Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 04:29
Behavioral task
behavioral1
Sample
373c8790ab47d0db98fa504889ebdac29b6c46db05c1b1fba9211e913c95dd43N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
373c8790ab47d0db98fa504889ebdac29b6c46db05c1b1fba9211e913c95dd43N.exe
-
Size
332KB
-
MD5
7f4296ed797775b852a1a0ab3b047a30
-
SHA1
36a4eb32effcdb6503dbe16ae03124a09df8840b
-
SHA256
373c8790ab47d0db98fa504889ebdac29b6c46db05c1b1fba9211e913c95dd43
-
SHA512
796e8ec7c5202387fcad44855531a568f141e6e207714bb5af53f52ea2595f29c5d78597e9ff05b6bc4e135de418e5209dc0ff1f2a37ea2af4729674f749a76e
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeH9:R4wFHoSHYHUrAwfMp3CDH9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/532-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2388-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1728-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2840-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2420-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2944-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3068-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2812-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2824-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2272-103-0x00000000005C0000-0x00000000005E7000-memory.dmp family_blackmoon behavioral1/memory/2272-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2312-108-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2828-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1936-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2312-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1496-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1668-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2972-161-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2012-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2132-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/756-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1280-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2384-251-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2168-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2320-268-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2416-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/788-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2948-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2192-354-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2756-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2880-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2952-391-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2740-453-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1280-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1664-492-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1572-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-616-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2116-653-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/820-716-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1664-754-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2284-6251-0x00000000770C0000-0x00000000771DF000-memory.dmp family_blackmoon 
behavioral1/memory/2284-18212-0x00000000771E0000-0x00000000772DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2388 868888.exe 1728 rlxxfrf.exe 2840 3frrrrf.exe 2420 1vpjp.exe 2944 7bnnbb.exe 3024 64248.exe 3068 202206.exe 2824 dpvjv.exe 2812 llfxflx.exe 2676 dvddp.exe 2272 hbnnbh.exe 2312 vvpdp.exe 2828 88680.exe 1936 8202440.exe 2884 fxlrffr.exe 1496 rrlxllx.exe 1668 flfxflr.exe 2972 666824.exe 2012 1ntttt.exe 2132 1lrllrr.exe 756 5djjv.exe 704 64006.exe 1280 22840.exe 1920 26402.exe 2100 o480284.exe 2044 8248668.exe 1464 lxfxfxf.exe 1044 3vdjd.exe 2384 bthnbh.exe 2168 ffrrflr.exe 2320 e44620.exe 880 nhbbbh.exe 2416 xrlrxlx.exe 1488 2006286.exe 2332 xrrxrll.exe 2728 q64400.exe 788 a4686.exe 2736 frxxxrf.exe 2784 lxlflfl.exe 2932 xxrfxrf.exe 2928 g6828.exe 2652 tnnthb.exe 2192 60280.exe 2948 7btbbb.exe 3068 8262880.exe 2756 4206266.exe 2664 llrfllx.exe 2656 4202846.exe 3032 08662.exe 2456 82624.exe 2880 7lxfffl.exe 2952 4244046.exe 2632 080840.exe 1368 httnhb.exe 2300 e08428.exe 2884 hbnntn.exe 1908 266288.exe 2732 268406.exe 1864 262206.exe 2120 tthbhh.exe 664 btnhnn.exe 1352 tnbhtn.exe 236 260246.exe 2740 g6068.exe -
