Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 21:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe
-
Size
456KB
-
MD5
54ce8b9840612af3ea0f31dc26d5d998
-
SHA1
0a686ecc450c5a6cf808b262f929596d00a1e5fe
-
SHA256
3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2
-
SHA512
d9b15aff7f86a4a43cc04619b305bd031ce423cd546c0cc8b8513e8b1bf6a9c04bfd324df8c7d5a17114b1bff9f8afc0427502e6e7eb462ea7c5623f137c1989
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2:q7Tc2NYHUrAwfMp3CDR2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2756-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-187-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/296-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2800-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/108-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1200-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-346-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2580-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/856-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-391-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2860-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-436-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1252-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-476-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1732-495-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2444-508-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/908-515-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1512-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-594-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/868-665-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1832-717-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2536-759-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/908-793-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/352-806-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/748-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/748-817-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2676-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-846-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/2840-938-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-951-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2184 fxrxxrx.exe 2712 60668.exe 2780 bbntbh.exe 3008 2088666.exe 2592 4244002.exe 2736 s0200.exe 2584 xfrlfxx.exe 2120 nbtnnh.exe 264 20240.exe 2260 4200002.exe 2312 jpppd.exe 2896 lllrllf.exe 2836 u644006.exe 836 8026220.exe 2088 7nbnnh.exe 2748 480644.exe 2028 frfxfxx.exe 2400 024626.exe 1392 20268.exe 3036 886408.exe 2448 2022488.exe 2536 868288.exe 296 vvjjj.exe 1140 htbhbb.exe 2348 3dddj.exe 604 jvddd.exe 1856 rxlxfrx.exe 1720 bbthth.exe 560 084882.exe 1416 60464.exe 2136 202288.exe 2500 w02288.exe 1520 68440.exe 2800 4200668.exe 2732 3ffffff.exe 108 204800.exe 3008 lrfxxrx.exe 1200 lfflxfr.exe 2832 thnhhh.exe 2580 bbnnnn.exe 2584 828466.exe 1776 pjddp.exe 856 llxflfr.exe 2284 64884.exe 2904 602222.exe 2860 ffflxxl.exe 2752 w02248.exe 2040 0804628.exe 2880 68628.exe 2920 ddppv.exe 484 5ddvj.exe 1252 9hhntb.exe 1892 rxrrrrx.exe 1676 flfxfrx.exe 3032 tthhtn.exe 1040 ffxxflf.exe 860 tntttn.exe 952 dpdjj.exe 2924 1flffxx.exe 1732 pjvpj.exe 296 86222.exe 2444 tnnhnh.exe 908 866824.exe 1616 488468.exe -
