Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2024 23:59

Behavioral task: behavioral1
Sample: 73be99099641aa91746b4938124988dbccd195342f287be188406b57a98d2ba0.exe
Resource: win7-20241010-en
9 signatures, 150 seconds
General
Target: 73be99099641aa91746b4938124988dbccd195342f287be188406b57a98d2ba0.exe
Size: 3.7MB
MD5: ba1c24b2d74a8a09351d3f6a64a7af23
SHA1: 3c0d35568a4525242cdba87ef34efce57b3eb424
SHA256: 73be99099641aa91746b4938124988dbccd195342f287be188406b57a98d2ba0
SHA512: cd690a7ec3464522421fbd87c11ebb5403f61745176fdeebc140a3f73928b9199c3a27a1791b76c6f22baa002142b017ba1cf9b66df7e1db790771764c317c1d
SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98l:U6XLq/qPPslzKx/dJg1ErmNI
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 46 IoCs
Njrat family
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree, one process per line: depth in the tree, image path, command line, PID, and the signatures that fired for that process.

1. C:\Users\Admin\AppData\Local\Temp\73be99099641aa91746b4938124988dbccd195342f287be188406b57a98d2ba0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\73be99099641aa91746b4938124988dbccd195342f287be188406b57a98d2ba0.exe") PID:2956 - Suspicious use of WriteProcessMemory
2. \??\c:\dpddv.exe (command line: c:\dpddv.exe) PID:2108 - Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\80880.exe (command line: c:\80880.exe) PID:2900 - Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\pdvvd.exe (command line: c:\pdvvd.exe) PID:1196 - Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\rflflrr.exe (command line: c:\rflflrr.exe) PID:2736 - Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\268066.exe (command line: c:\268066.exe) PID:2868 - Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\pjvpv.exe (command line: c:\pjvpv.exe) PID:2636 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
8. \??\c:\824644.exe (command line: c:\824644.exe) PID:2440 - Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\2066268.exe (command line: c:\2066268.exe) PID:2968 - Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\68060.exe (command line: c:\68060.exe) PID:1200 - Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\flxffrr.exe (command line: c:\flxffrr.exe) PID:860 - Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\flfffxf.exe (command line: c:\flfffxf.exe) PID:2268 - Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\frxflxr.exe (command line: c:\frxflxr.exe) PID:2984 - Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\htnhnh.exe (command line: c:\htnhnh.exe) PID:3044 - Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\bbnnbb.exe (command line: c:\bbnnbb.exe) PID:572 - Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\04628.exe (command line: c:\04628.exe) PID:2412 - Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\pdjvd.exe (command line: c:\pdjvd.exe) PID:536 - Executes dropped EXE
18. \??\c:\bthntt.exe (command line: c:\bthntt.exe) PID:1632 - Executes dropped EXE
19. \??\c:\868622.exe (command line: c:\868622.exe) PID:1940 - Executes dropped EXE
20. \??\c:\bnbttt.exe (command line: c:\bnbttt.exe) PID:2188 - Executes dropped EXE
21. \??\c:\w20024.exe (command line: c:\w20024.exe) PID:1836 - Executes dropped EXE
22. \??\c:\rlxfflr.exe (command line: c:\rlxfflr.exe) PID:1148 - Executes dropped EXE
23. \??\c:\608066.exe (command line: c:\608066.exe) PID:340 - Executes dropped EXE
24. \??\c:\2408048.exe (command line: c:\2408048.exe) PID:1664 - Executes dropped EXE
25. \??\c:\1fxxxxr.exe (command line: c:\1fxxxxr.exe) PID:1816 - Executes dropped EXE
