Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
18-12-2024 03:55
Behavioral task
behavioral1
Sample
28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe
-
Size
65KB
-
MD5
852322870ee743d9424efc1451bf4f90
-
SHA1
3e7f874aa7baf702debd3fa32e371aaf773001f7
-
SHA256
28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4
-
SHA512
d9205e7253d2357f009d413741dd90b3f0a9656ba3292f001413b3c71122cfbed1ff8e8cb49a7a0ed590a1f7b7ff8517e4ca2c64ea956de03fed52630e3f9c7d
-
SSDEEP
1536:tvQBeOGtrYS3srx93UBWfwC6Ggnouy8gA2l5CcSgui36:thOmTsF93UYfwC6GIoutgVocSr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2036-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2044-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2788-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3012-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2804-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2944-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2736-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2704-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2356-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2944-92-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1256-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1164-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1484-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/492-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1744-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1708-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2056-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1404-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2148-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1524-284-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon 
behavioral1/memory/1444-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/752-368-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/752-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1640-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1688-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1688-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1496-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1084-430-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1084-432-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2536-446-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/372-478-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2288-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2516-531-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2820-608-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2744-637-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2576-651-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/336-664-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3048-672-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/940-749-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/940-748-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/564-756-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2020-783-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2328-797-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2328-798-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1492-931-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2552-1006-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2964-1124-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2964-1143-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2044 4240884.exe 1912 604800.exe 3012 4206228.exe 2788 48068.exe 2944 5fxfrxl.exe 2804 3dpdd.exe 2796 g2046.exe 2704 a8662.exe 2736 bbbbbn.exe 2356 hhbhtn.exe 2572 xffrrlf.exe 1256 2684628.exe 1164 0826240.exe 1496 vjppv.exe 2888 xrlflrx.exe 1484 86406.exe 492 m0602.exe 2560 jdppd.exe 