Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 20:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe
-
Size
454KB
-
MD5
46a7f8b252b602740d469013d50f4fea
-
SHA1
6698c429e1ec586083ee9f35a20606aaca5a630c
-
SHA256
1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0
-
SHA512
a93fb4896d86b21545eb048fd42712af0b456925aa1fe8cd158547f80943d4d7825acf41320c43b865c778a2b23cb69247452c7a9f67365539c261187c60930a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2100-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-110-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2620-108-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3036-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-129-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2120-140-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1076-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/648-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/352-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/896-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-304-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2892-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1128-363-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2016-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-384-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2388-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-459-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1580-465-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2044-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-632-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2816-639-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2560-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3052-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1692-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/560-825-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-915-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3052-965-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-987-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1468-1018-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/860-1043-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/728-1059-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2152 fffrllf.exe 2888 9jddd.exe 2848 vpjpp.exe 2940 w02462.exe 3032 8062266.exe 2900 3frlrxl.exe 2760 3nbbbb.exe 2288 60802.exe 2980 hbbbnh.exe 2120 42468.exe 2620 420688.exe 3036 7lffrlr.exe 3008 hthntt.exe 2872 66682.exe 2596 bnhnbb.exe 1076 42880.exe 2384 8640668.exe 2024 4284264.exe 648 9nbnhh.exe 2952 66808.exe 772 ppjdp.exe 352 480248.exe 1940 86266.exe 1736 64668.exe 1088 pdpvj.exe 1604 vjdpv.exe 896 20282.exe 2424 vpjdp.exe 1716 q86020.exe 1988 0866284.exe 2452 vjvpp.exe 1696 a8624.exe 2332 484062.exe 2448 hthhbh.exe 2948 vjvvj.exe 2892 c428884.exe 2704 ffxfxrx.exe 2884 e20026.exe 3040 866660.exe 2752 g6006.exe 2808 thnhhb.exe 1128 dpdpd.exe 2768 dvddv.exe 2016 k48466.exe 2080 lxrlrlx.exe 2416 0806884.exe 2388 jdppp.exe 3052 2684242.exe 3020 lrxffxf.exe 3004 fxrrlrl.exe 2336 08002.exe 1948 86884.exe 2176 rxfxfff.exe 2012 3jjvv.exe 1596 hthhhh.exe 1580 jvpvd.exe 2672 btbhhn.exe 2044 vvpdp.exe 2660 rrrxllx.exe 1900 46884.exe 352 26062.exe 1192 c404002.exe 1564 822462.exe 1736 u422880.exe -