26. \??\c:\48640.exe (command line: c:\48640.exe) PID:764 - Executes dropped EXE
27. \??\c:\frfxllx.exe (command line: c:\frfxllx.exe) PID:2760 - Executes dropped EXE
28. \??\c:\jvjpp.exe (command line: c:\jvjpp.exe) PID:2356 - Executes dropped EXE
29. \??\c:\nbhbbb.exe (command line: c:\nbhbbb.exe) PID:1924 - Executes dropped EXE
30. \??\c:\02462.exe (command line: c:\02462.exe) PID:2152 - Executes dropped EXE
31. \??\c:\lxfrxxf.exe (command line: c:\lxfrxxf.exe) PID:1576 - Executes dropped EXE
32. \??\c:\9ntbnh.exe (command line: c:\9ntbnh.exe) PID:2168 - Executes dropped EXE
33. \??\c:\frrlllf.exe (command line: c:\frrlllf.exe) PID:1788 - Executes dropped EXE
34. \??\c:\48002.exe (command line: c:\48002.exe) PID:1580 - Executes dropped EXE
35. \??\c:\004044.exe (command line: c:\004044.exe) PID:2464 - Executes dropped EXE
36. \??\c:\5jvdv.exe (command line: c:\5jvdv.exe) PID:2896 - Executes dropped EXE
37. \??\c:\rflrfxl.exe (command line: c:\rflrfxl.exe) PID:2728 - Executes dropped EXE
38. \??\c:\nhnbbt.exe (command line: c:\nhnbbt.exe) PID:2628 - Executes dropped EXE
39. \??\c:\2444444.exe (command line: c:\2444444.exe) PID:3032 - Executes dropped EXE
40. \??\c:\0422222.exe (command line: c:\0422222.exe) PID:2644 - Executes dropped EXE
41. \??\c:\pvjjp.exe (command line: c:\pvjjp.exe) PID:2632 - Executes dropped EXE
42. \??\c:\1rxrlfl.exe (command line: c:\1rxrlfl.exe) PID:2948 - Executes dropped EXE
43. \??\c:\0806600.exe (command line: c:\0806600.exe) PID:2724 - Executes dropped EXE
44. \??\c:\dvdpp.exe (command line: c:\dvdpp.exe) PID:936 - Executes dropped EXE
45. \??\c:\lflflxf.exe (command line: c:\lflflxf.exe) PID:1676 - Executes dropped EXE; System Location Discovery: System Language Discovery
46. \??\c:\a6280.exe (command line: c:\a6280.exe) PID:1340 - Executes dropped EXE
47. \??\c:\088882.exe (command line: c:\088882.exe) PID:2036 - Executes dropped EXE
48. \??\c:\fxflrrf.exe (command line: c:\fxflrrf.exe) PID:2300 - Executes dropped EXE
49. \??\c:\00886.exe (command line: c:\00886.exe) PID:2844 - Executes dropped EXE; System Location Discovery: System Language Discovery
50. \??\c:\8684462.exe (command line: c:\8684462.exe) PID:2996 - Executes dropped EXE
51. \??\c:\thhhhh.exe (command line: c:\thhhhh.exe) PID:2856 - Executes dropped EXE
52. \??\c:\c022266.exe (command line: c:\c022266.exe) PID:3048 - Executes dropped EXE
53. \??\c:\420022.exe (command line: c:\420022.exe) PID:2688 - Executes dropped EXE
54. \??\c:\000228.exe (command line: c:\000228.exe) PID:3016 - Executes dropped EXE
55. \??\c:\llxxlrx.exe (command line: c:\llxxlrx.exe) PID:2076 - Executes dropped EXE
56. \??\c:\826200.exe (command line: c:\826200.exe) PID:1808 - Executes dropped EXE
57. \??\c:\08620.exe (command line: c:\08620.exe) PID:1868 - Executes dropped EXE
58. \??\c:\6046668.exe (command line: c:\6046668.exe) PID:2180 - Executes dropped EXE
59. \??\c:\64668.exe (command line: c:\64668.exe) PID:1608 - Executes dropped EXE
60. \??\c:\bbbthn.exe (command line: c:\bbbthn.exe) PID:1836 - Executes dropped EXE
61. \??\c:\04628.exe (command line: c:\04628.exe) PID:1572 - Executes dropped EXE
62. \??\c:\9nhbnb.exe (command line: c:\9nhbnb.exe) PID:1324 - Executes dropped EXE
63. \??\c:\426802.exe (command line: c:\426802.exe) PID:2572 - Executes dropped EXE
64. \??\c:\0828446.exe (command line: c:\0828446.exe) PID:1724 - Executes dropped EXE
65. \??\c:\4866488.exe (command line: c:\4866488.exe) PID:1544 - Executes dropped EXE
66. \??\c:\0880444.exe (command line: c:\0880444.exe) PID:1984
67. \??\c:\7vvpp.exe (command line: c:\7vvpp.exe) PID:2760