resource yara_rule behavioral1/memory/532-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000c000000012263-5.dat upx behavioral1/memory/532-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2388-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019490-17.dat upx behavioral1/memory/1728-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001949d-25.dat upx behavioral1/files/0x00060000000194d0-34.dat upx behavioral1/memory/2840-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000194da-42.dat upx behavioral1/memory/2420-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2944-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000194e4-52.dat upx behavioral1/files/0x00070000000194e6-60.dat upx behavioral1/memory/3068-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019551-69.dat upx behavioral1/files/0x000500000001a495-78.dat upx behavioral1/memory/2812-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2824-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4a5-86.dat upx behavioral1/files/0x000500000001a4ab-93.dat upx behavioral1/memory/2312-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2272-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4ad-101.dat upx behavioral1/files/0x0008000000019429-114.dat upx behavioral1/memory/2828-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4af-121.dat upx behavioral1/files/0x000500000001a4b1-129.dat upx behavioral1/memory/2884-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1936-128-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2312-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b3-139.dat upx behavioral1/memory/1496-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b5-149.dat upx behavioral1/memory/1668-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b7-157.dat upx behavioral1/files/0x000500000001a4b9-167.dat upx behavioral1/memory/2012-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4bb-174.dat upx behavioral1/memory/2012-175-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2012-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2132-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4bd-183.dat upx behavioral1/memory/756-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/756-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4bf-193.dat upx behavioral1/files/0x000500000001a4c1-201.dat upx behavioral1/files/0x000500000001a4c3-208.dat upx behavioral1/memory/1280-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c5-215.dat upx behavioral1/memory/2100-216-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c7-223.dat upx behavioral1/memory/2044-224-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1280-232-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001a4c9-230.dat upx behavioral1/memory/1464-239-0x00000000003C0000-0x00000000003E7000-memory.dmp upx behavioral1/files/0x000500000001a4cb-240.dat upx behavioral1/files/0x000500000001a4cd-247.dat upx behavioral1/files/0x000500000001a4cf-255.dat upx behavioral1/files/0x000500000001a4d1-265.dat upx behavioral1/memory/2168-264-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/files/0x000500000001a4d4-272.dat upx behavioral1/memory/2416-284-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2332-290-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k68882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e42202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w24622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08006.