Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 05:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e8308558432c25fa37aeafcf90e573bfc358f6ba62a1f8204e064e5780ef31c1.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
e8308558432c25fa37aeafcf90e573bfc358f6ba62a1f8204e064e5780ef31c1.exe
-
Size
454KB
-
MD5
bcfe4c46c86c2b7c56b4bdb12d3631cf
-
SHA1
8624cdec18a12c3a287b2f27a76756caad07c00e
-
SHA256
e8308558432c25fa37aeafcf90e573bfc358f6ba62a1f8204e064e5780ef31c1
-
SHA512
41f7820bbc7ed992da26d0c932a74ccd4129eb83bb9b4293d0e34e2938615f64c0dd22268ed9a325602cae6608153e89d461a438b86fe4f0a443d9f12cb661d4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1L:q7Tc2NYHUrAwfMp3CD1L
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/1968-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-60-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-420-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2536-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-472-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/376-458-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2844-395-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2672-370-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2936-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/292-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-256-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/748-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-238-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon 
behavioral1/memory/1912-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-205-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1612-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/356-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-574-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2436-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/956-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3060-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-840-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1868-991-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-1270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1968 dvjpv.exe 1932 868422.exe 1256 484066.exe 2436 64222.exe 2224 64624.exe 2896 nhtntb.exe 2152 frxxfxl.exe 2124 lfxfffl.exe 2700 rxrfxxx.exe 2732 680066.exe 2752 0866662.exe 2380 k28460.exe 3044 1bthhh.exe 2944 w80000.exe 2952 xrlrrfl.exe 356 020006.exe 1272 424060.exe 1900 xrffrxx.exe 2532 9rfrrll.exe 2772 frfflrl.exe 1612 8640268.exe 1788 64628.exe 376 jvppp.exe 408 xrfxfxf.exe 1812 rxxxfxx.exe 1704 u866268.exe 748 xlxxfrr.exe 1040 1rllfrx.exe 2580 o466266.exe 1032 7xlfrfl.exe 292 ntbnhn.exe 2600 048806.exe 1584 44286.exe 1036 3ddjv.exe 2572 jdvvp.exe 2460 0080620.exe 1256 48002.exe 2184 xrxlrrf.exe 2684 frrlfll.exe 2152 bththn.exe 2712 9lfrrxl.exe 3052 e48468.exe 2936 hhbhbh.exe 2672 442462.exe 1512 e82284.exe 2552 m6842.exe 956 642240.exe 2844 04224.exe 2956 xrxfrrx.exe 3028 620028.exe 2980 ddddp.exe 3040 tnhttb.exe 580 00066.exe 1300 i084086.exe 2512 2660828.exe 2592 dddjp.exe 3064 lffflrx.exe 376 llfflfl.exe 2536 c040620.exe 1496 i202468.exe 1524 s8842.exe 1912 480028.exe 748 fxrxxff.exe 3048 fxrxllf.exe -
