Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
18-12-2024 10:25
Behavioral task
behavioral1
Sample
5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe
Resource
win7-20241023-en
windows7-x64
9 signatures
120 seconds
General
-
Target
5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe
-
Size
3.7MB
-
MD5
b2c4e5410373864a8694f5e3aaee1e21
-
SHA1
0bff784fd0b215a22414f6ab941a58f2ffbcd805
-
SHA256
5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433
-
SHA512
6bc4bb815036cfa76b2cb531f99ecf5da4018ca831332203dca86ac461f7cd5c938cba73632d0f44bcdd0d792f947d051b2290bd5078000594372d580c714df2
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98Q:U6XLq/qPPslzKx/dJg1ErmNJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/1832-0-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2356-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2356-18-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/1760-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2800-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2120-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2988-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2364-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2532-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1768-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2928-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1084-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1032-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1604-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2288-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2116-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1388-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2324-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2556-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1964-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1964-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2840-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2912-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1508-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3028-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2596-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2596-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2040-435-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1724-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2464-462-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1804-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1804-483-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2548-557-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/968-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2952-594-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1148-596-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1148-602-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2096-625-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1148-624-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2164-772-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/1964-841-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2184-911-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/3004-926-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/564-958-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-965-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2356 26402.exe 1760 rxxxffx.exe 2800 26628.exe 2120 vppdp.exe 2864 64684.exe 2988 648462.exe 2532 tnbnht.exe 2784 thtnbb.exe 2364 frxlxff.exe 1768 nbntbb.exe 2928 2862840.exe 476 0600884.exe 1084 ttbnnn.exe 1960 04806.exe 1032 xflxxxx.exe 3044 6862006.exe 1604 rlffflf.exe 2288 frlxlrr.exe 316 6262440.exe 2180 xrllrrx.exe 2116 426206.exe 444 c248400.exe 3016 3vpvj.exe 1388 6442028.exe 992 btbbhh.exe 1284 8480628.exe 904 7jvvv.exe 1792 660066.exe 