resource yara_rule behavioral1/memory/2756-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-187-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/296-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-275-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/560-270-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2500-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/856-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-408-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1252-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/748-814-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2676-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-951-0x00000000002B0000-0x00000000002DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6800046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c024686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2000606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o684044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2600284.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2756 wrote to memory of 2184 2756 3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe 31 PID 2756 wrote to memory of 2184 2756 3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe 31 PID 2756 wrote to memory of 2184 2756 3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe 31 PID 2756 wrote to memory of 2184 2756 3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe 31 PID 2184 wrote to memory of 2712 2184 fxrxxrx.exe 32 PID 2184 wrote to memory of 2712 2184 fxrxxrx.exe 32 PID 2184 wrote to memory of 2712 2184 fxrxxrx.exe 32 PID 2184 wrote to memory of 2712 2184 fxrxxrx.exe 32 PID 2712 wrote to memory of 2780 2712 60668.exe 33 PID 2712 wrote to memory of 2780 2712 60668.exe 33 PID 2712 wrote to memory of 2780 2712 60668.exe 33 PID 2712 wrote to memory of 2780 2712 60668.exe 33 PID 2780 wrote to memory of 3008 2780 bbntbh.exe 34 PID 2780 wrote to memory of 3008 2780 bbntbh.exe 34 PID 2780 wrote to memory of 3008 2780 bbntbh.exe 34 PID 2780 wrote to memory of 3008 2780 bbntbh.exe 34 PID 3008 wrote to memory of 2592 3008 2088666.exe 35 PID 3008 wrote to memory of 2592 3008 2088666.exe 35 PID 3008 wrote to memory of 2592 3008 2088666.exe 35 PID 3008 wrote to memory of 2592 3008 2088666.exe 35 PID 2592 wrote to memory of 2736 2592 4244002.exe 36 PID 2592 wrote to memory of 2736 2592 4244002.exe 36 PID 2592 wrote to memory of 2736 2592 4244002.exe 36 PID 2592 wrote to memory of 2736 2592 4244002.exe 36 PID 2736 wrote to memory of 2584 2736 s0200.exe 37 PID 2736 wrote to memory of 2584 2736 s0200.exe 37 PID 2736 wrote to memory of 2584 2736 s0200.exe 37 PID 2736 wrote to memory of 2584 2736 s0200.exe 37 PID 2584 wrote to memory of 2120 2584 xfrlfxx.exe 38 PID 2584 wrote to memory of 2120 2584 xfrlfxx.exe 38 PID 2584 wrote to memory of 2120 2584 xfrlfxx.exe 38 PID 2584 wrote to memory of 2120 2584 xfrlfxx.exe 38 PID 2120 wrote to memory of 264 2120 nbtnnh.exe 39 PID 
2120 wrote to memory of 264 2120 nbtnnh.exe 39 PID 2120 wrote to memory of 264 2120 nbtnnh.exe 39 PID 2120 wrote to memory of 264 2120 nbtnnh.exe 39 PID 264 wrote to memory of 2260 264 20240.exe 40 PID 264 wrote to memory of 2260 264 20240.exe 40 PID 264 wrote to memory of 2260 264 20240.exe 40 PID 264 wrote to memory of 2260 264 20240.exe 40 PID 2260 wrote to memory of 2312 2260 4200002.exe 41 PID 2260 wrote to memory of 2312 2260 4200002.exe 41 PID 2260 wrote to memory of 2312 2260 4200002.exe 41 PID 2260 wrote to memory of 2312 2260 4200002.exe 41 PID 2312 wrote to memory of 2896 2312 jpppd.exe 42 PID 2312 wrote to memory of 2896 2312 jpppd.exe 42 PID 2312 wrote to memory of 2896 2312 jpppd.exe 42 PID 2312 wrote to memory of 2896 2312 jpppd.exe 42 PID 2896 wrote to memory of 2836 2896 lllrllf.exe 43 PID 2896 wrote to memory of 2836 2896 lllrllf.exe 43 PID 2896 wrote to memory of 2836 2896 lllrllf.exe 43 PID 2896 wrote to memory of 2836 2896 lllrllf.exe 43 PID 2836 wrote to memory of 836 2836 u644006.exe 44 PID 2836 wrote to memory of 836 2836 u644006.exe 44 PID 2836 wrote to memory of 836 2836 u644006.exe 44 PID 2836 wrote to memory of 836 2836 u644006.exe 44 