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 532 wrote to memory of 2388 532 373c8790ab47d0db98fa504889ebdac29b6c46db05c1b1fba9211e913c95dd43N.exe 31 PID 532 wrote to memory of 2388 532 373c8790ab47d0db98fa504889ebdac29b6c46db05c1b1fba9211e913c95dd43N.exe 31 PID 532 wrote to memory of 2388 532 373c8790ab47d0db98fa504889ebdac29b6c46db05c1b1fba9211e913c95dd43N.exe 31 PID 532 wrote to memory of 2388 532 373c8790ab47d0db98fa504889ebdac29b6c46db05c1b1fba9211e913c95dd43N.exe 31 PID 2388 wrote to memory of 1728 2388 868888.exe 32 PID 2388 wrote to memory of 1728 2388 868888.exe 32 PID 2388 wrote to memory of 1728 2388 868888.exe 32 PID 2388 wrote to memory of 1728 2388 868888.exe 32 PID 1728 wrote to memory of 2840 1728 rlxxfrf.exe 33 PID 1728 wrote to memory of 2840 1728 rlxxfrf.exe 33 PID 1728 wrote to memory of 2840 1728 rlxxfrf.exe 33 PID 1728 wrote to memory of 2840 1728 rlxxfrf.exe 33 PID 2840 wrote to memory of 2420 2840 3frrrrf.exe 34 PID 2840 wrote to memory of 2420 2840 3frrrrf.exe 34 PID 2840 wrote to memory of 2420 2840 3frrrrf.exe 34 PID 2840 wrote to memory of 2420 2840 3frrrrf.exe 34 PID 2420 wrote to memory of 2944 2420 1vpjp.exe 35 PID 2420 wrote to memory of 2944 2420 1vpjp.exe 35 PID 2420 wrote to memory of 2944 2420 1vpjp.exe 35 PID 2420 wrote to memory of 2944 2420 1vpjp.exe 35 PID 2944 wrote to memory of 3024 2944 7bnnbb.exe 36 PID 2944 wrote to memory of 3024 2944 7bnnbb.exe 36 PID 2944 wrote to memory of 3024 2944 7bnnbb.exe 36 PID 2944 wrote to memory of 3024 2944 7bnnbb.exe 36 PID 3024 wrote to memory of 3068 3024 64248.exe 37 PID 3024 wrote to memory of 3068 3024 64248.exe 37 PID 3024 wrote to memory of 3068 3024 64248.exe 37 PID 3024 wrote to memory of 3068 3024 64248.exe 37 PID 3068 wrote to memory of 2824 3068 202206.exe 38 PID 3068 wrote to memory of 2824 3068 202206.exe 38 PID 3068 wrote to memory of 2824 3068 202206.exe 38 PID 3068 wrote to memory of 2824 3068 202206.exe 38 PID 2824 wrote to memory of 2812 2824 dpvjv.exe 39 PID 2824 wrote to 
memory of 2812 2824 dpvjv.exe 39 PID 2824 wrote to memory of 2812 2824 dpvjv.exe 39 PID 2824 wrote to memory of 2812 2824 dpvjv.exe 39 PID 2812 wrote to memory of 2676 2812 llfxflx.exe 40 PID 2812 wrote to memory of 2676 2812 llfxflx.exe 40 PID 2812 wrote to memory of 2676 2812 llfxflx.exe 40 PID 2812 wrote to memory of 2676 2812 llfxflx.exe 40 PID 2676 wrote to memory of 2272 2676 dvddp.exe 41 PID 2676 wrote to memory of 2272 2676 dvddp.exe 41 PID 2676 wrote to memory of 2272 2676 dvddp.exe 41 PID 2676 wrote to memory of 2272 2676 dvddp.exe 41 PID 2272 wrote to memory of 2312 2272 hbnnbh.exe 42 PID 2272 wrote to memory of 2312 2272 hbnnbh.exe 42 PID 2272 wrote to memory of 2312 2272 hbnnbh.exe 42 PID 2272 wrote to memory of 2312 2272 hbnnbh.exe 42 PID 2312 wrote to memory of 2828 2312 vvpdp.exe 43 PID 2312 wrote to memory of 2828 2312 vvpdp.exe 43 PID 2312 wrote to memory of 2828 2312 vvpdp.exe 43 PID 2312 wrote to memory of 2828 2312 vvpdp.exe 43 PID 2828 wrote to memory of 1936 2828 88680.exe 44 PID 2828 wrote to memory of 1936 2828 88680.exe 44 PID 2828 wrote to memory of 1936 2828 88680.exe 44 PID 2828 wrote to memory of 1936 2828 88680.exe 44 PID 1936 wrote to memory of 2884 1936 8202440.exe 45 PID 1936 wrote to memory of 2884 1936 8202440.exe 45 PID 1936 wrote to memory of 2884 1936 8202440.exe 45 PID 1936 wrote to memory of 2884 1936 8202440.exe 45 PID 2884 wrote to memory of 1496 2884 fxlrffr.exe 46 PID 2884 wrote to memory of 1496 2884 fxlrffr.exe 46 PID 2884 wrote to memory of 1496 2884 fxlrffr.exe 46 PID 2884 wrote to memory of 1496 2884 fxlrffr.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\373c8790ab47d0db98fa504889ebdac29b6c46db05c1b1fba9211e913c95dd43N.exe"C:\Users\Admin\AppData\Local\Temp\373c8790ab47d0db98fa504889ebdac29b6c46db05c1b1fba9211e913c95dd43N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\868888.exec:\868888.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\rlxxfrf.exec:\rlxxfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\3frrrrf.exec:\3frrrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\1vpjp.exec:\1vpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\7bnnbb.exec:\7bnnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\64248.exec:\64248.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\202206.exec:\202206.