2556 tbbbht.exe 2324 6202404.exe 2192 llffllr.exe 892 486226.exe 1600 q86284.exe 304 9xxxxfl.exe 2444 644620.exe 1964 jdppp.exe 2840 7hbntt.exe 2940 fxrflxr.exe 2120 40062.exe 2912 o444280.exe 2936 86840.exe 2780 8066824.exe 2520 0608062.exe 688 e48846.exe 840 4424028.exe 1508 vvdjv.exe 3028 046284.exe 476 fxffllx.exe 2768 086840.exe 2596 lrlrrfl.exe 2916 8462800.exe 2016 048402.exe 2040 xfxlxxf.exe 1724 6088468.exe 2112 tnhhtb.exe 2392 2606280.exe 2464 04466.exe 768 dvdpv.exe 1444 64400.exe 1804 20406.exe 2692 9jpjv.exe 2932 nnhbhn.exe 828 7xxxfxl.exe 860 264462.exe -
resource yara_rule behavioral1/memory/1832-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1832-3-0x00000000005C0000-0x00000000005E7000-memory.dmp upx behavioral1/files/0x000c00000001202c-8.dat upx behavioral1/memory/2356-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d4b-15.dat upx behavioral1/memory/1760-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d54-29.dat upx behavioral1/memory/1760-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d67-39.dat upx behavioral1/memory/2800-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d6b-49.dat upx behavioral1/memory/2864-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2120-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2988-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016cf5-56.dat upx behavioral1/files/0x0007000000016d6f-69.dat upx behavioral1/memory/2988-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2784-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d77-79.dat upx behavioral1/memory/2364-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d9f-88.dat upx behavioral1/memory/2784-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2532-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018739-98.dat upx behavioral1/memory/1768-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2928-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018744-108.dat upx behavioral1/files/0x000500000001878e-117.dat upx behavioral1/files/0x00050000000187a8-124.dat upx behavioral1/files/0x0006000000018b4e-133.dat upx 
behavioral1/memory/1084-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018c16-141.dat upx behavioral1/files/0x0005000000019246-151.dat upx behavioral1/memory/1032-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3044-154-0x0000000000430000-0x0000000000457000-memory.dmp upx behavioral1/files/0x0005000000019250-159.dat upx behavioral1/files/0x0005000000019269-168.dat upx behavioral1/memory/1604-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019278-176.dat upx behavioral1/memory/2288-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019284-185.dat upx behavioral1/files/0x0005000000019297-192.dat upx behavioral1/memory/2116-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001933f-203.dat upx behavioral1/files/0x0005000000019360-211.dat upx behavioral1/memory/316-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1388-220-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193a6-219.dat upx behavioral1/files/0x00050000000193b6-227.dat upx behavioral1/files/0x00050000000193c4-235.dat upx behavioral1/memory/1284-237-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193df-245.dat upx behavioral1/files/0x0005000000019451-253.dat upx behavioral1/memory/2556-261-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019458-260.dat upx behavioral1/memory/2324-272-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194a9-271.dat upx behavioral1/files/0x00050000000194b9-280.dat upx behavioral1/memory/2556-270-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194c9-288.dat upx behavioral1/memory/1964-314-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2840-322-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1964-321-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2840-329-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4268206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u026222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4060284.