Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 05:10
Behavioral task
behavioral1
Sample
113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe
-
Size
378KB
-
MD5
ff6a31485fc178613ce9cd886a6343a6
-
SHA1
66a7fb935a0d73e068e3e630fb208b871e90dca8
-
SHA256
113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef
-
SHA512
4e8cb5c9cb4818a3c79c9774ddc297e163c93d2e31375105f68de60984e780eccc384569fcf74bc368df8ccd95983f2572886888c52714ac1526557c2ef39896
-
SSDEEP
6144:0cm4FmowdHoSHWVs+QEoD/dL/4oSlCIqbKRs4EkfRDaPRrnVkWHQrvD:C4wFHoS2Vs+IdMoSzqkR5RWVVWrL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2344-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2128-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2352-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2268-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1736-434-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2696-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2828-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2864-332-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/684-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/584-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/584-317-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2296-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/876-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/876-289-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/1152-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2612-271-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/1084-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2284-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2284-184-0x00000000001C0000-0x00000000001E7000-memory.dmp family_blackmoon 
behavioral1/memory/1780-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1960-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2956-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1632-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2996-450-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2688-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2712-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2996-452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2684-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-77-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2788-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2748-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2376-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2176-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1920-464-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1920-466-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1544-478-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1544-480-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2696-628-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2272-758-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1580-959-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2444-1254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2200-1272-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/880-1366-0x0000000000320000-0x0000000000347000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2176 3rlrflf.exe 2376 486824.exe 2128 k86288.exe 2748 ffrrflx.exe 2856 jpddj.exe 2788 nhbhth.exe 2908 k68402.exe 2664 282448.exe 2684 g2246.exe 2712 w08226.exe 2688 20844.exe 1632 086688.exe 2956 g6280.exe 1996 68040.exe 1960 k64460.exe 2708 vvjjp.exe 864 6028066.exe 1780 bbbbnh.exe 2192 rlflxxl.exe 2284 6468406.exe 2352 48024.exe 2348 424244.exe 1084 fxrrxrf.exe 2224 ddpdj.exe 2496 nhbhnh.exe 676 u828668.exe 1656 tnnbbb.exe 2408 424466.exe 1712 6080668.exe 