Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17/12/2024, 22:25
Behavioral task
behavioral1
Sample
6771caafa04088a93e2611937ddb31dbc0a145d3fab0929f7c679a05bce99666N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
6771caafa04088a93e2611937ddb31dbc0a145d3fab0929f7c679a05bce99666N.exe
-
Size
376KB
-
MD5
7c3a978c1722da9c5a16e0dc5646ba40
-
SHA1
3da4cc484c7743f50414e60bdea0b2d7b3e79c2c
-
SHA256
6771caafa04088a93e2611937ddb31dbc0a145d3fab0929f7c679a05bce99666
-
SHA512
4962f2e083949f86e41ef8099a6a01ec1f63cae6921b433ac984e7d35f72d87d3cd5fc8fe4b10e7a3c523c855cdca1cdf2dc051663de30e4b3a6ee82e06f99fd
-
SSDEEP
6144:0cm4FmowdHoSHWVs+QEoD/dL/4oSlCIqbKRs4EkfRDaPRrnVkWHQmA:C4wFHoS2Vs+IdMoSzqkR5RWVVWmA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 51 IoCs (YARA rule `family_blackmoon` matched on process memory dumps; matches are listed below)
resource yara_rule behavioral1/memory/2720-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2192-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-24-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2780-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2692-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3036-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2824-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2696-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2748-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1220-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/592-80-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2156-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1540-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1540-137-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1044-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2764-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2764-157-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/1868-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2452-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1932-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1796-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/864-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2044-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1872-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1872-248-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon behavioral1/memory/1728-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1496-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2620-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3036-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2272-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/836-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1768-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/492-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1996-427-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2752-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2352-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2532-543-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2332-568-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1520-579-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1532-617-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2640-645-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2004-698-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2112-751-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1848-803-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2496-831-0x0000000000320000-0x0000000000347000-memory.dmp family_blackmoon behavioral1/memory/2332-854-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/672-1025-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/372-1072-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2936-1127-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2896-1152-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon behavioral1/memory/2836-1159-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list is capped at 64 entries; the process tree below shows the chain continuing to depth 122). Every dropped executable is written to and run from the root of C:\ (e.g. `\??\c:\rlxxflx.exe`) under a randomly generated name, so hunting should key on executables created in the drive root rather than on file names.
pid Process 2720 rlxxflx.exe 2780 8824680.exe 2692 tthnbb.exe 3036 224600.exe 2824 00464.exe 2696 9bhtht.exe 2748 xrffrxf.exe 592 hhbtnt.exe 1220 822028.exe 2396 rlxfrxf.exe 2156 88260.exe 2864 668068.exe 1232 pjddv.exe 1540 tnnbtb.exe 1044 pjdjj.exe 2764 8824802.exe 1720 lfxflrf.exe 1868 ppjpj.exe 2452 lfxfxfl.exe 1932 600820.exe 1796 4464664.exe 2412 fxxfflf.exe 864 pvjjp.exe 2044 824422.exe 1476 ttnbnn.exe 1872 048040.exe 960 28242.exe 376 2608642.exe 832 jjdjp.exe 1728 ffxfrxf.exe 872 08286.exe 3052 tbtnnt.exe 1496 9frllxr.exe 2788 fxrfrxr.exe 2580 26064.exe 2780 c480802.exe 2608 3hhhth.exe 2620 608040.exe 3036 4086086.exe 2572 40420.exe 1660 5dvdd.exe 3016 k48084.exe 1308 226606.exe 568 9tnnnh.exe 1216 0460224.exe 2272 nnbhbh.exe 836 5dvvp.exe 1768 htnbnb.exe 492 nhhnbb.exe 1232 ddvjd.exe 1996 tttnbn.exe 1272 84408.exe 1756 224484.exe 112 4828626.exe 1376 pjvdj.exe 2752 3vpdv.exe 2448 886864.exe 2352 htbtbt.exe 1076 04286.exe 1508 6602686.exe 1796 8268020.exe 2424 0008622.exe 1684 0082002.exe 864 fxrxxxr.exe -