resource yara_rule behavioral1/memory/2100-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/648-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2388-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/560-825-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1472-839-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-846-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-965-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-1020-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/772-1046-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/728-1059-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 242684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w00266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntthn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4688880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2152 2100 1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe 30 PID 2100 wrote to memory of 2152 2100 1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe 30 PID 2100 wrote to memory of 2152 2100 1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe 30 PID 2100 wrote to memory of 2152 2100 1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe 30 PID 2152 wrote to memory of 2888 2152 fffrllf.exe 31 PID 2152 wrote to memory of 2888 2152 fffrllf.exe 31 PID 2152 wrote to memory of 2888 2152 fffrllf.exe 31 PID 2152 wrote to memory of 2888 2152 fffrllf.exe 31 PID 2888 wrote to memory of 2848 2888 9jddd.exe 32 PID 2888 wrote to memory of 2848 2888 9jddd.exe 32 PID 2888 wrote to memory of 2848 2888 9jddd.exe 32 PID 2888 wrote to memory of 2848 2888 9jddd.exe 32 PID 2848 wrote to memory of 2940 2848 vpjpp.exe 33 PID 2848 wrote to memory of 2940 2848 vpjpp.exe 33 PID 2848 wrote to memory of 2940 2848 vpjpp.exe 33 PID 2848 wrote to memory of 2940 2848 vpjpp.exe 33 PID 2940 wrote to memory of 3032 2940 w02462.exe 34 PID 2940 wrote to memory of 3032 2940 w02462.exe 34 PID 2940 wrote to memory of 3032 2940 w02462.exe 34 PID 2940 wrote to memory of 3032 2940 w02462.exe 34 PID 3032 wrote to memory of 2900 3032 8062266.exe 35 PID 3032 wrote to memory of 2900 3032 8062266.exe 35 PID 3032 wrote to memory of 2900 3032 8062266.exe 35 PID 3032 wrote to memory of 2900 3032 8062266.exe 35 PID 2900 wrote to memory of 2760 2900 3frlrxl.exe 36 PID 2900 wrote to memory of 2760 2900 3frlrxl.exe 36 PID 2900 wrote to memory of 2760 2900 3frlrxl.exe 36 PID 2900 wrote to memory of 2760 2900 3frlrxl.exe 36 PID 2760 wrote to memory of 2288 2760 3nbbbb.exe 37 PID 2760 wrote to memory of 2288 2760 3nbbbb.exe 37 PID 2760 wrote to memory of 2288 2760 3nbbbb.exe 37 PID 2760 wrote to memory of 2288 2760 3nbbbb.exe 37 PID 2288 wrote to memory of 2980 2288 60802.exe 38 PID 2288 
wrote to memory of 2980 2288 60802.exe 38 PID 2288 wrote to memory of 2980 2288 60802.exe 38 PID 2288 wrote to memory of 2980 2288 60802.exe 38 PID 2980 wrote to memory of 2120 2980 hbbbnh.exe 39 PID 2980 wrote to memory of 2120 2980 hbbbnh.exe 39 PID 2980 wrote to memory of 2120 2980 hbbbnh.exe 39 PID 2980 wrote to memory of 2120 2980 hbbbnh.exe 39 PID 2120 wrote to memory of 2620 2120 42468.exe 40 PID 2120 wrote to memory of 2620 2120 42468.exe 40 PID 2120 wrote to memory of 2620 2120 42468.exe 40 PID 2120 wrote to memory of 2620 2120 42468.exe 40 PID 2620 wrote to memory of 3036 2620 420688.exe 41 PID 2620 wrote to memory of 3036 2620 420688.exe 41 PID 2620 wrote to memory of 3036 2620 420688.exe 41 PID 2620 wrote to memory of 3036 2620 420688.exe 41 PID 3036 wrote to memory of 3008 3036 7lffrlr.exe 42 PID 3036 wrote to memory of 3008 3036 7lffrlr.exe 42 PID 3036 wrote to memory of 3008 3036 7lffrlr.exe 42 PID 3036 wrote to memory of 3008 3036 7lffrlr.exe 42 PID 3008 wrote to memory of 2872 3008 hthntt.exe 43 PID 3008 wrote to memory of 2872 3008 hthntt.exe 43 PID 3008 wrote to memory of 2872 3008 hthntt.exe 43 PID 3008 wrote to memory of 2872 3008 hthntt.exe 43 PID 2872 wrote to memory of 2596 2872 66682.exe 44 PID 2872 wrote to memory of 2596 2872 66682.exe 44 PID 2872 wrote to memory of 2596 2872 66682.exe 44 PID 2872 wrote to