2612 2220646.exe 1152 44262.exe 876 2606808.exe 2184 xxrfrrf.exe 2556 42440.exe 2296 a4884.exe 584 bhhbbb.exe 684 pjpjp.exe 2864 a8286.exe 2268 hnnhhb.exe 2260 hhtnbh.exe 2828 lflxllx.exe 2860 rlrxffl.exe 2808 e44440.exe 2716 6268020.exe 2796 20880.exe 628 c640286.exe 2696 xflxfxf.exe 2652 vvjdj.exe 1824 ppjdv.exe 1616 1hbhnt.exe 1976 rlxflrx.exe 864 hhtbhh.exe 1476 0866442.exe 1736 e64648.exe 888 fxfrxxl.exe 2996 llflxxr.exe 1892 60880.exe 1920 40402.exe 1592 7rrrfxl.exe 1544 o428666.exe 1992 9pjpd.exe 1868 hbntbt.exe 1820 86880.exe 900 lxrrxxf.exe -
resource yara_rule behavioral1/memory/2344-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000b000000012268-9.dat upx behavioral1/memory/2176-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2344-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019490-19.dat upx behavioral1/memory/2128-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001949d-28.dat upx behavioral1/files/0x00060000000194d0-37.dat upx behavioral1/files/0x00060000000194da-46.dat upx behavioral1/memory/2856-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000194e6-66.dat upx behavioral1/files/0x000500000001a495-84.dat upx behavioral1/files/0x000500000001a4a5-92.dat upx behavioral1/files/0x000500000001a4ab-101.dat upx behavioral1/files/0x000500000001a4af-120.dat upx behavioral1/files/0x000500000001a4b3-136.dat upx behavioral1/files/0x000500000001a4b7-155.dat upx behavioral1/files/0x000500000001a4bb-173.dat upx behavioral1/memory/2352-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c7-227.dat upx behavioral1/files/0x000500000001a4c5-218.dat upx behavioral1/files/0x000500000001a4d4-276.dat upx behavioral1/memory/2268-338-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2696-388-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2796-375-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2828-351-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2864-332-0x0000000000430000-0x0000000000457000-memory.dmp upx behavioral1/memory/684-324-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/584-322-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/584-317-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2296-309-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/876-294-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/876-289-0x00000000002A0000-0x00000000002C7000-memory.dmp upx behavioral1/files/0x000500000001a4d6-286.dat upx behavioral1/memory/1152-279-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4d1-268.dat upx behavioral1/files/0x000500000001a4cf-260.dat upx behavioral1/files/0x000500000001a4cd-251.dat upx behavioral1/files/0x000500000001a4cb-243.dat upx behavioral1/files/0x000500000001a4c9-235.dat upx behavioral1/memory/1084-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c3-209.dat upx behavioral1/files/0x000500000001a4c1-200.dat upx behavioral1/files/0x000500000001a4bf-191.dat upx behavioral1/memory/2284-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4bd-181.dat upx behavioral1/memory/1780-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b9-163.dat upx behavioral1/memory/2708-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b5-146.dat upx behavioral1/memory/1960-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b1-129.dat upx behavioral1/memory/2956-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1632-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4ad-111.dat upx behavioral1/memory/2688-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2712-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2996-452-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2684-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2664-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019551-74.dat upx 