2212 0860006.exe 2108 ppdjd.exe 1744 262884.exe 1708 40408.exe 2056 k86244.exe 2320 dpjvj.exe 1404 i228440.exe 876 3rffllr.exe 2148 jdvjv.exe 1488 vppvv.exe 2364 c866284.exe 1796 fxfrfff.exe 1524 5dpvd.exe 2128 u666228.exe 1604 nbntbh.exe 1692 nnttbh.exe 1632 60840.exe 1444 1thnnt.exe 2416 jvdjp.exe 2812 lfrrrrx.exe 2784 hbtbnb.exe 2996 4428666.exe 3016 rlxxfff.exe 2840 64246.exe 2988 6040628.exe 752 04226.exe 2680 08400.exe 1640 hbthtt.exe 3036 400020.exe 1688 vjpjd.exe 776 vddvj.exe 2992 g4842.exe 1496 5hbbhn.exe 1128 hhnnnn.exe 1084 2680662.exe 2236 o422884.exe 2536 bnbbnn.exe 2400 422266.exe 2212 pjvdp.exe 2108 thntbb.exe 1780 i844662.exe 372 5xlrrll.exe 804 pjvjp.exe 644 9llfrrr.exe 2320 bbnhtb.exe 1620 1rllrlf.exe -
resource yara_rule behavioral1/memory/2036-1-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000c00000001202c-8.dat upx behavioral1/memory/2036-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016dbc-15.dat upx behavioral1/memory/1912-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2044-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016dc0-27.dat upx behavioral1/memory/2788-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016dc8-37.dat upx behavioral1/memory/3012-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000017466-54.dat upx behavioral1/files/0x0007000000017021-46.dat upx behavioral1/memory/2796-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2804-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001746f-63.dat upx behavioral1/memory/2804-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2944-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2796-73-0x00000000001B0000-0x00000000001D7000-memory.dmp upx behavioral1/files/0x00080000000174aa-76.dat upx behavioral1/memory/2796-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2736-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0033000000018650-85.dat upx behavioral1/memory/2704-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195fe-105.dat upx behavioral1/memory/2356-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195fd-96.dat upx behavioral1/files/0x00050000000195ff-114.dat upx behavioral1/memory/1256-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1256-121-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/files/0x0005000000019601-122.dat upx behavioral1/memory/1164-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019603-130.dat upx behavioral1/files/0x0005000000019605-139.dat upx behavioral1/files/0x0005000000019615-147.dat upx behavioral1/files/0x0005000000019659-156.dat upx behavioral1/memory/1484-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001969b-166.dat upx behavioral1/memory/492-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000196ed-173.dat upx behavioral1/files/0x0005000000019999-182.dat upx behavioral1/files/0x0005000000019c32-189.dat upx behavioral1/memory/1744-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c34-199.dat upx behavioral1/files/0x0005000000019c36-207.dat upx behavioral1/memory/1708-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c50-218.dat upx behavioral1/memory/2320-217-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2056-216-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1404-227-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016d46-226.dat upx behavioral1/files/0x0005000000019d18-235.dat upx behavioral1/files/0x0005000000019d40-242.dat upx behavioral1/files/0x0005000000019da9-252.dat upx behavioral1/memory/2148-250-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019db5-260.dat upx behavioral1/files/0x0005000000019f9a-267.dat upx behavioral1/files/0x0005000000019fb8-275.dat upx behavioral1/files/0x000500000001a071-286.dat upx