resource yara_rule behavioral1/memory/2192-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000b000000012280-8.dat upx behavioral1/memory/2720-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2192-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001939f-17.dat upx behavioral1/files/0x00070000000193d0-26.dat upx behavioral1/memory/2692-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2780-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3036-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2692-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000193f9-35.dat upx behavioral1/files/0x0006000000019426-47.dat upx behavioral1/memory/3036-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019428-57.dat upx behavioral1/memory/2824-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2696-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000194c3-65.dat upx behavioral1/memory/2748-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000194d5-77.dat upx behavioral1/files/0x0005000000019647-85.dat upx behavioral1/memory/1220-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001964f-95.dat upx behavioral1/files/0x0005000000019650-103.dat upx behavioral1/memory/2156-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0032000000019354-112.dat upx behavioral1/files/0x00050000000197e4-122.dat upx behavioral1/memory/1540-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019a85-130.dat upx behavioral1/files/0x0005000000019b16-139.dat upx behavioral1/memory/1044-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019b18-148.dat upx 
behavioral1/files/0x0005000000019c79-160.dat upx behavioral1/memory/2764-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c8f-168.dat upx behavioral1/files/0x0005000000019c91-177.dat upx behavioral1/memory/1868-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019cc8-187.dat upx behavioral1/memory/2452-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1932-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019d98-196.dat upx behavioral1/memory/1796-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019f62-204.dat upx behavioral1/files/0x0005000000019f77-212.dat upx behavioral1/files/0x000500000001a077-222.dat upx behavioral1/memory/864-221-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a07f-232.dat upx behavioral1/memory/2044-230-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a0b4-240.dat upx behavioral1/memory/1872-250-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a30e-251.dat upx behavioral1/files/0x000500000001a340-258.dat upx behavioral1/files/0x000500000001a444-266.dat upx behavioral1/files/0x000500000001a446-275.dat upx behavioral1/files/0x000500000001a447-286.dat upx behavioral1/memory/1728-284-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a448-293.dat upx behavioral1/memory/1496-307-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2608-326-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2620-340-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3036-347-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2272-392-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/836-399-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/1768-407-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/492-414-0x0000000000400000-0x0000000000427000-memory.dmp upx — YARA rule `upx` matched both the dropped `.dat` files and the 0x00400000–0x00427000 image of every listed process, which is consistent with each stage being the same UPX-packed binary re-dropped under a new name (to be confirmed by comparing the dropped files' hashes).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Entries attributed to "Process not Found" are registry opens whose originating process the sandbox could not resolve by name, most likely because the short-lived child had already exited.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0440846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2200886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
0008622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64 entries). Each parent writes into the child it has just spawned, forming a strictly linear chain (2192 → 2720 → 2780 → 2692 → …); no process writes into an unrelated or pre-existing process in the visible data, so this is evidence of the self-propagating drop-and-execute chain rather than of injection into system processes.