behavioral1/memory/2788-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000194e4-56.dat upx behavioral1/memory/2748-45-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k64462.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w60060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4466680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2176 2344 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 31 PID 2344 wrote to memory of 2176 2344 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 31 PID 2344 wrote to memory of 2176 2344 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 31 PID 2344 wrote to memory of 2176 2344 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 31 PID 2176 wrote to memory of 2376 2176 3rlrflf.exe 32 PID 2176 wrote to memory of 2376 2176 3rlrflf.exe 32 PID 2176 wrote to memory of 2376 2176 3rlrflf.exe 32 PID 2176 wrote to memory of 2376 2176 3rlrflf.exe 32 PID 2376 wrote to memory of 2128 2376 486824.exe 33 PID 2376 wrote to memory of 2128 2376 486824.exe 33 PID 2376 wrote to memory of 2128 2376 486824.exe 33 PID 2376 wrote to memory of 2128 2376 486824.exe 33 PID 2128 wrote to memory of 2748 2128 k86288.exe 34 PID 2128 wrote to memory of 2748 2128 k86288.exe 34 PID 2128 wrote to memory of 2748 2128 k86288.exe 34 PID 2128 wrote to memory of 2748 2128 k86288.exe 34 PID 2748 wrote to memory of 2856 2748 ffrrflx.exe 35 PID 2748 wrote to memory of 2856 2748 ffrrflx.exe 35 PID 2748 wrote to memory of 2856 2748 ffrrflx.exe 35 PID 2748 wrote to memory of 2856 2748 ffrrflx.exe 35 PID 2856 wrote to memory of 2788 2856 jpddj.exe 36 PID 2856 wrote to memory of 2788 2856 jpddj.exe 36 PID 2856 wrote to memory of 2788 2856 jpddj.exe 36 PID 2856 wrote to memory of 2788 2856 jpddj.exe 36 PID 2788 wrote to memory of 2908 2788 nhbhth.exe 37 PID 2788 wrote to memory of 2908 2788 nhbhth.exe 37 PID 2788 wrote to memory of 2908 2788 nhbhth.exe 37 PID 2788 wrote to memory of 2908 2788 nhbhth.exe 37 PID 2908 wrote to memory of 2664 2908 k68402.exe 38 PID 2908 wrote to memory of 2664 2908 k68402.exe 38 PID 2908 wrote to memory of 2664 2908 k68402.exe 38 PID 2908 wrote to memory of 2664 2908 k68402.exe 38 PID 2664 wrote to memory of 2684 2664 282448.exe 39 PID 2664 
wrote to memory of 2684 2664 282448.exe 39 PID 2664 wrote to memory of 2684 2664 282448.exe 39 PID 2664 wrote to memory of 2684 2664 282448.exe 39 PID 2684 wrote to memory of 2712 2684 g2246.exe 40 PID 2684 wrote to memory of 2712 2684 g2246.exe 40 PID 2684 wrote to memory of 2712 2684 g2246.exe 40 PID 2684 wrote to memory of 2712 2684 g2246.exe 40 PID 2712 wrote to memory of 2688 2712 w08226.exe 41 PID 2712 wrote to memory of 2688 2712 w08226.exe 41 PID 2712 wrote to memory of 2688 2712 w08226.exe 41 PID 2712 wrote to memory of 2688 2712 w08226.exe 41 PID 2688 wrote to memory of 1632 2688 20844.exe 42 PID 2688 wrote to memory of 1632 2688 20844.exe 42 PID 2688 wrote to memory of 1632 2688 20844.exe 42 PID 2688 wrote to memory of 1632 2688 20844.exe 42 PID 1632 wrote to memory of 2956 1632 086688.exe 43 PID 1632 wrote to memory of 2956 1632 086688.exe 43 PID 1632 wrote to memory of 2956 1632 086688.exe 43 PID 1632 wrote to memory of 2956 1632 086688.exe 43 PID 2956 wrote to memory of 1996 2956 g6280.exe 44 PID 2956 wrote to memory of 1996 2956 g6280.exe 44 PID 2956 wrote to memory of 1996 2956 g6280.exe 44 PID 2956 wrote to memory of 1996 2956 g6280.exe 44 PID 1996 wrote to memory of 1960 1996 68040.exe 45 PID 1996 wrote to memory of 1960 1996 68040.exe 45 PID 1996 wrote to memory of 1960 1996 68040.exe 45 PID 1996 wrote to memory of 1960 1996 68040.exe 45 PID 1960 wrote to memory of 2708 1960 k64460.exe 46 PID 1960 wrote to memory of 2708 1960 k64460.exe 46 PID 1960 wrote to memory of 2708 1960 k64460.exe 46 PID 1960 wrote to memory of 2708 1960 k64460.