68. \??\c:\rfxrxff.exe (command line: c:\rfxrxff.exe) PID:1076
69. \??\c:\jpjvd.exe (command line: c:\jpjvd.exe) PID:1252
70. \??\c:\rfrxxfx.exe (command line: c:\rfrxxfx.exe) PID:1924
71. \??\c:\202086.exe (command line: c:\202086.exe) PID:2368
72. \??\c:\jvjdp.exe (command line: c:\jvjdp.exe) PID:1764
73. \??\c:\jvvdd.exe (command line: c:\jvvdd.exe) PID:356
74. \??\c:\680060.exe (command line: c:\680060.exe) PID:816
75. \??\c:\lxxxxxx.exe (command line: c:\lxxxxxx.exe) PID:1056
76. \??\c:\rlxfxlx.exe (command line: c:\rlxfxlx.exe) PID:1580 - System Location Discovery: System Language Discovery
77. \??\c:\jvdjj.exe (command line: c:\jvdjj.exe) PID:2748
78. \??\c:\nhhhtt.exe (command line: c:\nhhhtt.exe) PID:1872
79. \??\c:\hnttbn.exe (command line: c:\hnttbn.exe) PID:2912
80. \??\c:\40424.exe (command line: c:\40424.exe) PID:2116
81. \??\c:\4040002.exe (command line: c:\4040002.exe) PID:2892
82. \??\c:\642660.exe (command line: c:\642660.exe) PID:2676
83. \??\c:\w04666.exe (command line: c:\w04666.exe) PID:2684
84. \??\c:\9htbbh.exe (command line: c:\9htbbh.exe) PID:2664
85. \??\c:\2240644.exe (command line: c:\2240644.exe) PID:2824
86. \??\c:\3btbhh.exe (command line: c:\3btbhh.exe) PID:2832
87. \??\c:\htntbb.exe (command line: c:\htntbb.exe) PID:2992
88. \??\c:\84844.exe (command line: c:\84844.exe) PID:2156 - System Location Discovery: System Language Discovery
89. \??\c:\rlxxxxr.exe (command line: c:\rlxxxxr.exe) PID:2436
90. \??\c:\5dpvp.exe (command line: c:\5dpvp.exe) PID:1412
91. \??\c:\vpvdj.exe (command line: c:\vpvdj.exe) PID:1152
92. \??\c:\pdjdv.exe (command line: c:\pdjdv.exe) PID:2268
93. \??\c:\7pdvd.exe (command line: c:\7pdvd.exe) PID:2980
94. \??\c:\82646.exe (command line: c:\82646.exe) PID:3000
95. \??\c:\048024.exe (command line: c:\048024.exe) PID:3008
96. \??\c:\pjvvj.exe (command line: c:\pjvvj.exe) PID:3060
97. \??\c:\nhbnbn.exe (command line: c:\nhbnbn.exe) PID:2008
98. \??\c:\bntbtb.exe (command line: c:\bntbtb.exe) PID:2272
99. \??\c:\xrrxrlx.exe (command line: c:\xrrxrlx.exe) PID:536
100. \??\c:\60402.exe (command line: c:\60402.exe) PID:1632
101. \??\c:\dvvjp.exe (command line: c:\dvvjp.exe) PID:996
102. \??\c:\9rxfxfl.exe (command line: c:\9rxfxfl.exe) PID:1156
103. \??\c:\026440.exe (command line: c:\026440.exe) PID:2188
104. \??\c:\8866884.exe (command line: c:\8866884.exe) PID:2044 - System Location Discovery: System Language Discovery
105. \??\c:\xrlxlfr.exe (command line: c:\xrlxlfr.exe) PID:340
106. \??\c:\a4802.exe (command line: c:\a4802.exe) PID:2584
107. \??\c:\0600066.exe (command line: c:\0600066.exe) PID:1796
108. \??\c:\7fxxllr.exe (command line: c:\7fxxllr.exe) PID:2404
109. \??\c:\fxlrxrx.exe (command line: c:\fxlrxrx.exe) PID:1972
110. \??\c:\046688.exe (command line: c:\046688.exe) PID:484
111. \??\c:\tbbnhn.exe (command line: c:\tbbnhn.exe) PID:608
112. \??\c:\046220.exe (command line: c:\046220.exe) PID:2376
113. \??\c:\64624.exe (command line: c:\64624.exe) PID:2140
114. \??\c:\20062.exe (command line: c:\20062.exe) PID:352
115. \??\c:\446222.exe (command line: c:\446222.exe) PID:3064
116. \??\c:\6206266.exe (command line: c:\6206266.exe) PID:892 - System Location Discovery: System Language Discovery
117. \??\c:\646062.exe (command line: c:\646062.exe) PID:1640
118. \??\c:\jvjvj.exe (command line: c:\jvjvj.exe) PID:2168
119. \??\c:\vpddd.exe (command line: c:\vpddd.exe) PID:1988
120. \??\c:\i860606.exe (command line: c:\i860606.exe) PID:2884
121. \??\c:\9bbbth.exe (command line: c:\9bbbth.exe) PID:2880
122. \??\c:\3nbtth.exe (command line: c:\3nbtth.exe) PID:2896