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0800628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0848228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6262440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420066.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2040268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e82226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28268.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1832 wrote to memory of 2356 1832 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 30 PID 1832 wrote to memory of 2356 1832 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 30 PID 1832 wrote to memory of 2356 1832 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 30 PID 1832 wrote to memory of 2356 1832 5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe 30 PID 2356 wrote to memory of 1760 2356 26402.exe 31 PID 2356 wrote to memory of 1760 2356 26402.exe 31 PID 2356 wrote to memory of 1760 2356 26402.exe 31 PID 2356 wrote to memory of 1760 2356 26402.exe 31 PID 1760 wrote to memory of 2800 1760 rxxxffx.exe 32 PID 1760 wrote to memory of 2800 1760 rxxxffx.exe 32 PID 1760 wrote to memory of 2800 1760 rxxxffx.exe 32 PID 1760 wrote to memory of 2800 1760 rxxxffx.exe 32 PID 2800 wrote to memory of 2120 2800 26628.exe 68 PID 2800 wrote to memory of 2120 2800 26628.exe 68 PID 2800 wrote to memory of 2120 2800 26628.exe 68 PID 2800 wrote to memory of 2120 2800 26628.exe 68 PID 2120 wrote to memory of 2864 2120 vppdp.exe 34 PID 2120 wrote to memory of 2864 2120 vppdp.exe 34 PID 2120 wrote to memory of 2864 2120 vppdp.exe 34 PID 2120 wrote to memory of 2864 2120 vppdp.exe 34 PID 2864 wrote to memory of 2988 2864 64684.exe 35 PID 2864 wrote to memory of 2988 2864 64684.exe 35 PID 2864 wrote to memory of 2988 2864 64684.exe 35 PID 2864 wrote to memory of 2988 2864 64684.exe 35 PID 2988 wrote to memory of 2532 2988 648462.exe 36 PID 2988 wrote to memory of 2532 2988 648462.exe 36 PID 2988 wrote to memory of 2532 2988 648462.exe 36 PID 2988 wrote to memory of 2532 2988 648462.exe 36 PID 2532 wrote to memory of 2784 2532 tnbnht.exe 37 PID 2532 wrote to memory of 2784 2532 tnbnht.exe 37 PID 2532 wrote to memory of 2784 2532 tnbnht.exe 37 PID 2532 wrote to memory of 2784 2532 tnbnht.exe 37 PID 2784 wrote to memory of 2364 2784 thtnbb.exe 38 PID 2784 wrote to memory 
of 2364 2784 thtnbb.exe 38 PID 2784 wrote to memory of 2364 2784 thtnbb.exe 38 PID 2784 wrote to memory of 2364 2784 thtnbb.exe 38 PID 2364 wrote to memory of 1768 2364 frxlxff.exe 39 PID 2364 wrote to memory of 1768 2364 frxlxff.exe 39 PID 2364 wrote to memory of 1768 2364 frxlxff.exe 39 PID 2364 wrote to memory of 1768 2364 frxlxff.exe 39 PID 1768 wrote to memory of 2928 1768 nbntbb.exe 117 PID 1768 wrote to memory of 2928 1768 nbntbb.exe 117 PID 1768 wrote to memory of 2928 1768 nbntbb.exe 117 PID 1768 wrote to memory of 2928 1768 nbntbb.exe 117 PID 2928 wrote to memory of 476 2928 2862840.exe 77 PID 2928 wrote to memory of 476 2928 2862840.exe 77 PID 2928 wrote to memory of 476 2928 2862840.exe 77 PID 2928 wrote to memory of 476 2928 2862840.exe 77 PID 476 wrote to memory of 1084 476 0600884.exe 42 PID 476 wrote to memory of 1084 476 0600884.exe 42 PID 476 wrote to memory of 1084 476 0600884.exe 42 PID 476 wrote to memory of 1084 476 0600884.exe 42 PID 1084 wrote to memory of 1960 1084 ttbnnn.exe 43 PID 1084 wrote to memory of 1960 1084 ttbnnn.exe 43 PID 1084 wrote to memory of 1960 1084 ttbnnn.exe 43 PID 1084 wrote to memory of 1960 1084 ttbnnn.exe 43 PID 1960 wrote to memory of 1032 1960 04806.exe 44 PID 1960 wrote to memory of 1032 1960 04806.exe 44 PID 1960 wrote to memory of 1032 1960 04806.exe 44 PID 1960 wrote to memory of 1032 1960 04806.exe 44 PID 1032 wrote to memory of 3044 1032 xflxxxx.exe 45 PID 1032 wrote to memory of 3044 1032 xflxxxx.exe 45 PID 1032 wrote to memory of 3044 1032 xflxxxx.exe 45 PID 1032 wrote to memory of 3044 1032 xflxxxx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe"C:\Users\Admin\AppData\Local\Temp\5efbb62d1a0268309fcd2508ef9fad903dab119118acef18c9a496cb59e0a433.