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe"C:\Users\Admin\AppData\Local\Temp\113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\3rlrflf.exec:\3rlrflf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\486824.exec:\486824.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\k86288.exec:\k86288.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\ffrrflx.exec:\ffrrflx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\jpddj.exec:\jpddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\nhbhth.exec:\nhbhth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\k68402.exec:\k68402.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\282448.exec:\282448.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\g2246.exec:\g2246.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\w08226.exec:\w08226.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\20844.exec:\20844.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\086688.exec:\086688.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\g6280.exec:\g6280.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\68040.exec:\68040.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\k64460.exec:\k64460.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\vvjjp.exec:\vvjjp.exe17⤵
- Executes dropped EXE
PID:2708 -
\??\c:\6028066.exec:\6028066.exe18⤵
- Executes dropped EXE
PID:864 -
\??\c:\bbbbnh.exec:\bbbbnh.exe19⤵
- Executes dropped EXE
PID:1780 -
\??\c:\rlflxxl.exec:\rlflxxl.exe20⤵
- Executes dropped EXE
PID:2192 -
\??\c:\6468406.exec:\6468406.exe21⤵
- Executes dropped EXE
PID:2284 -
\??\c:\48024.exec:\48024.exe22⤵
- Executes dropped EXE
PID:2352 -
\??\c:\424244.exec:\424244.exe23⤵
- Executes dropped EXE
PID:2348 -
\??\c:\fxrrxrf.exec:\fxrrxrf.exe24⤵
- Executes dropped EXE
PID:1084 -
\??\c:\ddpdj.exec:\ddpdj.exe25⤵
- Executes dropped EXE
PID:2224 -
\??\c:\nhbhnh.exec:\nhbhnh.exe26⤵
- Executes dropped EXE
PID:2496 -
\??\c:\u828668.exec:\u828668.exe27⤵
- Executes dropped EXE
PID:676 -
\??\c:\tnnbbb.exec:\tnnbbb.exe28⤵
- Executes dropped EXE
PID:1656 -
\??\c:\424466.exec:\424466.exe29⤵
- Executes dropped EXE
PID:2408 -
\??\c:\6080668.exec:\6080668.exe30⤵
- Executes dropped EXE
PID:1712 -
\??\c:\2220646.exec:\2220646.exe31⤵
- Executes dropped EXE
PID:2612 -
\??\c:\44262.exec:\44262.exe32⤵
- Executes dropped EXE
PID:1152 -
\??\c:\2606808.exec:\2606808.exe33⤵
- Executes dropped EXE
PID:876 -
\??\c:\xxrfrrf.exec:\xxrfrrf.exe34⤵
- Executes dropped EXE
PID:2184 -
\??\c:\42440.exec:\42440.exe35⤵
- Executes dropped EXE
PID:2556 -
\??\c:\a4884.exec:\a4884.exe36⤵
- Executes dropped EXE
PID:2296 -
\??\c:\bhhbbb.exec:\bhhbbb.exe37⤵
- Executes dropped EXE
PID:584 -
\??\c:\pjpjp.exec:\pjpjp.exe38⤵
- Executes dropped EXE
PID:684 -
\??\c:\a8286.exec:\a8286.exe39⤵
- Executes dropped EXE
PID:2864 -
\??\c:\hnnhhb.exec:\hnnhhb.exe40⤵
- Executes dropped EXE
PID:2268 -
\??\c:\hhtnbh.exec:\hhtnbh.exe41⤵
- Executes dropped EXE
PID:2260 -
\??\c:\lflxllx.exec:\lflxllx.exe42⤵
- Executes dropped EXE
PID:2828 -
\??\c:\rlrxffl.exec:\rlrxffl.exe43⤵
- Executes dropped EXE
PID:2860 -
\??\c:\e44440.exec:\e44440.exe44⤵
- Executes dropped EXE
PID:2808 -
\??\c:\6268020.exec:\6268020.exe45⤵
- Executes dropped EXE
PID:2716 -
\??\c:\20880.exec:\20880.exe46⤵
- Executes dropped EXE
PID:2796 -
\??\c:\c640286.exec:\c640286.exe47⤵
- Executes dropped EXE
PID:628 -
\??\c:\xflxfxf.exec:\xflxfxf.exe48⤵
- Executes dropped EXE
PID:2696 -
\??\c:\vvjdj.exec:\vvjdj.exe49⤵
- Executes dropped EXE
PID:2652 -
\??\c:\ppjdv.exec:\ppjdv.exe50⤵
- Executes dropped EXE
PID:1824 -