behavioral1/memory/1444-318-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2812-325-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/752-362-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/752-371-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1640-384-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1688-391-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w42862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i822884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8260606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c266440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2036 wrote to memory of 2044 2036 28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe 30 PID 2036 wrote to memory of 2044 2036 28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe 30 PID 2036 wrote to memory of 2044 2036 28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe 30 PID 2036 wrote to memory of 2044 2036 28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe 30 PID 2044 wrote to memory of 1912 2044 4240884.exe 31 PID 2044 wrote to memory of 1912 2044 4240884.exe 31 PID 2044 wrote to memory of 1912 2044 4240884.exe 31 PID 2044 wrote to memory of 1912 2044 4240884.exe 31 PID 1912 wrote to memory of 3012 1912 604800.exe 32 PID 1912 wrote to memory of 3012 1912 604800.exe 32 PID 1912 wrote to memory of 3012 1912 604800.exe 32 PID 1912 wrote to memory of 3012 1912 604800.exe 32 PID 3012 wrote to memory of 2788 3012 4206228.exe 33 PID 3012 wrote to memory of 2788 3012 4206228.exe 33 PID 3012 wrote to memory of 2788 3012 4206228.exe 33 PID 3012 wrote to memory of 2788 3012 4206228.exe 33 PID 2788 wrote to memory of 2944 2788 48068.exe 34 PID 2788 wrote to memory of 2944 2788 48068.exe 34 PID 2788 wrote to memory of 2944 2788 48068.exe 34 PID 2788 wrote to memory of 2944 2788 48068.exe 34 PID 2944 wrote to memory of 2804 2944 5fxfrxl.exe 35 PID 2944 wrote to memory of 2804 2944 5fxfrxl.exe 35 PID 2944 wrote to memory of 2804 2944 5fxfrxl.exe 35 PID 2944 wrote to memory of 2804 2944 5fxfrxl.exe 35 PID 2804 wrote to memory of 2796 2804 3dpdd.exe 36 PID 2804 wrote to memory of 2796 2804 3dpdd.exe 36 PID 2804 wrote to memory of 2796 2804 3dpdd.exe 36 PID 2804 wrote to memory of 2796 2804 3dpdd.exe 36 PID 2796 wrote to memory of 2704 2796 g2046.exe 37 PID 2796 wrote to memory of 2704 2796 g2046.exe 37 PID 2796 wrote to memory of 2704 2796 g2046.exe 37 PID 2796 wrote to memory of 2704 2796 g2046.exe 37 PID 2704 wrote to memory of 2736 2704 a8662.exe 38 PID 2704 
wrote to memory of 2736 2704 a8662.exe 38 PID 2704 wrote to memory of 2736 2704 a8662.exe 38 PID 2704 wrote to memory of 2736 2704 a8662.exe 38 PID 2736 wrote to memory of 2356 2736 bbbbbn.exe 39 PID 2736 wrote to memory of 2356 2736 bbbbbn.exe 39 PID 2736 wrote to memory of 2356 2736 bbbbbn.exe 39 PID 2736 wrote to memory of 2356 2736 bbbbbn.exe 39 PID 2356 wrote to memory of 2572 2356 hhbhtn.exe 40 PID 2356 wrote to memory of 2572 2356 hhbhtn.exe 40 PID 2356 wrote to memory of 2572 2356 hhbhtn.exe 40 PID 2356 wrote to memory of 2572 2356 hhbhtn.exe 40 PID 2572 wrote to memory of 1256 2572 xffrrlf.exe 41 PID 2572 wrote to memory of 1256 2572 xffrrlf.exe 41 PID 2572 wrote to memory of 1256 2572 xffrrlf.exe 41 PID 2572 wrote to memory of 1256 2572 xffrrlf.exe 41 PID 1256 wrote to memory of 1164 1256 2684628.exe 42 PID 1256 wrote to memory of 1164 1256 2684628.exe 42 PID 1256 wrote to memory of 1164 1256 2684628.exe 42 PID 1256 wrote to memory of 1164 1256 2684628.exe 42 PID 1164 wrote to memory of 1496 1164 0826240.exe 43 PID 1164 wrote to memory of 1496 1164 0826240.exe 43 PID 1164 wrote to memory of 1496 1164 0826240.exe 43 PID 1164 wrote to memory of 1496 1164 0826240.exe 43 PID 1496 wrote to memory of 2888 1496 vjppv.exe 44 PID 1496 wrote to memory of 2888 1496 vjppv.exe 44 PID 1496 wrote to memory of 2888 1496 vjppv.exe 44 PID 1496 wrote to memory of 2888 1496 vjppv.exe 44 PID 2888 wrote to memory of 1484 2888 xrlflrx.exe 45 PID 2888 wrote to memory of 1484 2888 xrlflrx.exe 45 PID 2888 wrote to memory of 1484 2888 xrlflrx.exe 45 PID 2888 wrote to memory of 1484 2888 xrlflrx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe"C:\Users\Admin\AppData\Local\Temp\28f10fa7529bb2460d3fb234abdca060fe95b3d0513fb0a69fbd2e9129e7dcc4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\4240884.exec:\4240884.