resource yara_rule behavioral1/memory/1968-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-420-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2536-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-458-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2936-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/748-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-205-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1612-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/356-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-87-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2124-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-991-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-1071-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-1078-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-1097-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2688-1134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-1177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-1220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-1270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-1277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-1326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-1336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-1355-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4806640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c468080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0448488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k46622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44646.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1684 wrote to memory of 1968 1684 e8308558432c25fa37aeafcf90e573bfc358f6ba62a1f8204e064e5780ef31c1.exe 30 PID 1684 wrote to memory of 1968 1684 e8308558432c25fa37aeafcf90e573bfc358f6ba62a1f8204e064e5780ef31c1.exe 30 PID 1684 wrote to memory of 1968 1684 e8308558432c25fa37aeafcf90e573bfc358f6ba62a1f8204e064e5780ef31c1.exe 30 PID 1684 wrote to memory of 1968 1684 e8308558432c25fa37aeafcf90e573bfc358f6ba62a1f8204e064e5780ef31c1.exe 30 PID 1968 wrote to memory of 1932 1968 dvjpv.exe 31 PID 1968 wrote to memory of 1932 1968 dvjpv.exe 31 PID 1968 wrote to memory of 1932 1968 dvjpv.exe 31 PID 1968 wrote to memory of 1932 1968 dvjpv.exe 31 PID 1932 wrote to memory of 1256 1932 868422.exe 66 PID 1932 wrote to memory of 1256 1932 868422.exe 66 PID 1932 wrote to memory of 1256 1932 868422.exe 66 PID 1932 wrote to memory of 1256 1932 868422.exe 66 PID 1256 wrote to memory of 2436 1256 484066.exe 33 PID 1256 wrote to memory of 2436 1256 484066.exe 33 PID 1256 wrote to memory of 2436 1256 484066.exe 33 PID 1256 wrote to memory of 2436 1256 484066.exe 33 PID 2436 wrote to memory of 2224 2436 64222.exe 34 PID 2436 wrote to memory of 2224 2436 64222.exe 34 PID 2436 wrote to memory of 2224 2436 64222.exe 34 PID 2436 wrote to memory of 2224 2436 64222.exe 34 PID 2224 wrote to memory of 2896 2224 64624.exe 35 PID 2224 wrote to memory of 2896 2224 64624.exe 35 PID 2224 wrote to memory of 2896 2224 64624.exe 