PID 836 wrote to memory of 2088 836 8026220.exe 45 PID 836 wrote to memory of 2088 836 8026220.exe 45 PID 836 wrote to memory of 2088 836 8026220.exe 45 PID 836 wrote to memory of 2088 836 8026220.exe 45 PID 2088 wrote to memory of 2748 2088 7nbnnh.exe 46 PID 2088 wrote to memory of 2748 2088 7nbnnh.exe 46 PID 2088 wrote to memory of 2748 2088 7nbnnh.exe 46 PID 2088 wrote to memory of 2748 2088 7nbnnh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe"C:\Users\Admin\AppData\Local\Temp\3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\fxrxxrx.exec:\fxrxxrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\60668.exec:\60668.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\bbntbh.exec:\bbntbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\2088666.exec:\2088666.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\4244002.exec:\4244002.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\s0200.exec:\s0200.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\xfrlfxx.exec:\xfrlfxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\nbtnnh.exec:\nbtnnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\20240.exec:\20240.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\4200002.exec:\4200002.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\jpppd.exec:\jpppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\lllrllf.exec:\lllrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\u644006.exec:\u644006.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\8026220.exec:\8026220.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\7nbnnh.exec:\7nbnnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\480644.exec:\480644.exe17⤵
- Executes dropped EXE
PID:2748 -
\??\c:\frfxfxx.exec:\frfxfxx.exe18⤵
- Executes dropped EXE
PID:2028 -
\??\c:\024626.exec:\024626.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400 -
\??\c:\20268.exec:\20268.exe20⤵
- Executes dropped EXE
PID:1392 -
\??\c:\886408.exec:\886408.exe21⤵
- Executes dropped EXE
PID:3036 -
\??\c:\2022488.exec:\2022488.exe22⤵
- Executes dropped EXE
PID:2448 -
\??\c:\868288.exec:\868288.exe23⤵
- Executes dropped EXE
PID:2536 -
\??\c:\vvjjj.exec:\vvjjj.exe24⤵
- Executes dropped EXE
PID:296 -
\??\c:\htbhbb.exec:\htbhbb.exe25⤵
- Executes dropped EXE
PID:1140 -
\??\c:\3dddj.exec:\3dddj.exe26⤵
- Executes dropped EXE
PID:2348 -
\??\c:\jvddd.exec:\jvddd.exe27⤵
- Executes dropped EXE
PID:604 -
\??\c:\rxlxfrx.exec:\rxlxfrx.exe28⤵
- Executes dropped EXE
PID:1856 -
\??\c:\bbthth.exec:\bbthth.exe29⤵
- Executes dropped EXE
PID:1720 -
\??\c:\084882.exec:\084882.exe30⤵
- Executes dropped EXE
PID:560 -
\??\c:\60464.exec:\60464.exe31⤵
- Executes dropped EXE
PID:1416 -
\??\c:\202288.exec:\202288.exe32⤵
- Executes dropped EXE
PID:2136 -
\??\c:\w02288.exec:\w02288.exe33⤵
- Executes dropped EXE
PID:2500 -
\??\c:\68440.exec:\68440.exe34⤵
- Executes dropped EXE
PID:1520 -
\??\c:\4200668.exec:\4200668.exe35⤵
- Executes dropped EXE
PID:2800 -
\??\c:\3ffffff.exec:\3ffffff.exe36⤵
- Executes dropped EXE
PID:2732 -
\??\c:\204800.exec:\204800.exe37⤵
- Executes dropped EXE
PID:108 -
\??\c:\lrfxxrx.exec:\lrfxxrx.exe38⤵
- Executes dropped EXE
PID:3008 -
\??\c:\lfflxfr.exec:\lfflxfr.exe39⤵
- Executes dropped EXE
PID:1200 -
\??\c:\thnhhh.exec:\thnhhh.exe40⤵
- Executes dropped EXE
PID:2832 -
\??\c:\bbnnnn.exec:\bbnnnn.exe41⤵
- Executes dropped EXE
PID:2580 -
\??\c:\828466.exec:\828466.exe42⤵
- Executes dropped EXE
PID:2584 -
\??\c:\pjddp.exec:\pjddp.exe43⤵
- Executes dropped EXE
PID:1776 -
\??\c:\llxflfr.exec:\llxflfr.exe44⤵
- Executes dropped EXE
PID:856 -
\??\c:\64884.exec:\64884.exe45⤵
- Executes dropped EXE
PID:2284 -
\??\c:\602222.exec:\602222.exe46⤵
- Executes dropped EXE
PID:2904 -
\??\c:\ffflxxl.exec:\ffflxxl.exe47⤵
- Executes dropped EXE