description pid Process procid_target PID 2192 wrote to memory of 2720 2192 6771caafa04088a93e2611937ddb31dbc0a145d3fab0929f7c679a05bce99666N.exe 30 PID 2192 wrote to memory of 2720 2192 6771caafa04088a93e2611937ddb31dbc0a145d3fab0929f7c679a05bce99666N.exe 30 PID 2192 wrote to memory of 2720 2192 6771caafa04088a93e2611937ddb31dbc0a145d3fab0929f7c679a05bce99666N.exe 30 PID 2192 wrote to memory of 2720 2192 6771caafa04088a93e2611937ddb31dbc0a145d3fab0929f7c679a05bce99666N.exe 30 PID 2720 wrote to memory of 2780 2720 rlxxflx.exe 31 PID 2720 wrote to memory of 2780 2720 rlxxflx.exe 31 PID 2720 wrote to memory of 2780 2720 rlxxflx.exe 31 PID 2720 wrote to memory of 2780 2720 rlxxflx.exe 31 PID 2780 wrote to memory of 2692 2780 8824680.exe 32 PID 2780 wrote to memory of 2692 2780 8824680.exe 32 PID 2780 wrote to memory of 2692 2780 8824680.exe 32 PID 2780 wrote to memory of 2692 2780 8824680.exe 32 PID 2692 wrote to memory of 3036 2692 tthnbb.exe 33 PID 2692 wrote to memory of 3036 2692 tthnbb.exe 33 PID 2692 wrote to memory of 3036 2692 tthnbb.exe 33 PID 2692 wrote to memory of 3036 2692 tthnbb.exe 33 PID 3036 wrote to memory of 2824 3036 224600.exe 34 PID 3036 wrote to memory of 2824 3036 224600.exe 34 PID 3036 wrote to memory of 2824 3036 224600.exe 34 PID 3036 wrote to memory of 2824 3036 224600.exe 34 PID 2824 wrote to memory of 2696 2824 00464.exe 35 PID 2824 wrote to memory of 2696 2824 00464.exe 35 PID 2824 wrote to memory of 2696 2824 00464.exe 35 PID 2824 wrote to memory of 2696 2824 00464.exe 35 PID 2696 wrote to memory of 2748 2696 9bhtht.exe 36 PID 2696 wrote to memory of 2748 2696 9bhtht.exe 36 PID 2696 wrote to memory of 2748 2696 9bhtht.exe 36 PID 2696 wrote to memory of 2748 2696 9bhtht.exe 36 PID 2748 wrote to memory of 592 2748 xrffrxf.exe 37 PID 2748 wrote to memory of 592 2748 xrffrxf.exe 37 PID 2748 wrote to memory of 592 2748 xrffrxf.exe 37 PID 2748 wrote to memory of 592 2748 xrffrxf.exe 37 PID 592 wrote to memory of 1220 592 hhbtnt.exe 38 PID 592 
wrote to memory of 1220 592 hhbtnt.exe 38 PID 592 wrote to memory of 1220 592 hhbtnt.exe 38 PID 592 wrote to memory of 1220 592 hhbtnt.exe 38 PID 1220 wrote to memory of 2396 1220 822028.exe 39 PID 1220 wrote to memory of 2396 1220 822028.exe 39 PID 1220 wrote to memory of 2396 1220 822028.exe 39 PID 1220 wrote to memory of 2396 1220 822028.exe 39 PID 2396 wrote to memory of 2156 2396 rlxfrxf.exe 40 PID 2396 wrote to memory of 2156 2396 rlxfrxf.exe 40 PID 2396 wrote to memory of 2156 2396 rlxfrxf.exe 40 PID 2396 wrote to memory of 2156 2396 rlxfrxf.exe 40 PID 2156 wrote to memory of 2864 2156 88260.exe 41 PID 2156 wrote to memory of 2864 2156 88260.exe 41 PID 2156 wrote to memory of 2864 2156 88260.exe 41 PID 