35 PID 2224 wrote to memory of 2896 2224 64624.exe 35 PID 2896 wrote to memory of 2152 2896 nhtntb.exe 69 PID 2896 wrote to memory of 2152 2896 nhtntb.exe 69 PID 2896 wrote to memory of 2152 2896 nhtntb.exe 69 PID 2896 wrote to memory of 2152 2896 nhtntb.exe 69 PID 2152 wrote to memory of 2124 2152 frxxfxl.exe 37 PID 2152 wrote to memory of 2124 2152 frxxfxl.exe 37 PID 2152 wrote to memory of 2124 2152 frxxfxl.exe 37 PID 2152 wrote to memory of 2124 2152 frxxfxl.exe 37 PID 2124 wrote to memory of 2700 2124 lfxfffl.exe 38 PID 2124 wrote to 
memory of 2700 2124 lfxfffl.exe 38 PID 2124 wrote to memory of 2700 2124 lfxfffl.exe 38 PID 2124 wrote to memory of 2700 2124 lfxfffl.exe 38 PID 2700 wrote to memory of 2732 2700 rxrfxxx.exe 39 PID 2700 wrote to memory of 2732 2700 rxrfxxx.exe 39 PID 2700 wrote to memory of 2732 2700 rxrfxxx.exe 39 PID 2700 wrote to memory of 2732 2700 rxrfxxx.exe 39 PID 2732 wrote to memory of 2752 2732 680066.exe 40 PID 2732 wrote to memory of 2752 2732 680066.exe 40 PID 2732 wrote to memory of 2752 2732 680066.exe 40 PID 2732 wrote to memory of 2752 2732 680066.exe 40 PID 2752 wrote to memory of 2380 2752 0866662.exe 41 PID 2752 wrote to memory of 2380 2752 0866662.exe 41 PID 2752 wrote to memory of 2380 2752 0866662.exe 41 PID 2752 wrote to memory of 2380 2752 0866662.exe 41 PID 2380 wrote to memory of 3044 2380 k28460.exe 42 PID 2380 wrote to memory of 3044 2380 k28460.exe 42 PID 2380 wrote to memory of 3044 2380 k28460.exe 42 PID 2380 wrote to memory of 3044 2380 k28460.exe 42 PID 3044 wrote to memory of 2944 3044 1bthhh.exe 43 PID 3044 wrote to memory of 2944 3044 1bthhh.exe 43 PID 3044 wrote to memory of 2944 3044 1bthhh.exe 43 PID 3044 wrote to memory of 2944 3044 1bthhh.exe 43 PID 2944 wrote to memory of 2952 2944 w80000.exe 44 PID 2944 wrote to memory of 2952 2944 w80000.exe 44 PID 2944 wrote to memory of 2952 2944 w80000.exe 44 PID 2944 wrote to memory of 2952 2944 w80000.exe 44 PID 2952 wrote to memory of 356 2952 xrlrrfl.exe 45 PID 2952 wrote to memory of 356 2952 xrlrrfl.exe 45 PID 2952 wrote to memory of 356 2952 xrlrrfl.exe 45 PID 2952 wrote to memory of 356 2952 xrlrrfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8308558432c25fa37aeafcf90e573bfc358f6ba62a1f8204e064e5780ef31c1.exe"C:\Users\Admin\AppData\Local\Temp\e8308558432c25fa37aeafcf90e573bfc358f6ba62a1f8204e064e5780ef31c1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\dvjpv.exec:\dvjpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\868422.exec:\868422.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\484066.exec:\484066.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\64222.exec:\64222.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\64624.exec:\64624.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\nhtntb.exec:\nhtntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\frxxfxl.exec:\frxxfxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\lfxfffl.exec:\lfxfffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\rxrfxxx.exec:\rxrfxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\680066.exec:\680066.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\0866662.exec:\0866662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\k28460.exec:\k28460.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\1bthhh.exec:\1bthhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\w80000.exec:\w80000.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\xrlrrfl.exec:\xrlrrfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\020006.exec:\020006.exe17⤵