\??\c:\1hbhnt.exec:\1hbhnt.exe51⤵
- Executes dropped EXE
PID:1616 -
\??\c:\rlxflrx.exec:\rlxflrx.exe52⤵
- Executes dropped EXE
PID:1976 -
\??\c:\hhtbhh.exec:\hhtbhh.exe53⤵
- Executes dropped EXE
PID:864 -
\??\c:\0866442.exec:\0866442.exe54⤵
- Executes dropped EXE
PID:1476 -
\??\c:\e64648.exec:\e64648.exe55⤵
- Executes dropped EXE
PID:1736 -
\??\c:\fxfrxxl.exec:\fxfrxxl.exe56⤵
- Executes dropped EXE
PID:888 -
\??\c:\llflxxr.exec:\llflxxr.exe57⤵
- Executes dropped EXE
PID:2996 -
\??\c:\60880.exec:\60880.exe58⤵
- Executes dropped EXE
PID:1892 -
\??\c:\40402.exec:\40402.exe59⤵
- Executes dropped EXE
PID:1920 -
\??\c:\7rrrfxl.exec:\7rrrfxl.exe60⤵
- Executes dropped EXE
PID:1592 -
\??\c:\o428666.exec:\o428666.exe61⤵
- Executes dropped EXE
PID:1544 -
\??\c:\9pjpd.exec:\9pjpd.exe62⤵
- Executes dropped EXE
PID:1992 -
\??\c:\hbntbt.exec:\hbntbt.exe63⤵
- Executes dropped EXE
PID:1868 -
\??\c:\86880.exec:\86880.exe64⤵
- Executes dropped EXE
PID:1820 -
\??\c:\lxrrxxf.exec:\lxrrxxf.exe65⤵
- Executes dropped EXE
PID:900 -
\??\c:\646828.exec:\646828.exe66⤵PID:1788
-
\??\c:\xrrxllf.exec:\xrrxllf.exe67⤵PID:2620
-
\??\c:\btbhhn.exec:\btbhhn.exe68⤵PID:1132
-
\??\c:\86840.exec:\86840.exe69⤵PID:316
-
\??\c:\202840.exec:\202840.exe70⤵PID:792
-
\??\c:\jjppp.exec:\jjppp.exe71⤵PID:496
-
\??\c:\262228.exec:\262228.exe72⤵PID:2304
-
\??\c:\pjvjp.exec:\pjvjp.exe73⤵PID:1608
-
\??\c:\2084220.exec:\2084220.exe74⤵PID:1768
-
\??\c:\nhtbnn.exec:\nhtbnn.exe75⤵PID:1680
-
\??\c:\462002.exec:\462002.exe76⤵PID:2872
-
\??\c:\8688440.exec:\8688440.exe77⤵PID:2744
-
\??\c:\820662.exec:\820662.exe78⤵PID:2100
-
\??\c:\w80400.exec:\w80400.exe79⤵PID:1308
-
\??\c:\0862446.exec:\0862446.exe80⤵PID:2852
-
\??\c:\hbttbb.exec:\hbttbb.exe81⤵PID:2868
-
\??\c:\dvjjv.exec:\dvjjv.exe82⤵PID:2716
-
\??\c:\q80622.exec:\q80622.exe83⤵PID:1520
-
\??\c:\i084602.exec:\i084602.exe84⤵PID:2644
-
\??\c:\pjdvj.exec:\pjdvj.exe85⤵
- System Location Discovery: System Language Discovery
PID:2696 -
\??\c:\e80480.exec:\e80480.exe86⤵PID:2652
-
\??\c:\5jdjj.exec:\5jdjj.exe87⤵PID:1512
-
\??\c:\04628.exec:\04628.exe88⤵PID:2384
-
\??\c:\djpvd.exec:\djpvd.exe89⤵PID:1616
-
\??\c:\8640662.exec:\8640662.exe90⤵PID:1960
-
\??\c:\q20684.exec:\q20684.exe91⤵PID:2656
-
\??\c:\60284.exec:\60284.exe92⤵PID:2532
-
\??\c:\s6484.exec:\s6484.exe93⤵PID:1272
-
\??\c:\048462.exec:\048462.exe94⤵PID:1652
-
\??\c:\4040624.exec:\4040624.exe95⤵PID:540
-
\??\c:\xrxrfrf.exec:\xrxrfrf.exe96⤵PID:3020
-
\??\c:\7htbhn.exec:\7htbhn.exe97⤵PID:2156
-
\??\c:\thttnn.exec:\thttnn.exe98⤵PID:2192
-
\??\c:\q80684.exec:\q80684.exe99⤵PID:1488
-
\??\c:\9ddjp.exec:\9ddjp.exe100⤵PID:2564
-
\??\c:\64228.exec:\64228.exe101⤵PID:2572
-
\??\c:\486240.exec:\486240.exe102⤵PID:620
-
\??\c:\08280.exec:\08280.exe103⤵PID:2440
-
\??\c:\2084624.exec:\2084624.exe104⤵PID:1920
-
\??\c:\4240220.exec:\4240220.exe105⤵PID:1676
-
\??\c:\s0402.exec:\s0402.exe106⤵PID:2272
-
\??\c:\208840.exec:\208840.exe107⤵PID:676
-
\??\c:\42440.exec:\42440.exe108⤵
- System Location Discovery: System Language Discovery
PID:1908 -
\??\c:\0806062.exec:\0806062.exe109⤵PID:1548
-
\??\c:\rlxxffl.exec:\rlxxffl.exe110⤵
- System Location Discovery: System Language Discovery
PID:1940 -
\??\c:\4228008.exec:\4228008.exe111⤵PID:1792
-
\??\c:\dvjpd.exec:\dvjpd.exe112⤵PID:880
-
\??\c:\tnnttt.exec:\tnnttt.exe113⤵PID:1348
-
\??\c:\lrflxxf.exec:\lrflxxf.exe114⤵PID:2592
-
\??\c:\fxrrflr.exec:\fxrrflr.exe115⤵PID:2504
-
\??\c:\o642446.exec:\o642446.exe116⤵PID:2296
-
\??\c:\5rxrxxf.exec:\5rxrxxf.exe117⤵PID:1884
-
\??\c:\2680284.exec:\2680284.exe118⤵PID:3004
-
\??\c:\080622.exec:\080622.exe119⤵PID:1576
-
\??\c:\lfxfxff.exec:\lfxfxff.exe120⤵PID:348
-
\??\c:\fxxxffr.exec:\fxxxffr.exe121⤵PID:1904
-
\??\c:\8240224.exec:\8240224.exe122⤵PID:2484