2156 wrote to memory of 2864 2156 88260.exe 41 PID 2864 wrote to memory of 1232 2864 668068.exe 42 PID 2864 wrote to memory of 1232 2864 668068.exe 42 PID 2864 wrote to memory of 1232 2864 668068.exe 42 PID 2864 wrote to memory of 1232 2864 668068.exe 42 PID 1232 wrote to memory of 1540 1232 pjddv.exe 43 PID 1232 wrote to memory of 1540 1232 pjddv.exe 43 PID 1232 wrote to memory of 1540 1232 pjddv.exe 43 PID 1232 wrote to memory of 1540 1232 pjddv.exe 43 PID 1540 wrote to memory of 1044 1540 tnnbtb.exe 44 PID 1540 wrote to memory of 1044 1540 tnnbtb.exe 44 PID 1540 wrote to memory of 1044 1540 tnnbtb.exe 44 PID 1540 wrote to memory of 1044 1540 tnnbtb.exe 44 PID 1044 wrote to memory of 2764 1044 pjdjj.exe 45 PID 1044 wrote to memory of 2764 1044 pjdjj.exe 45 PID 1044 wrote to memory of 2764 1044 pjdjj.exe 45 PID 1044 wrote to memory of 2764 1044 pjdjj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6771caafa04088a93e2611937ddb31dbc0a145d3fab0929f7c679a05bce99666N.exe"C:\Users\Admin\AppData\Local\Temp\6771caafa04088a93e2611937ddb31dbc0a145d3fab0929f7c679a05bce99666N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\rlxxflx.exec:\rlxxflx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\8824680.exec:\8824680.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\tthnbb.exec:\tthnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\224600.exec:\224600.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\00464.exec:\00464.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\9bhtht.exec:\9bhtht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\xrffrxf.exec:\xrffrxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\hhbtnt.exec:\hhbtnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
\??\c:\822028.exec:\822028.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\rlxfrxf.exec:\rlxfrxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\88260.exec:\88260.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\668068.exec:\668068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\pjddv.exec:\pjddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\tnnbtb.exec:\tnnbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\pjdjj.exec:\pjdjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\8824802.exec:\8824802.exe17⤵
- Executes dropped EXE
PID:2764 -
\??\c:\lfxflrf.exec:\lfxflrf.exe18⤵
- Executes dropped EXE
PID:1720 -
\??\c:\ppjpj.exec:\ppjpj.exe19⤵
- Executes dropped EXE
PID:1868 -
\??\c:\lfxfxfl.exec:\lfxfxfl.exe20⤵
- Executes dropped EXE
PID:2452 -
\??\c:\600820.exec:\600820.exe21⤵
- Executes dropped EXE
PID:1932 -
\??\c:\4464664.exec:\4464664.exe22⤵
- Executes dropped EXE
PID:1796 -
\??\c:\fxxfflf.exec:\fxxfflf.exe23⤵
- Executes dropped EXE
PID:2412 -