memory of 2596 2872 66682.exe 44 PID 2596 wrote to memory of 1076 2596 bnhnbb.exe 45 PID 2596 wrote to memory of 1076 2596 bnhnbb.exe 45 PID 2596 wrote to memory of 1076 2596 bnhnbb.exe 45 PID 2596 wrote to memory of 1076 2596 bnhnbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe"C:\Users\Admin\AppData\Local\Temp\1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\fffrllf.exec:\fffrllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\9jddd.exec:\9jddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\vpjpp.exec:\vpjpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\w02462.exec:\w02462.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\8062266.exec:\8062266.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\3frlrxl.exec:\3frlrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\3nbbbb.exec:\3nbbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\60802.exec:\60802.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\hbbbnh.exec:\hbbbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\42468.exec:\42468.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\420688.exec:\420688.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\7lffrlr.exec:\7lffrlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\hthntt.exec:\hthntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\66682.exec:\66682.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\bnhnbb.exec:\bnhnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\42880.exec:\42880.exe17⤵
- Executes dropped EXE
PID:1076 -
\??\c:\8640668.exec:\8640668.exe18⤵
- Executes dropped EXE
PID:2384 -
\??\c:\4284264.exec:\4284264.exe19⤵
- Executes dropped EXE
PID:2024 -
\??\c:\9nbnhh.exec:\9nbnhh.exe20⤵
- Executes dropped EXE
PID:648 -
\??\c:\66808.exec:\66808.exe21⤵
- Executes dropped EXE
PID:2952 -
\??\c:\ppjdp.exec:\ppjdp.exe22⤵
- Executes dropped EXE
PID:772 -
\??\c:\480248.exec:\480248.exe23⤵
- Executes dropped EXE
PID:352 -
\??\c:\86266.exec:\86266.exe24⤵
- Executes dropped EXE
PID:1940 -
\??\c:\64668.exec:\64668.exe25⤵
- Executes dropped EXE
PID:1736 -
\??\c:\pdpvj.exec:\pdpvj.exe26⤵
- Executes dropped EXE
PID:1088 -
\??\c:\vjdpv.exec:\vjdpv.exe27⤵
- Executes dropped EXE
PID:1604 -
\??\c:\20282.exec:\20282.exe28⤵
- Executes dropped EXE
PID:896 -
\??\c:\vpjdp.exec:\vpjdp.exe29⤵
- Executes dropped EXE
PID:2424 -
\??\c:\q86020.exec:\q86020.exe30⤵
- Executes dropped EXE
PID:1716 -
\??\c:\0866284.exec:\0866284.exe31⤵
- Executes dropped EXE
PID:1988 -
\??\c:\vjvpp.exec:\vjvpp.exe32⤵
- Executes dropped EXE
PID:2452 -
\??\c:\a8624.exec:\a8624.exe33⤵
- Executes dropped EXE
PID:1696 -
\??\c:\484062.exec:\484062.exe34⤵
- Executes dropped EXE
PID:2332 -
\??\c:\hthhbh.exec:\hthhbh.exe35⤵
- Executes dropped EXE
PID:2448 -
\??\c:\vjvvj.exec:\vjvvj.exe36⤵
- Executes dropped EXE
PID:2948 -
\??\c:\c428884.exec:\c428884.exe37⤵
- Executes dropped EXE
PID:2892 -
\??\c:\ffxfxrx.exec:\ffxfxrx.exe38⤵
- Executes dropped EXE
PID:2704 -
\??\c:\e20026.exec:\e20026.exe39⤵
- Executes dropped EXE
PID:2884 -
\??\c:\866660.exec:\866660.exe40⤵
- Executes dropped EXE
PID:3040 -
\??\c:\g6006.exec:\g6006.exe41⤵
- Executes dropped EXE
PID:2752 -
\??\c:\thnhhb.exec:\thnhhb.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
\??\c:\dpdpd.exec:\dpdpd.exe43⤵
- Executes dropped EXE
PID:1128 -
\??\c:\dvddv.exec:\dvddv.exe44⤵
- Executes dropped EXE
PID:2768 -
\??\c:\k48466.exec:\k48466.exe45⤵
- Executes dropped EXE
PID:2016 -
\??\c:\lxrlrlx.exec:\lxrlrlx.exe46⤵
- Executes dropped EXE
PID:2080 -
\??\c:\0806884.exec:\0806884.exe47⤵
- Executes dropped EXE
PID:2416 -
\??\c:\jdppp.exec:\jdppp.exe48⤵
- Executes dropped EXE
PID:2388 -
\??\c:\2684242.exec:\2684242.exe49⤵
- Executes dropped EXE
PID:3052 -
\??\c:\lrxffxf.exec:\lrxffxf.exe50⤵