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\26402.exec:\26402.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\rxxxffx.exec:\rxxxffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\26628.exec:\26628.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\vppdp.exec:\vppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\64684.exec:\64684.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\648462.exec:\648462.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\tnbnht.exec:\tnbnht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\thtnbb.exec:\thtnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\frxlxff.exec:\frxlxff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\nbntbb.exec:\nbntbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\2862840.exec:\2862840.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\0600884.exec:\0600884.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:476 -
\??\c:\ttbnnn.exec:\ttbnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\04806.exec:\04806.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\xflxxxx.exec:\xflxxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\6862006.exec:\6862006.exe17⤵
- Executes dropped EXE
PID:3044 -
\??\c:\rlffflf.exec:\rlffflf.exe18⤵
- Executes dropped EXE
PID:1604 -
\??\c:\frlxlrr.exec:\frlxlrr.exe19⤵
- Executes dropped EXE
PID:2288 -
\??\c:\6262440.exec:\6262440.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:316 -
\??\c:\xrllrrx.exec:\xrllrrx.exe21⤵
- Executes dropped EXE
PID:2180 -
\??\c:\426206.exec:\426206.exe22⤵
- Executes dropped EXE
PID:2116 -
\??\c:\c248400.exec:\c248400.exe23⤵
- Executes dropped EXE
PID:444 -
\??\c:\3vpvj.exec:\3vpvj.exe24⤵
- Executes dropped EXE
PID:3016 -
\??\c:\6442028.exec:\6442028.exe25⤵
- Executes dropped EXE
PID:1388 -
\??\c:\btbbhh.exec:\btbbhh.exe26⤵
- Executes dropped EXE
PID:992 -
\??\c:\8480628.exec:\8480628.exe27⤵
- Executes dropped EXE
PID:1284 -
\??\c:\7jvvv.exec:\7jvvv.exe28⤵
- Executes dropped EXE
PID:904 -
\??\c:\660066.exec:\660066.exe29⤵
- Executes dropped EXE
PID:1792 -
\??\c:\tbbbht.exec:\tbbbht.exe30⤵
- Executes dropped EXE
PID:2556 -
\??\c:\6202404.exec:\6202404.exe31⤵
- Executes dropped EXE
PID:2324 -
\??\c:\llffllr.exec:\llffllr.exe32⤵
- Executes dropped EXE
PID:2192 -
\??\c:\486226.exec:\486226.exe33⤵
- Executes dropped EXE
PID:892 -
\??\c:\q86284.exec:\q86284.exe34⤵
- Executes dropped EXE
PID:1600 -
\??\c:\9xxxxfl.exec:\9xxxxfl.exe35⤵
- Executes dropped EXE
PID:304 -
\??\c:\644620.exec:\644620.exe36⤵
- Executes dropped EXE
PID:2444 -
\??\c:\jdppp.exec:\jdppp.exe37⤵
- Executes dropped EXE
PID:1964 -
\??\c:\7hbntt.exec:\7hbntt.exe38⤵
- Executes dropped EXE
PID:2840 -
\??\c:\fxrflxr.exec:\fxrflxr.exe39⤵
- Executes dropped EXE
PID:2940 -
\??\c:\40062.exec:\40062.exe40⤵
- Executes dropped EXE
PID:2120 -
\??\c:\o444280.exec:\o444280.exe41⤵
- Executes dropped EXE
PID:2912 -
\??\c:\86840.exec:\86840.exe42⤵
- Executes dropped EXE
PID:2936 -
\??\c:\8066824.exec:\8066824.exe43⤵
- Executes dropped EXE
PID:2780 -
\??\c:\0608062.exec:\0608062.exe44⤵
- Executes dropped EXE
PID:2520 -
\??\c:\e48846.exec:\e48846.exe45⤵
- Executes dropped EXE
PID:688 -
\??\c:\4424028.exec:\4424028.exe46⤵
- Executes dropped EXE
PID:840 -
\??\c:\vvdjv.exec:\vvdjv.exe47⤵
- Executes dropped EXE
PID:1508 -
\??\c:\046284.exec:\046284.exe48⤵
- Executes dropped EXE
PID:3028 -
\??\c:\fxffllx.exec:\fxffllx.exe49⤵
- Executes dropped EXE
PID:476 -
\??\c:\086840.exec:\086840.exe50⤵