\??\c:\pvjjp.exec:\pvjjp.exe24⤵
- Executes dropped EXE
PID:864 -
\??\c:\824422.exec:\824422.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044 -
\??\c:\ttnbnn.exec:\ttnbnn.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1476 -
\??\c:\048040.exec:\048040.exe27⤵
- Executes dropped EXE
PID:1872 -
\??\c:\28242.exec:\28242.exe28⤵
- Executes dropped EXE
PID:960 -
\??\c:\2608642.exec:\2608642.exe29⤵
- Executes dropped EXE
PID:376 -
\??\c:\jjdjp.exec:\jjdjp.exe30⤵
- Executes dropped EXE
PID:832 -
\??\c:\ffxfrxf.exec:\ffxfrxf.exe31⤵
- Executes dropped EXE
PID:1728 -
\??\c:\08286.exec:\08286.exe32⤵
- Executes dropped EXE
PID:872 -
\??\c:\tbtnnt.exec:\tbtnnt.exe33⤵
- Executes dropped EXE
PID:3052 -
\??\c:\9frllxr.exec:\9frllxr.exe34⤵
- Executes dropped EXE
PID:1496 -
\??\c:\fxrfrxr.exec:\fxrfrxr.exe35⤵
- Executes dropped EXE
PID:2788 -
\??\c:\26064.exec:\26064.exe36⤵
- Executes dropped EXE
PID:2580 -
\??\c:\c480802.exec:\c480802.exe37⤵
- Executes dropped EXE
PID:2780 -
\??\c:\3hhhth.exec:\3hhhth.exe38⤵
- Executes dropped EXE
PID:2608 -
\??\c:\608040.exec:\608040.exe39⤵
- Executes dropped EXE
PID:2620 -
\??\c:\4086086.exec:\4086086.exe40⤵
- Executes dropped EXE
PID:3036 -
\??\c:\40420.exec:\40420.exe41⤵
- Executes dropped EXE
PID:2572 -
\??\c:\5dvdd.exec:\5dvdd.exe42⤵
- Executes dropped EXE
PID:1660 -
\??\c:\k48084.exec:\k48084.exe43⤵
- Executes dropped EXE
PID:3016 -
\??\c:\226606.exec:\226606.exe44⤵
- Executes dropped EXE
PID:1308 -
\??\c:\9tnnnh.exec:\9tnnnh.exe45⤵
- Executes dropped EXE
PID:568 -
\??\c:\0460224.exec:\0460224.exe46⤵
- Executes dropped EXE
PID:1216 -
\??\c:\nnbhbh.exec:\nnbhbh.exe47⤵
- Executes dropped EXE
PID:2272 -
\??\c:\5dvvp.exec:\5dvvp.exe48⤵
- Executes dropped EXE
PID:836 -
\??\c:\htnbnb.exec:\htnbnb.exe49⤵
- Executes dropped EXE
PID:1768 -
\??\c:\nhhnbb.exec:\nhhnbb.exe50⤵
- Executes dropped EXE
PID:492 -
\??\c:\ddvjd.exec:\ddvjd.exe51⤵
- Executes dropped EXE
PID:1232 -
\??\c:\tttnbn.exec:\tttnbn.exe52⤵
- Executes dropped EXE
PID:1996 -
\??\c:\84408.exec:\84408.exe53⤵
- Executes dropped EXE
PID:1272 -
\??\c:\224484.exec:\224484.exe54⤵
- Executes dropped EXE
PID:1756 -
\??\c:\4828626.exec:\4828626.exe55⤵
- Executes dropped EXE
PID:112 -
\??\c:\pjvdj.exec:\pjvdj.exe56⤵
- Executes dropped EXE
PID:1376 -
\??\c:\3vpdv.exec:\3vpdv.exe57⤵
- Executes dropped EXE
PID:2752 -
\??\c:\886864.exec:\886864.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2448 -
\??\c:\htbtbt.exec:\htbtbt.exe59⤵
- Executes dropped EXE
PID:2352 -
\??\c:\04286.exec:\04286.exe60⤵
- Executes dropped EXE
PID:1076 -
\??\c:\6602686.exec:\6602686.exe61⤵
- Executes dropped EXE
PID:1508 -
\??\c:\8268020.exec:\8268020.exe62⤵
- Executes dropped EXE
PID:1796 -
