:\m8666.exec:\m8666.exe24⤵
- Executes dropped EXE
PID:2468 -
\??\c:\xllfrrx.exec:\xllfrrx.exe25⤵
- Executes dropped EXE
PID:1488 -
\??\c:\1nbtnt.exec:\1nbtnt.exe26⤵
- Executes dropped EXE
PID:784 -
\??\c:\dpjjv.exec:\dpjjv.exe27⤵
- Executes dropped EXE
PID:1668 -
\??\c:\086688.exec:\086688.exe28⤵
- Executes dropped EXE
PID:568 -
\??\c:\60860.exec:\60860.exe29⤵
- Executes dropped EXE
PID:1688 -
\??\c:\3vpdj.exec:\3vpdj.exe30⤵
- Executes dropped EXE
PID:1872 -
\??\c:\264022.exec:\264022.exe31⤵
- Executes dropped EXE
PID:2120 -
\??\c:\1vddp.exec:\1vddp.exe32⤵
- Executes dropped EXE
PID:1448 -
\??\c:\9pjpp.exec:\9pjpp.exe33⤵
- Executes dropped EXE
PID:2804 -
\??\c:\k20026.exec:\k20026.exe34⤵
- Executes dropped EXE
PID:1512 -
\??\c:\08064.exec:\08064.exe35⤵
- Executes dropped EXE
PID:2872 -
\??\c:\lfflxxr.exec:\lfflxxr.exe36⤵
- Executes dropped EXE
PID:2820 -
\??\c:\vpjjv.exec:\vpjjv.exe37⤵
- Executes dropped EXE
PID:2140 -
\??\c:\04628.exec:\04628.exe38⤵
- Executes dropped EXE
PID:2704 -
\??\c:\8628602.exec:\8628602.exe39⤵
- Executes dropped EXE
PID:2660 -
\??\c:\jvjjj.exec:\jvjjj.exe40⤵
- Executes dropped EXE
PID:2832 -
\??\c:\24088.exec:\24088.exe41⤵
- Executes dropped EXE
PID:2708 -
\??\c:\246684.exec:\246684.exe42⤵
- Executes dropped EXE
PID:2532 -
\??\c:\0806228.exec:\0806228.exe43⤵
- Executes dropped EXE
PID:1252 -
\??\c:\42846.exec:\42846.exe44⤵
- Executes dropped EXE
PID:2484 -
\??\c:\dvddv.exec:\dvddv.exe45⤵
- Executes dropped EXE
PID:2516 -
\??\c:\424422.exec:\424422.exe46⤵
- Executes dropped EXE
PID:3056 -
\??\c:\60062.exec:\60062.exe47⤵
- Executes dropped EXE
PID:2876 -
\??\c:\22628.exec:\22628.exe48⤵
- Executes dropped EXE
PID:1524 -
\??\c:\vpppj.exec:\vpppj.exe49⤵
- Executes dropped EXE
PID:2888 -
\??\c:\248468.exec:\248468.exe50⤵
- Executes dropped EXE
PID:2980 -
\??\c:\jdjpp.exec:\jdjpp.exe51⤵
- Executes dropped EXE
PID:604 -
\??\c:\u026666.exec:\u026666.exe52⤵
- Executes dropped EXE
PID:264 -
\??\c:\frfxxxx.exec:\frfxxxx.exe53⤵
- Executes dropped EXE
PID:1584 -
\??\c:\86880.exec:\86880.exe54⤵
- Executes dropped EXE
PID:2496 -
\??\c:\5bhhbt.exec:\5bhhbt.exe55⤵
- Executes dropped EXE
PID:1932 -
\??\c:\7frrxxf.exec:\7frrxxf.exe56⤵
- Executes dropped EXE
PID:2520 -
\??\c:\3ddjv.exec:\3ddjv.exe57⤵
- Executes dropped EXE
PID:3004 -
\??\c:\64280.exec:\64280.exe58⤵
- Executes dropped EXE
PID:688 -
\??\c:\e02244.exec:\e02244.exe59⤵
- Executes dropped EXE
PID:1012 -
\??\c:\1nbbbb.exec:\1nbbbb.exe60⤵
- Executes dropped EXE
PID:444 -
\??\c:\vjpdj.exec:\vjpdj.exe61⤵
- Executes dropped EXE
PID:1896 -
\??\c:\2602442.exec:\2602442.exe62⤵
- Executes dropped EXE
PID:2100 -
\??\c:\084400.exec:\084400.exe63⤵
- Executes dropped EXE
PID:1800 -
\??\c:\808266.exec:\808266.exe64⤵