- Executes dropped EXE
PID:356 -
\??\c:\424060.exec:\424060.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1272 -
\??\c:\xrffrxx.exec:\xrffrxx.exe19⤵
- Executes dropped EXE
PID:1900 -
\??\c:\9rfrrll.exec:\9rfrrll.exe20⤵
- Executes dropped EXE
PID:2532 -
\??\c:\frfflrl.exec:\frfflrl.exe21⤵
- Executes dropped EXE
PID:2772 -
\??\c:\8640268.exec:\8640268.exe22⤵
- Executes dropped EXE
PID:1612 -
\??\c:\64628.exec:\64628.exe23⤵
- Executes dropped EXE
PID:1788 -
\??\c:\jvppp.exec:\jvppp.exe24⤵
- Executes dropped EXE
PID:376 -
\??\c:\xrfxfxf.exec:\xrfxfxf.exe25⤵
- Executes dropped EXE
PID:408 -
\??\c:\rxxxfxx.exec:\rxxxfxx.exe26⤵
- Executes dropped EXE
PID:1812 -
\??\c:\u866268.exec:\u866268.exe27⤵
- Executes dropped EXE
PID:1704 -
\??\c:\xlxxfrr.exec:\xlxxfrr.exe28⤵
- Executes dropped EXE
PID:748 -
\??\c:\1rllfrx.exec:\1rllfrx.exe29⤵
- Executes dropped EXE
PID:1040 -
\??\c:\o466266.exec:\o466266.exe30⤵
- Executes dropped EXE
PID:2580 -
\??\c:\7xlfrfl.exec:\7xlfrfl.exe31⤵
- Executes dropped EXE
PID:1032 -
\??\c:\ntbnhn.exec:\ntbnhn.exe32⤵
- Executes dropped EXE
PID:292 -
\??\c:\048806.exec:\048806.exe33⤵
- Executes dropped EXE
PID:2600 -
\??\c:\44286.exec:\44286.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\3ddjv.exec:\3ddjv.exe35⤵
- Executes dropped EXE
PID:1036 -
\??\c:\jdvvp.exec:\jdvvp.exe36⤵
- Executes dropped EXE
PID:2572 -
\??\c:\0080620.exec:\0080620.exe37⤵
- Executes dropped EXE
PID:2460 -
\??\c:\48002.exec:\48002.exe38⤵
- Executes dropped EXE
PID:1256 -
\??\c:\xrxlrrf.exec:\xrxlrrf.exe39⤵
- Executes dropped EXE
PID:2184 -
\??\c:\frrlfll.exec:\frrlfll.exe40⤵
- Executes dropped EXE
PID:2684 -
\??\c:\bththn.exec:\bththn.exe41⤵
- Executes dropped EXE
PID:2152 -
\??\c:\9lfrrxl.exec:\9lfrrxl.exe42⤵
- Executes dropped EXE
PID:2712 -
\??\c:\e48468.exec:\e48468.exe43⤵
- Executes dropped EXE
PID:3052 -
\??\c:\hhbhbh.exec:\hhbhbh.exe44⤵
- Executes dropped EXE
PID:2936 -
\??\c:\442462.exec:\442462.exe45⤵
- Executes dropped EXE
PID:2672 -
\??\c:\e82284.exec:\e82284.exe46⤵
- Executes dropped EXE
PID:1512 -
\??\c:\m6842.exec:\m6842.exe47⤵
- Executes dropped EXE
PID:2552 -
\??\c:\642240.exec:\642240.exe48⤵
- Executes dropped EXE
PID:956 -
\??\c:\04224.exec:\04224.exe49⤵
- Executes dropped EXE
PID:2844 -
\??\c:\xrxfrrx.exec:\xrxfrrx.exe50⤵
- Executes dropped EXE
PID:2956 -
\??\c:\620028.exec:\620028.exe51⤵
- Executes dropped EXE
PID:3028 -
\??\c:\ddddp.exec:\ddddp.exe52⤵
- Executes dropped EXE
PID:2980 -
\??\c:\tnhttb.exec:\tnhttb.exe53⤵
- Executes dropped EXE
PID:3040 -
\??\c:\00066.exec:\00066.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:580 -
\??\c:\i084086.exec:\i084086.exe55⤵
- Executes dropped EXE
PID:1300 -
\??\c:\2660828.exec:\2660828.exe56⤵
- Executes dropped EXE
PID:2512 -