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\604800.exec:\604800.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\4206228.exec:\4206228.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\48068.exec:\48068.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\5fxfrxl.exec:\5fxfrxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\3dpdd.exec:\3dpdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\g2046.exec:\g2046.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\a8662.exec:\a8662.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\bbbbbn.exec:\bbbbbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\hhbhtn.exec:\hhbhtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\xffrrlf.exec:\xffrrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\2684628.exec:\2684628.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\0826240.exec:\0826240.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\vjppv.exec:\vjppv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\xrlflrx.exec:\xrlflrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\86406.exec:\86406.exe17⤵
- Executes dropped EXE
PID:1484 -
\??\c:\m0602.exec:\m0602.exe18⤵
- Executes dropped EXE
PID:492 -
\??\c:\jdppd.exec:\jdppd.exe19⤵
- Executes dropped EXE
PID:2560 -
\??\c:\0860006.exec:\0860006.exe20⤵
- Executes dropped EXE
PID:2212 -
\??\c:\ppdjd.exec:\ppdjd.exe21⤵
- Executes dropped EXE
PID:2108 -
\??\c:\262884.exec:\262884.exe22⤵
- Executes dropped EXE
PID:1744 -
\??\c:\40408.exec:\40408.exe23⤵
- Executes dropped EXE
PID:1708 -
\??\c:\k86244.exec:\k86244.exe24⤵
- Executes dropped EXE
PID:2056 -
\??\c:\dpjvj.exec:\dpjvj.exe25⤵
- Executes dropped EXE
PID:2320 -
\??\c:\i228440.exec:\i228440.exe26⤵
- Executes dropped EXE
PID:1404 -
\??\c:\3rffllr.exec:\3rffllr.exe27⤵
- Executes dropped EXE
PID:876 -
\??\c:\jdvjv.exec:\jdvjv.exe28⤵
- Executes dropped EXE
PID:2148 -
\??\c:\vppvv.exec:\vppvv.exe29⤵
- Executes dropped EXE
PID:1488 -
\??\c:\c866284.exec:\c866284.exe30⤵
- Executes dropped EXE
PID:2364 -
\??\c:\fxfrfff.exec:\fxfrfff.exe31⤵
- Executes dropped EXE
PID:1796 -
\??\c:\5dpvd.exec:\5dpvd.exe32⤵
- Executes dropped EXE
PID:1524 -
\??\c:\u666228.exec:\u666228.exe33⤵
- Executes dropped EXE
PID:2128 -
\??\c:\nbntbh.exec:\nbntbh.exe34⤵
- Executes dropped EXE
PID:1604 -
\??\c:\nnttbh.exec:\nnttbh.exe35⤵
- Executes dropped EXE
PID:1692 -
\??\c:\60840.exec:\60840.exe36⤵
- Executes dropped EXE
PID:1632 -
\??\c:\1thnnt.exec:\1thnnt.exe37⤵
- Executes dropped EXE
PID:1444 -
\??\c:\jvdjp.exec:\jvdjp.exe38⤵
- Executes dropped EXE
PID:2416 -
\??\c:\lfrrrrx.exec:\lfrrrrx.exe39⤵
- Executes dropped EXE
PID:2812 -
\??\c:\hbtbnb.exec:\hbtbnb.exe40⤵
- Executes dropped EXE
PID:2784 -
\??\c:\4428666.exec:\4428666.exe41⤵
- Executes dropped EXE
PID:2996 -
\??\c:\rlxxfff.exec:\rlxxfff.exe42⤵
- Executes dropped EXE
PID:3016 -
\??\c:\64246.exec:\64246.exe43⤵
- Executes dropped EXE
PID:2840 -
\??\c:\6040628.exec:\6040628.exe44⤵
- Executes dropped EXE
PID:2988 -
\??\c:\04226.exec:\04226.exe45⤵
- Executes dropped EXE
PID:752 -
\??\c:\08400.exec:\08400.exe46⤵
- Executes dropped EXE
PID:2680 -
\??\c:\hbthtt.exec:\hbthtt.exe47⤵
- Executes dropped EXE
PID:1640 -
\??\c:\400020.exec:\400020.exe48⤵
- Executes dropped EXE
PID:3036 -
\??\c:\vjpjd.exec:\vjpjd.exe49⤵
- Executes dropped EXE