- Executes dropped EXE
PID:3020 -
\??\c:\fxrrlrl.exec:\fxrrlrl.exe51⤵
- Executes dropped EXE
PID:3004 -
\??\c:\08002.exec:\08002.exe52⤵
- Executes dropped EXE
PID:2336 -
\??\c:\86884.exec:\86884.exe53⤵
- Executes dropped EXE
PID:1948 -
\??\c:\rxfxfff.exec:\rxfxfff.exe54⤵
- Executes dropped EXE
PID:2176 -
\??\c:\3jjvv.exec:\3jjvv.exe55⤵
- Executes dropped EXE
PID:2012 -
\??\c:\hthhhh.exec:\hthhhh.exe56⤵
- Executes dropped EXE
PID:1596 -
\??\c:\jvpvd.exec:\jvpvd.exe57⤵
- Executes dropped EXE
PID:1580 -
\??\c:\btbhhn.exec:\btbhhn.exe58⤵
- Executes dropped EXE
PID:2672 -
\??\c:\vvpdp.exec:\vvpdp.exe59⤵
- Executes dropped EXE
PID:2044 -
\??\c:\rrrxllx.exec:\rrrxllx.exe60⤵
- Executes dropped EXE
PID:2660 -
\??\c:\46884.exec:\46884.exe61⤵
- Executes dropped EXE
PID:1900 -
\??\c:\26062.exec:\26062.exe62⤵
- Executes dropped EXE
PID:352 -
\??\c:\c404002.exec:\c404002.exe63⤵
- Executes dropped EXE
PID:1192 -
\??\c:\822462.exec:\822462.exe64⤵
- Executes dropped EXE
PID:1564 -
\??\c:\u422880.exec:\u422880.exe65⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xrlfxfl.exec:\xrlfxfl.exe66⤵PID:1484
-
\??\c:\hbtbtt.exec:\hbtbtt.exe67⤵PID:396
-
\??\c:\2028006.exec:\2028006.exe68⤵PID:1648
-
\??\c:\ffxxrxr.exec:\ffxxrxr.exe69⤵PID:3060
-
\??\c:\1bnnnt.exec:\1bnnnt.exe70⤵PID:2116
-
\??\c:\vvjdp.exec:\vvjdp.exe71⤵PID:1884
-
\??\c:\686222.exec:\686222.exe72⤵PID:988
-
\??\c:\0226008.exec:\0226008.exe73⤵PID:1756
-
\??\c:\080062.exec:\080062.exe74⤵PID:1764
-
\??\c:\c860000.exec:\c860000.exe75⤵PID:1624
-
\??\c:\dvjvj.exec:\dvjvj.exe76⤵PID:2568
-
\??\c:\08068.exec:\08068.exe77⤵PID:2916
-
\??\c:\nnhbbb.exec:\nnhbbb.exe78⤵PID:2964
-
\??\c:\6084620.exec:\6084620.exe79⤵PID:2828
-
\??\c:\dvpdp.exec:\dvpdp.exe80⤵PID:2984
-
\??\c:\fxfflll.exec:\fxfflll.exe81⤵PID:2236
-
\??\c:\2202062.exec:\2202062.exe82⤵PID:2192
-
\??\c:\3tntbh.exec:\3tntbh.exe83⤵PID:2092
-
\??\c:\26806.exec:\26806.exe84⤵PID:2816
-
\??\c:\864688.exec:\864688.exe85⤵PID:2560
-
\??\c:\fxrlfrf.exec:\fxrlfrf.exe86⤵PID:2748
-
\??\c:\c288068.exec:\c288068.exe87⤵PID:1008
-
\??\c:\vpjpd.exec:\vpjpd.exe88⤵PID:2980
-
\??\c:\bnhntt.exec:\bnhntt.exe89⤵
- System Location Discovery: System Language Discovery
PID:320 -
\??\c:\1lfrrxl.exec:\1lfrrxl.exe90⤵PID:3028
-
\??\c:\hhbnbh.exec:\hhbnbh.exe91⤵
- System Location Discovery: System Language Discovery
PID:2180 -
\??\c:\9flllxf.exec:\9flllxf.exe92⤵PID:3052
-
\??\c:\9dpdd.exec:\9dpdd.exe93⤵PID:1944
-
\??\c:\frffflx.exec:\frffflx.exe94⤵PID:2976
-
\??\c:\bnbttn.exec:\bnbttn.exe95⤵PID:1092
-
\??\c:\flxxllr.exec:\flxxllr.exe96⤵PID:2596
-
\??\c:\vvjpv.exec:\vvjpv.exe97⤵PID:1036
-
\??\c:\7rffllx.exec:\7rffllx.exe98⤵PID:2040
-
\??\c:\646006.exec:\646006.exe99⤵PID:1904
-
\??\c:\48886.exec:\48886.exe100⤵PID:1596
-
\??\c:\ffxlflx.exec:\ffxlflx.exe101⤵PID:1436
-
\??\c:\04806.exec:\04806.exe102⤵PID:2052
-
\??\c:\dpddp.exec:\dpddp.exe103⤵PID:2496
-
\??\c:\86064.exec:\86064.exe104⤵PID:1744
-
\??\c:\dvppv.exec:\dvppv.exe105⤵PID:1376
-
\??\c:\tnbbnn.exec:\tnbbnn.exe106⤵PID:728
-
\??\c:\7xxrlfl.exec:\7xxrlfl.exe107⤵PID:2512
-
\??\c:\ddpdv.exec:\ddpdv.exe108⤵PID:2432
-
\??\c:\o682222.exec:\o682222.exe109⤵PID:1720
-
\??\c:\lfxfxxf.exec:\lfxfxxf.exe110⤵PID:2636
-
\??\c:\1jpdv.exec:\1jpdv.exe111⤵PID:560
-
\??\c:\2028628.exec:\2028628.exe112⤵PID:620
-
\??\c:\hhtthh.exec:\hhtthh.exe113⤵PID:2316
-
\??\c:\0484600.exec:\0484600.exe114⤵PID:2776
-
\??\c:\btnntt.exec:\btnntt.exe115⤵PID:1692
-
\??\c:\k28084.exec:\k28084.exe116⤵PID:1448
-
\??\c:\7thhnh.exec:\7thhnh.exe117⤵PID:1472
-
\??\c:\08002.exec:\08002.exe118⤵PID:2408
-
\??\c:\jdjpj.exec:\jdjpj.exe119⤵PID:2824
-
\??\c:\btnnbh.exec:\btnnbh.exe120⤵PID:2108
-
\??\c:\frllrxl.exec:\frllrxl.exe121⤵PID:2804
-
\??\c:\pjvjp.exec:\pjvjp.exe122⤵PID:2948