\??\c:\0008622.exec:\0008622.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424 -
\??\c:\0082002.exec:\0082002.exe64⤵
- Executes dropped EXE
PID:1684 -
\??\c:\fxrxxxr.exec:\fxrxxxr.exe65⤵
- Executes dropped EXE
PID:864 -
\??\c:\hhhnbb.exec:\hhhnbb.exe66⤵PID:2488
-
\??\c:\4266846.exec:\4266846.exe67⤵PID:1888
-
\??\c:\rfrlrrx.exec:\rfrlrrx.exe68⤵PID:896
-
\??\c:\3pvpj.exec:\3pvpj.exe69⤵PID:2492
-
\??\c:\486260.exec:\486260.exe70⤵PID:2368
-
\??\c:\3frxrfl.exec:\3frxrfl.exe71⤵PID:2516
-
\??\c:\1htnht.exec:\1htnht.exe72⤵PID:2532
-
\??\c:\4822680.exec:\4822680.exe73⤵PID:2384
-
\??\c:\bnhtbh.exec:\bnhtbh.exe74⤵PID:2508
-
\??\c:\8246880.exec:\8246880.exe75⤵PID:1556
-
\??\c:\5nnthn.exec:\5nnthn.exe76⤵PID:2332
-
\??\c:\fllfxrx.exec:\fllfxrx.exe77⤵PID:1520
-
\??\c:\q22468.exec:\q22468.exe78⤵PID:1528
-
\??\c:\268484.exec:\268484.exe79⤵PID:2732
-
\??\c:\608480.exec:\608480.exe80⤵PID:2736
-
\??\c:\pjvdj.exec:\pjvdj.exe81⤵PID:2772
-
\??\c:\226466.exec:\226466.exe82⤵PID:2600
-
\??\c:\2848260.exec:\2848260.exe83⤵PID:1532
-
\??\c:\48662.exec:\48662.exe84⤵PID:2640
-
\??\c:\ttbntn.exec:\ttbntn.exe85⤵PID:2636
-
\??\c:\ttnthn.exec:\ttnthn.exe86⤵PID:2696
-
\??\c:\q80624.exec:\q80624.exe87⤵PID:1424
-
\??\c:\jddjp.exec:\jddjp.exe88⤵PID:592
-
\??\c:\a6024.exec:\a6024.exe89⤵PID:984
-
\??\c:\6088664.exec:\6088664.exe90⤵PID:2432
-
\??\c:\jvpdp.exec:\jvpdp.exe91⤵PID:2164
-
\??\c:\rlxlrxl.exec:\rlxlrxl.exe92⤵PID:2820
-
\??\c:\1hbbbh.exec:\1hbbbh.exe93⤵PID:1732
-
\??\c:\1vddd.exec:\1vddd.exe94⤵PID:1752
-
\??\c:\4840280.exec:\4840280.exe95⤵PID:2004
-
\??\c:\dvpvd.exec:\dvpvd.exe96⤵PID:1452
-
\??\c:\2602620.exec:\2602620.exe97⤵PID:2756
-
\??\c:\bbbbtb.exec:\bbbbtb.exe98⤵PID:852
-
\??\c:\bbbbnb.exec:\bbbbnb.exe99⤵PID:2064
-
\??\c:\60808.exec:\60808.exe100⤵PID:1736
-
\??\c:\4240668.exec:\4240668.exe101⤵PID:1740
-
\??\c:\nhnbth.exec:\nhnbth.exe102⤵PID:2752
-
\??\c:\0028680.exec:\0028680.exe103⤵PID:2112
-
\??\c:\u262024.exec:\u262024.exe104⤵PID:1472
-
\??\c:\7dpdv.exec:\7dpdv.exe105⤵PID:1508
-
\??\c:\1ddpd.exec:\1ddpd.exe106⤵PID:688
-
\??\c:\rrrxflx.exec:\rrrxflx.exe107⤵PID:2424
-
\??\c:\m6404.exec:\m6404.exe108⤵PID:1804
-
\??\c:\820044.exec:\820044.exe109⤵PID:864
-
\??\c:\lllrlll.exec:\lllrlll.exe110⤵PID:1364
-
\??\c:\0464228.exec:\0464228.exe111⤵PID:1848
-
\??\c:\m0448.exec:\m0448.exe112⤵PID:2972
-
\??\c:\s2064.exec:\s2064.exe113⤵PID:932
-
\??\c:\2220024.exec:\2220024.exe114⤵PID:1808
-
\??\c:\jvjdd.exec:\jvjdd.exe115⤵PID:2496
-
\??\c:\ppjdp.exec:\ppjdp.exe116⤵PID:1676
-
\??\c:\ffflxxf.exec:\ffflxxf.exe117⤵PID:2388
-
\??\c:\nhhtbn.exec:\nhhtbn.exe118⤵PID:1228
-
\??\c:\hhbnbn.exec:\hhbnbn.exe119⤵PID:2332
-
\??\c:\bttbtt.exec:\bttbtt.exe120⤵PID:1520
-
\??\c:\5vvpd.exec:\5vvpd.exe121⤵PID:1992
-
\??\c:\lxrfrll.exec:\lxrfrll.exe122⤵PID:1800