PID:1688 -
\??\c:\vddvj.exec:\vddvj.exe50⤵
- Executes dropped EXE
PID:776 -
\??\c:\g4842.exec:\g4842.exe51⤵
- Executes dropped EXE
PID:2992 -
\??\c:\5hbbhn.exec:\5hbbhn.exe52⤵
- Executes dropped EXE
PID:1496 -
\??\c:\hhnnnn.exec:\hhnnnn.exe53⤵
- Executes dropped EXE
PID:1128 -
\??\c:\2680662.exec:\2680662.exe54⤵
- Executes dropped EXE
PID:1084 -
\??\c:\o422884.exec:\o422884.exe55⤵
- Executes dropped EXE
PID:2236 -
\??\c:\bnbbnn.exec:\bnbbnn.exe56⤵
- Executes dropped EXE
PID:2536 -
\??\c:\422266.exec:\422266.exe57⤵
- Executes dropped EXE
PID:2400 -
\??\c:\pjvdp.exec:\pjvdp.exe58⤵
- Executes dropped EXE
PID:2212 -
\??\c:\thntbb.exec:\thntbb.exe59⤵
- Executes dropped EXE
PID:2108 -
\??\c:\i844662.exec:\i844662.exe60⤵
- Executes dropped EXE
PID:1780 -
\??\c:\5xlrrll.exec:\5xlrrll.exe61⤵
- Executes dropped EXE
PID:372 -
\??\c:\pjvjp.exec:\pjvjp.exe62⤵
- Executes dropped EXE
PID:804 -
\??\c:\9llfrrr.exec:\9llfrrr.exe63⤵
- Executes dropped EXE
PID:644 -
\??\c:\bbnhtb.exec:\bbnhtb.exe64⤵
- Executes dropped EXE
PID:2320 -
\??\c:\1rllrlf.exec:\1rllrlf.exe65⤵
- Executes dropped EXE
PID:1620 -
\??\c:\nnbbhh.exec:\nnbbhh.exe66⤵PID:2372
-
\??\c:\rlxlxlx.exec:\rlxlxlx.exe67⤵PID:756
-
\??\c:\lfrxrrf.exec:\lfrxrrf.exe68⤵PID:2288
-
\??\c:\rrflllx.exec:\rrflllx.exe69⤵PID:2516
-
\??\c:\048020.exec:\048020.exe70⤵
- System Location Discovery: System Language Discovery
PID:2364 -
\??\c:\680800.exec:\680800.exe71⤵PID:1516
-
\??\c:\42286.exec:\42286.exe72⤵PID:2388
-
\??\c:\xfxfxxx.exec:\xfxfxxx.exe73⤵PID:2436
-
\??\c:\26886.exec:\26886.exe74⤵PID:1828
-
\??\c:\hbhtht.exec:\hbhtht.exe75⤵PID:1704
-
\??\c:\o244666.exec:\o244666.exe76⤵PID:2592
-
\??\c:\428806.exec:\428806.exe77⤵PID:2628
-
\??\c:\3dpvj.exec:\3dpvj.exe78⤵PID:2820
-
\??\c:\c266440.exec:\c266440.exe79⤵
- System Location Discovery: System Language Discovery
PID:2944 -
\??\c:\bththh.exec:\bththh.exe80⤵PID:2416
-
\??\c:\vjvvd.exec:\vjvvd.exe81⤵PID:2804
-
\??\c:\1btnbh.exec:\1btnbh.exe82⤵PID:2716
-
\??\c:\s0224.exec:\s0224.exe83⤵PID:2968
-
\??\c:\8606662.exec:\8606662.exe84⤵PID:2816
-
\??\c:\644882.exec:\644882.exe85⤵PID:2692
-
\??\c:\2080624.exec:\2080624.exe86⤵PID:2744
-
\??\c:\64084.exec:\64084.exe87⤵PID:2544
-
\??\c:\26284.exec:\26284.exe88⤵PID:2576
-
\??\c:\9llrrxr.exec:\9llrrxr.exe89⤵PID:2900
-
\??\c:\i468462.exec:\i468462.exe90⤵PID:336
-
\??\c:\886866.exec:\886866.exe91⤵PID:3048
-
\??\c:\42068.exec:\42068.exe92⤵PID:2916
-
\??\c:\0406286.exec:\0406286.exe93⤵PID:2912
-
\??\c:\04240.exec:\04240.exe94⤵PID:2872
-
\??\c:\lffxxlx.exec:\lffxxlx.exe95⤵PID:2780
-
\??\c:\lxlxlxf.exec:\lxlxlxf.exe96⤵PID:1724
-
\??\c:\6062886.exec:\6062886.exe97⤵PID:2560
-
\??\c:\04220.exec:\04220.exe98⤵PID:2496
-
\??\c:\646644.exec:\646644.exe99⤵PID:2160
-
\??\c:\202062.exec:\202062.exe100⤵PID:2448
-
\??\c:\ppjdv.exec:\ppjdv.exe101⤵PID:852
-
\??\c:\484444.exec:\484444.exe102⤵PID:1752
-
\??\c:\ffxffll.exec:\ffxffll.exe103⤵
- System Location Discovery: System Language Discovery
PID:940 -
\??\c:\4822462.exec:\4822462.exe104⤵PID:564
-
\??\c:\5ddpd.exec:\5ddpd.exe105⤵PID:644
-
\??\c:\646282.exec:\646282.exe106⤵PID:1548
-
\??\c:\hbtbnt.exec:\hbtbnt.exe107⤵PID:2040
-
\??\c:\g4064.exec:\g4064.exe108⤵PID:2020
-
\??\c:\0084668.exec:\0084668.exe109⤵PID:1644
-
\??\c:\bbtbhh.exec:\bbtbhh.exe110⤵PID:2328
-
\??\c:\1rrllll.exec:\1rrllll.exe111⤵PID:1616
-
\??\c:\5dvpd.exec:\5dvpd.exe112⤵PID:1308
-
\??\c:\xrfflrf.exec:\xrfflrf.exe113⤵PID:2452
-
\??\c:\m0806.exec:\m0806.exe114⤵PID:2388
-
\??\c:\420028.exec:\420028.exe115⤵PID:1940
-
\??\c:\864022.exec:\864022.exe116⤵PID:1608
-
\??\c:\q48066.exec:\q48066.exe117⤵PID:1680
-
\??\c:\q24066.exec:\q24066.exe118⤵PID:2592
-
\??\c:\djppv.exec:\djppv.exe119⤵PID:2828
-
\??\c:\pjjjv.exec:\pjjjv.exe120⤵PID:2860
-
\??\c:\824062.exec:\824062.exe121⤵PID:2984
-
\??\c:\2628602.exec:\2628602.exe122⤵PID:2096