PID:2860 -
\??\c:\w02248.exec:\w02248.exe48⤵
- Executes dropped EXE
PID:2752 -
\??\c:\0804628.exec:\0804628.exe49⤵
- Executes dropped EXE
PID:2040 -
\??\c:\68628.exec:\68628.exe50⤵
- Executes dropped EXE
PID:2880 -
\??\c:\ddppv.exec:\ddppv.exe51⤵
- Executes dropped EXE
PID:2920 -
\??\c:\5ddvj.exec:\5ddvj.exe52⤵
- Executes dropped EXE
PID:484 -
\??\c:\9hhntb.exec:\9hhntb.exe53⤵
- Executes dropped EXE
PID:1252 -
\??\c:\rxrrrrx.exec:\rxrrrrx.exe54⤵
- Executes dropped EXE
PID:1892 -
\??\c:\flfxfrx.exec:\flfxfrx.exe55⤵
- Executes dropped EXE
PID:1676 -
\??\c:\tthhtn.exec:\tthhtn.exe56⤵
- Executes dropped EXE
PID:3032 -
\??\c:\ffxxflf.exec:\ffxxflf.exe57⤵
- Executes dropped EXE
PID:1040 -
\??\c:\tntttn.exec:\tntttn.exe58⤵
- Executes dropped EXE
PID:860 -
\??\c:\dpdjj.exec:\dpdjj.exe59⤵
- Executes dropped EXE
PID:952 -
\??\c:\1flffxx.exec:\1flffxx.exe60⤵
- Executes dropped EXE
PID:2924 -
\??\c:\pjvpj.exec:\pjvpj.exe61⤵
- Executes dropped EXE
PID:1732 -
\??\c:\86222.exec:\86222.exe62⤵
- Executes dropped EXE
PID:296 -
\??\c:\tnnhnh.exec:\tnnhnh.exe63⤵
- Executes dropped EXE
PID:2444 -
\??\c:\866824.exec:\866824.exe64⤵
- Executes dropped EXE
PID:908 -
\??\c:\488468.exec:\488468.exe65⤵
- Executes dropped EXE
PID:1616 -
\??\c:\tbtthb.exec:\tbtthb.exe66⤵PID:468
-
\??\c:\k28884.exec:\k28884.exe67⤵PID:980
-
\??\c:\4246684.exec:\4246684.exe68⤵PID:624
-
\??\c:\3xllllr.exec:\3xllllr.exe69⤵PID:976
-
\??\c:\a6406.exec:\a6406.exe70⤵PID:2396
-
\??\c:\frfllxr.exec:\frfllxr.exe71⤵PID:568
-
\??\c:\frxrxxf.exec:\frxrxxf.exe72⤵PID:2456
-
\??\c:\6800002.exec:\6800002.exe73⤵PID:1512
-
\??\c:\864088.exec:\864088.exe74⤵PID:2720
-
\??\c:\0284828.exec:\0284828.exe75⤵PID:2700
-
\??\c:\42040.exec:\42040.exe76⤵PID:1508
-
\??\c:\9jvdj.exec:\9jvdj.exe77⤵PID:2508
-
\??\c:\824400.exec:\824400.exe78⤵PID:2824
-
\??\c:\nhbbht.exec:\nhbbht.exe79⤵PID:3008
-
\??\c:\xrfxllr.exec:\xrfxllr.exe80⤵PID:1200
-
\??\c:\86228.exec:\86228.exe81⤵PID:2636
-
\??\c:\m8224.exec:\m8224.exe82⤵PID:2644
-
\??\c:\rfrrxxx.exec:\rfrrxxx.exe83⤵PID:2616
-
\??\c:\08006.exec:\08006.exe84⤵PID:2424
-
\??\c:\fxlrrrx.exec:\fxlrrrx.exe85⤵PID:2928
-
\??\c:\nbtbnn.exec:\nbtbnn.exe86⤵PID:2100
-
\??\c:\u422006.exec:\u422006.exe87⤵PID:868
-
\??\c:\9tnnbb.exec:\9tnnbb.exe88⤵PID:772
-
\??\c:\6426284.exec:\6426284.exe89⤵PID:1864
-
\??\c:\hbhtbb.exec:\hbhtbb.exe90⤵PID:2836
-
\??\c:\dvjjp.exec:\dvjjp.exe91⤵PID:1936
-
\??\c:\g0402.exec:\g0402.exe92⤵PID:1832
-
\??\c:\08048.exec:\08048.exe93⤵PID:2392
-
\??\c:\s0468.exec:\s0468.exe94⤵PID:2884
-
\??\c:\bnhhnn.exec:\bnhhnn.exe95⤵PID:1556
-
\??\c:\vpjjp.exec:\vpjjp.exe96⤵PID:1260
-
\??\c:\2426666.exec:\2426666.exe97⤵PID:2116
-
\??\c:\0424228.exec:\0424228.exe98⤵PID:2220
-
\??\c:\2088440.exec:\2088440.exe99⤵PID:3040
-
\??\c:\bhthbb.exec:\bhthbb.exe100⤵PID:752
-
\??\c:\8608600.exec:\8608600.exe101⤵PID:268
-
\??\c:\482480.exec:\482480.exe102⤵PID:2536
-
\??\c:\bnnhhh.exec:\bnnhhh.exe103⤵PID:1704
-
\??\c:\vpddv.exec:\vpddv.exe104⤵PID:1876
-
\??\c:\22062.exec:\22062.exe105⤵PID:1688
-
\??\c:\jdppv.exec:\jdppv.exe106⤵PID:1668
-
\??\c:\jvjjj.exec:\jvjjj.exe107⤵PID:908
-
\??\c:\2028406.exec:\2028406.exe108⤵PID:2540
-
\??\c:\9jvjv.exec:\9jvjv.exe109⤵PID:352
-
\??\c:\424066.exec:\424066.exe110⤵PID:1640
-
\??\c:\u206268.exec:\u206268.exe111⤵PID:748
-
\??\c:\1vjpp.exec:\1vjpp.exe112⤵PID:2856
-
\??\c:\462220.exec:\462220.exe113⤵PID:2208
-
\??\c:\642866.exec:\642866.exe114⤵PID:2436
-
\??\c:\86440.exec:\86440.exe115⤵PID:2676
-
\??\c:\dpjjp.exec:\dpjjp.exe116⤵PID:884
-
\??\c:\2600286.exec:\2600286.exe117⤵PID:2800
-
\??\c:\0622402.exec:\0622402.exe118⤵PID:1096
-
\??\c:\1frllll.exec:\1frllll.exe119⤵PID:2604
-
\??\c:\9rfflll.exec:\9rfflll.exe120⤵PID:2608
-
\??\c:\lfxxxfx.exec:\lfxxxfx.exe121⤵PID:2684
-
\??\c:\llfxlrf.exec:\llfxlrf.exe122⤵PID:2388