- Executes dropped EXE
PID:1492 -
\??\c:\vvppd.exec:\vvppd.exe65⤵
- Executes dropped EXE
PID:324 -
\??\c:\jvjpv.exec:\jvjpv.exe66⤵PID:1984
-
\??\c:\jdvjp.exec:\jdvjp.exe67⤵PID:948
-
\??\c:\48446.exec:\48446.exe68⤵PID:1608
-
\??\c:\dpdpv.exec:\dpdpv.exe69⤵PID:1656
-
\??\c:\9vppv.exec:\9vppv.exe70⤵
- System Location Discovery: System Language Discovery
PID:1688 -
\??\c:\vpjvd.exec:\vpjvd.exe71⤵PID:1216
-
\??\c:\6428628.exec:\6428628.exe72⤵PID:1444
-
\??\c:\608460.exec:\608460.exe73⤵PID:2740
-
\??\c:\486628.exec:\486628.exe74⤵PID:1544
-
\??\c:\7ttbbh.exec:\7ttbbh.exe75⤵PID:2800
-
\??\c:\lrxrlxr.exec:\lrxrlxr.exe76⤵PID:1640
-
\??\c:\jdvvp.exec:\jdvvp.exe77⤵PID:2900
-
\??\c:\604684.exec:\604684.exe78⤵PID:2920
-
\??\c:\264640.exec:\264640.exe79⤵PID:2696
-
\??\c:\k42880.exec:\k42880.exe80⤵PID:2716
-
\??\c:\g0840.exec:\g0840.exe81⤵PID:2680
-
\??\c:\26802.exec:\26802.exe82⤵PID:2828
-
\??\c:\9xxrrrx.exec:\9xxrrrx.exe83⤵PID:3028
-
\??\c:\xxlrxxf.exec:\xxlrxxf.exe84⤵PID:2104
-
\??\c:\a2624.exec:\a2624.exe85⤵PID:2700
-
\??\c:\m0468.exec:\m0468.exe86⤵PID:2988
-
\??\c:\tnhhtt.exec:\tnhhtt.exe87⤵PID:2088
-
\??\c:\1thbhh.exec:\1thbhh.exe88⤵PID:2728
-
\??\c:\9pdjv.exec:\9pdjv.exe89⤵PID:2092
-
\??\c:\646628.exec:\646628.exe90⤵
- System Location Discovery: System Language Discovery
PID:864 -
\??\c:\822800.exec:\822800.exe91⤵PID:2984
-
\??\c:\s6448.exec:\s6448.exe92⤵PID:3048
-
\??\c:\ddpjp.exec:\ddpjp.exe93⤵PID:3000
-
\??\c:\s8668.exec:\s8668.exe94⤵PID:604
-
\??\c:\482882.exec:\482882.exe95⤵PID:2480
-
\??\c:\btbbbt.exec:\btbbbt.exe96⤵PID:1584
-
\??\c:\604022.exec:\604022.exe97⤵PID:2496
-
\??\c:\602862.exec:\602862.exe98⤵PID:1924
-
\??\c:\ttbbhh.exec:\ttbbhh.exe99⤵PID:1100
-
\??\c:\8606042.exec:\8606042.exe100⤵PID:1728
-
\??\c:\nhnthn.exec:\nhnthn.exe101⤵PID:1676
-
\??\c:\8626628.exec:\8626628.exe102⤵PID:1576
-
\??\c:\48842.exec:\48842.exe103⤵PID:1572
-
\??\c:\xrxxfxl.exec:\xrxxfxl.exe104⤵PID:2052
-
\??\c:\vdvdd.exec:\vdvdd.exe105⤵PID:1896
-
\??\c:\o200600.exec:\o200600.exe106⤵PID:2468
-
\??\c:\1nhtnt.exec:\1nhtnt.exe107⤵PID:1800
-
\??\c:\6088668.exec:\6088668.exe108⤵PID:1660
-
\??\c:\pjjvp.exec:\pjjvp.exe109⤵PID:324
-
\??\c:\3xrxxrx.exec:\3xrxxrx.exe110⤵PID:1308
-
\??\c:\428860.exec:\428860.exe111⤵PID:948
-
\??\c:\i862006.exec:\i862006.exe112⤵PID:640
-
\??\c:\llxfxxf.exec:\llxfxxf.exe113⤵PID:1656
-
\??\c:\a0286.exec:\a0286.exe114⤵PID:2552
-
\??\c:\2088224.exec:\2088224.exe115⤵PID:1596
-
\??\c:\1djpv.exec:\1djpv.exe116⤵PID:1444
-
\??\c:\g4224.exec:\g4224.exe117⤵PID:2764
-
\??\c:\xlxxxxl.exec:\xlxxxxl.exe118⤵PID:1544
-
\??\c:\64280.exec:\64280.exe119⤵PID:2448
-
\??\c:\vpdjp.exec:\vpdjp.exe120⤵PID:2960
-
\??\c:\a6846.exec:\a6846.exe121⤵PID:2684
-
\??\c:\8600268.exec:\8600268.exe122⤵PID:2920