- Executes dropped EXE
PID:2768 -
\??\c:\lrlrrfl.exec:\lrlrrfl.exe51⤵
- Executes dropped EXE
PID:2596 -
\??\c:\8462800.exec:\8462800.exe52⤵
- Executes dropped EXE
PID:2916 -
\??\c:\048402.exec:\048402.exe53⤵
- Executes dropped EXE
PID:2016 -
\??\c:\xfxlxxf.exec:\xfxlxxf.exe54⤵
- Executes dropped EXE
PID:2040 -
\??\c:\6088468.exec:\6088468.exe55⤵
- Executes dropped EXE
PID:1724 -
\??\c:\tnhhtb.exec:\tnhhtb.exe56⤵
- Executes dropped EXE
PID:2112 -
\??\c:\2606280.exec:\2606280.exe57⤵
- Executes dropped EXE
PID:2392 -
\??\c:\04466.exec:\04466.exe58⤵
- Executes dropped EXE
PID:2464 -
\??\c:\dvdpv.exec:\dvdpv.exe59⤵
- Executes dropped EXE
PID:768 -
\??\c:\64400.exec:\64400.exe60⤵
- Executes dropped EXE
PID:1444 -
\??\c:\20406.exec:\20406.exe61⤵
- Executes dropped EXE
PID:1804 -
\??\c:\9jpjv.exec:\9jpjv.exe62⤵
- Executes dropped EXE
PID:2692 -
\??\c:\nnhbhn.exec:\nnhbhn.exe63⤵
- Executes dropped EXE
PID:2932 -
\??\c:\7xxxfxl.exec:\7xxxfxl.exe64⤵
- Executes dropped EXE
PID:828 -
\??\c:\264462.exec:\264462.exe65⤵
- Executes dropped EXE
PID:860 -
\??\c:\tnntbh.exec:\tnntbh.exe66⤵PID:3036
-
\??\c:\vpdvj.exec:\vpdvj.exe67⤵PID:2304
-
\??\c:\xfxlllx.exec:\xfxlllx.exe68⤵PID:1816
-
\??\c:\hbtbnb.exec:\hbtbnb.exe69⤵PID:1700
-
\??\c:\248868.exec:\248868.exe70⤵PID:2324
-
\??\c:\jpddd.exec:\jpddd.exe71⤵PID:2644
-
\??\c:\jdvdp.exec:\jdvdp.exe72⤵PID:2548
-
\??\c:\082462.exec:\082462.exe73⤵PID:624
-
\??\c:\nbhnth.exec:\nbhnth.exe74⤵PID:2636
-
\??\c:\xxxlrrx.exec:\xxxlrrx.exe75⤵PID:968
-
\??\c:\000480.exec:\000480.exe76⤵PID:2252
-
\??\c:\0440408.exec:\0440408.exe77⤵PID:2500
-
\??\c:\jvpjj.exec:\jvpjj.exe78⤵PID:2952
-
\??\c:\tbhttn.exec:\tbhttn.exe79⤵PID:1148
-
\??\c:\646284.exec:\646284.exe80⤵PID:2584
-
\??\c:\4682608.exec:\4682608.exe81⤵PID:2904
-
\??\c:\6062480.exec:\6062480.exe82⤵PID:2340
-
\??\c:\vjddj.exec:\vjddj.exe83⤵PID:2096
-
\??\c:\hthnbh.exec:\hthnbh.exe84⤵PID:2140
-
\??\c:\8228062.exec:\8228062.exe85⤵PID:700
-
\??\c:\k00280.exec:\k00280.exe86⤵PID:840
-
\??\c:\u206680.exec:\u206680.exe87⤵PID:772
-
\??\c:\ppddp.exec:\ppddp.exe88⤵PID:2928
-
\??\c:\bthttt.exec:\bthttt.exe89⤵PID:2036
-
\??\c:\pjjpd.exec:\pjjpd.exe90⤵PID:1744
-
\??\c:\dvvvd.exec:\dvvvd.exe91⤵
- System Location Discovery: System Language Discovery
PID:1544 -
\??\c:\u446244.exec:\u446244.exe92⤵PID:1988
-
\??\c:\bthhnt.exec:\bthhnt.exe93⤵PID:1836
-
\??\c:\hhbnnb.exec:\hhbnnb.exe94⤵PID:2460
-
\??\c:\088402.exec:\088402.exe95⤵
- System Location Discovery: System Language Discovery
PID:2592 -
\??\c:\686864.exec:\686864.exe96⤵PID:2056
-
\??\c:\622802.exec:\622802.exe97⤵PID:2824
-
\??\c:\68686.exec:\68686.exe98⤵
- System Location Discovery: System Language Discovery
PID:2392 -
\??\c:\dvddd.exec:\dvddd.exe99⤵PID:3056
-
\??\c:\24068.exec:\24068.exe100⤵PID:1568
-
\??\c:\g8660.exec:\g8660.exe101⤵PID:2456
-
\??\c:\628486.exec:\628486.exe102⤵PID:1376
-
\??\c:\dpjdp.exec:\dpjdp.exe103⤵PID:1828
-
\??\c:\ttnhtb.exec:\ttnhtb.exe104⤵PID:1572
-
\??\c:\m2062.exec:\m2062.exe105⤵PID:2164
-
\??\c:\ffxlrfl.exec:\ffxlrfl.exe106⤵PID:1640
-
\??\c:\08228.exec:\08228.exe107⤵
- System Location Discovery: System Language Discovery
PID:2228 -
\??\c:\1bbhnt.exec:\1bbhnt.exe108⤵
- System Location Discovery: System Language Discovery
PID:2376 -
\??\c:\lrlxfxf.exec:\lrlxfxf.exe109⤵PID:1728
-
\??\c:\pvdjj.exec:\pvdjj.exe110⤵PID:2388
-
\??\c:\rllxfrf.exec:\rllxfrf.exe111⤵PID:1700
-
\??\c:\fxrxrrl.exec:\fxrxrrl.exe112⤵PID:2192
-
\??\c:\2424068.exec:\2424068.exe113⤵PID:1280
-
\??\c:\8446884.exec:\8446884.exe114⤵PID:2104
-
\??\c:\ppvvj.exec:\ppvvj.exe115⤵PID:1704
-
\??\c:\664282.exec:\664282.exe116⤵PID:2892
-
\??\c:\26846.exec:\26846.exe117⤵PID:1964
-
\??\c:\3dvdp.exec:\3dvdp.exe118⤵PID:2964
-
\??\c:\pvddj.exec:\pvddj.exe119⤵PID:2900
-
\??\c:\400246.exec:\400246.exe120⤵PID:2148
-
\??\c:\5dppd.exec:\5dppd.exe121⤵PID:2952
-
\??\c:\848002.exec:\848002.exe122⤵PID:2848