\??\c:\dddjp.exec:\dddjp.exe57⤵
- Executes dropped EXE
PID:2592 -
\??\c:\lffflrx.exec:\lffflrx.exe58⤵
- Executes dropped EXE
PID:3064 -
\??\c:\llfflfl.exec:\llfflfl.exe59⤵
- Executes dropped EXE
PID:376 -
\??\c:\c040620.exec:\c040620.exe60⤵
- Executes dropped EXE
PID:2536 -
\??\c:\i202468.exec:\i202468.exe61⤵
- Executes dropped EXE
PID:1496 -
\??\c:\s8842.exec:\s8842.exe62⤵
- Executes dropped EXE
PID:1524 -
\??\c:\480028.exec:\480028.exe63⤵
- Executes dropped EXE
PID:1912 -
\??\c:\fxrxxff.exec:\fxrxxff.exe64⤵
- Executes dropped EXE
PID:748 -
\??\c:\fxrxllf.exec:\fxrxllf.exe65⤵
- Executes dropped EXE
PID:3048 -
\??\c:\btbhtb.exec:\btbhtb.exe66⤵PID:1032
-
\??\c:\6464624.exec:\6464624.exe67⤵PID:1936
-
\??\c:\u026602.exec:\u026602.exe68⤵PID:1948
-
\??\c:\jjppv.exec:\jjppv.exe69⤵PID:2056
-
\??\c:\pjddv.exec:\pjddv.exe70⤵PID:2324
-
\??\c:\xfffllx.exec:\xfffllx.exe71⤵PID:2572
-
\??\c:\lrlrfll.exec:\lrlrfll.exe72⤵PID:1680
-
\??\c:\lrlrffr.exec:\lrlrffr.exe73⤵PID:2008
-
\??\c:\7nhbbt.exec:\7nhbbt.exe74⤵PID:2184
-
\??\c:\444846.exec:\444846.exe75⤵PID:2684
-
\??\c:\7lffllx.exec:\7lffllx.exe76⤵PID:2420
-
\??\c:\hhbtbn.exec:\hhbtbn.exe77⤵PID:2436
-
\??\c:\642864.exec:\642864.exe78⤵PID:2936
-
\??\c:\lxxflrl.exec:\lxxflrl.exe79⤵PID:2828
-
\??\c:\vjjjd.exec:\vjjjd.exe80⤵PID:1664
-
\??\c:\2220846.exec:\2220846.exe81⤵PID:2792
-
\??\c:\lxllllr.exec:\lxllllr.exe82⤵PID:956
-
\??\c:\7thnbh.exec:\7thnbh.exe83⤵PID:1624
-
\??\c:\20280.exec:\20280.exe84⤵PID:2832
-
\??\c:\vvjpj.exec:\vvjpj.exe85⤵PID:2440
-
\??\c:\dpddj.exec:\dpddj.exe86⤵PID:2796
-
\??\c:\0806862.exec:\0806862.exe87⤵PID:2068
-
\??\c:\1djvj.exec:\1djvj.exe88⤵PID:3060
-
\??\c:\200660.exec:\200660.exe89⤵PID:832
-
\??\c:\jpjdj.exec:\jpjdj.exe90⤵PID:1740
-
\??\c:\1thtbb.exec:\1thtbb.exe91⤵PID:2736
-
\??\c:\thtttt.exec:\thtttt.exe92⤵PID:2524
-
\??\c:\864404.exec:\864404.exe93⤵PID:2096
-
\??\c:\9bntth.exec:\9bntth.exe94⤵PID:1296
-
\??\c:\7bnbbt.exec:\7bnbbt.exe95⤵PID:2024
-
\??\c:\tnhhnh.exec:\tnhhnh.exe96⤵PID:2772
-
\??\c:\64000.exec:\64000.exe97⤵PID:376
-
\??\c:\262608.exec:\262608.exe98⤵PID:2040
-
\??\c:\c422400.exec:\c422400.exe99⤵PID:1284
-
\??\c:\240400.exec:\240400.exe100⤵PID:1044
-
\??\c:\pdppp.exec:\pdppp.exe101⤵PID:1800
-
\??\c:\0488446.exec:\0488446.exe102⤵PID:892
-
\??\c:\1rxrxxx.exec:\1rxrxxx.exe103⤵PID:1100
-
\??\c:\s4666.exec:\s4666.exe104⤵PID:1852
-
\??\c:\0046042.exec:\0046042.exe105⤵PID:1720
-
\??\c:\7lxfrfr.exec:\7lxfrfr.exe106⤵PID:2656
-
\??\c:\8622422.exec:\8622422.exe107⤵PID:1812
-
\??\c:\46626.exec:\46626.exe108⤵PID:1772
-
\??\c:\a2884.exec:\a2884.exe109⤵PID:3048
-
\??\c:\nhbbnt.exec:\nhbbnt.exe110⤵PID:1032
-
\??\c:\xrlxxrx.exec:\xrlxxrx.exe111⤵PID:2392
-
\??\c:\q60284.exec:\q60284.exe112⤵PID:868
-
\??\c:\5pjpj.exec:\5pjpj.exe113⤵PID:864
-
\??\c:\008020.exec:\008020.exe114⤵PID:1844
-
\??\c:\080662.exec:\080662.exe115⤵PID:2080
-
\??\c:\tnhhbn.exec:\tnhhbn.exe116⤵PID:2428
-
\??\c:\dvvjj.exec:\dvvjj.exe117⤵PID:2448
-
\??\c:\bbbthh.exec:\bbbthh.exe118⤵PID:2352
-
\??\c:\nhnhhh.exec:\nhnhhh.exe119⤵PID:2288
-
\??\c:\6022888.exec:\6022888.exe120⤵PID:2124
-
\??\c:\42444.exec:\42444.exe121⤵PID:2704
-
\??\c:\20262.exec:\20262.exe122⤵PID:2900