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\dpvjv.exec:\dpvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\llfxflx.exec:\llfxflx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\dvddp.exec:\dvddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\hbnnbh.exec:\hbnnbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\vvpdp.exec:\vvpdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\88680.exec:\88680.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\8202440.exec:\8202440.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\fxlrffr.exec:\fxlrffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\rrlxllx.exec:\rrlxllx.exe17⤵
- Executes dropped EXE
PID:1496 -
\??\c:\flfxflr.exec:\flfxflr.exe18⤵
- Executes dropped EXE
PID:1668 -
\??\c:\666824.exec:\666824.exe19⤵
- Executes dropped EXE
PID:2972 -
\??\c:\1ntttt.exec:\1ntttt.exe20⤵
- Executes dropped EXE
PID:2012 -
\??\c:\1lrllrr.exec:\1lrllrr.exe21⤵
- Executes dropped EXE
PID:2132 -
\??\c:\5djjv.exec:\5djjv.exe22⤵
- Executes dropped EXE
PID:756 -
\??\c:\64006.exec:\64006.exe23⤵
- Executes dropped EXE
PID:704 -
\??\c:\22840.exec:\22840.exe24⤵
- Executes dropped EXE
PID:1280 -
\??\c:\26402.exec:\26402.exe25⤵
- Executes dropped EXE
PID:1920 -
\??\c:\o480284.exec:\o480284.exe26⤵
- Executes dropped EXE
PID:2100 -
\??\c:\8248668.exec:\8248668.exe27⤵
- Executes dropped EXE
PID:2044 -
\??\c:\lxfxfxf.exec:\lxfxfxf.exe28⤵
- Executes dropped EXE
PID:1464 -
\??\c:\3vdjd.exec:\3vdjd.exe29⤵
- Executes dropped EXE
PID:1044 -
\??\c:\bthnbh.exec:\bthnbh.exe30⤵
- Executes dropped EXE
PID:2384 -
\??\c:\ffrrflr.exec:\ffrrflr.exe31⤵
- Executes dropped EXE
PID:2168 -
\??\c:\e44620.exec:\e44620.exe32⤵
- Executes dropped EXE
PID:2320 -
\??\c:\nhbbbh.exec:\nhbbbh.exe33⤵
- Executes dropped EXE
PID:880 -
\??\c:\xrlrxlx.exec:\xrlrxlx.exe34⤵
- Executes dropped EXE
PID:2416 -
\??\c:\2006286.exec:\2006286.exe35⤵
- Executes dropped EXE
PID:1488 -
\??\c:\xrrxrll.exec:\xrrxrll.exe36⤵
- Executes dropped EXE
PID:2332 -
\??\c:\q64400.exec:\q64400.exe37⤵
- Executes dropped EXE
PID:2728 -
\??\c:\a4686.exec:\a4686.exe38⤵
- Executes dropped EXE
PID:788 -
\??\c:\frxxxrf.exec:\frxxxrf.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\lxlflfl.exec:\lxlflfl.exe40⤵
- Executes dropped EXE
PID:2784 -
\??\c:\xxrfxrf.exec:\xxrfxrf.exe41⤵
- Executes dropped EXE
PID:2932 -
\??\c:\g6828.exec:\g6828.exe42⤵
- Executes dropped EXE
PID:2928 -
\??\c:\tnnthb.exec:\tnnthb.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\60280.exec:\60280.exe44⤵
- Executes dropped EXE
PID:2192 -
\??\c:\7btbbb.exec:\7btbbb.exe45⤵
- Executes dropped EXE
PID:2948 -
\??\c:\8262880.exec:\8262880.exe46⤵
- Executes dropped EXE
PID:3068 -
\??\c:\4206266.exec:\4206266.exe47⤵
- Executes dropped EXE
PID:2756 -
\??\c:\llrfllx.exec:\llrfllx.exe48⤵
- Executes dropped EXE
PID:2664 -
\??\c:\4202846.exec:\4202846.exe49⤵
- Executes dropped EXE
PID:2656 -
\??\c:\08662.exec:\08662.exe50⤵
- Executes dropped EXE
PID:3032 -
\??\c:\82624.exec:\82624.exe51⤵
- Executes dropped EXE
PID:2456 -
\??\c:\7lxfffl.exec:\7lxfffl.exe52⤵
- Executes dropped EXE
PID:2880 -
\??\c:\4244046.exec:\4244046.exe53⤵
- Executes dropped EXE
PID:2952 -
\??\c:\080840.exec:\080840.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
\??\c:\httnhb.exec:\httnhb.exe55⤵
- Executes dropped EXE
PID:1368 -
\??\c:\e08428.exec:\e08428.exe56⤵
- Executes dropped EXE
PID:2300 -
\??\c:\hbnntn.exec:\hbnntn.exe57⤵
- Executes dropped EXE
PID:2884 -
\??\c:\266288.exec:\266288.exe58⤵
- Executes dropped EXE
PID:1908 -
\??\c:\268406.exec:\268406.exe59⤵
- Executes dropped EXE
PID:2732 -
\??\c:\262206.exec:\262206.exe60⤵
- Executes dropped EXE
PID:1864 -
\??\c:\tthbhh.exec:\tthbhh.exe61⤵
- Executes dropped EXE
PID:2120 -
\??\c:\btnhnn.exec:\btnhnn.exe62⤵
- Executes dropped EXE
PID:664 -
\??\c:\tnbhtn.exec:\tnbhtn.exe63⤵
- Executes dropped EXE
PID:1352 -
\??\c:\260246.exec:\260246.exe64⤵
- Executes dropped EXE
PID:236 -
\??\c:\g6068.exec:\g6068.exe65⤵
- Executes dropped EXE
PID:2740 -
\??\c:\m6402.exec:\m6402.exe66⤵PID:2324
-
\??\c:\2608402.exec:\2608402.exe67⤵PID:2268
-
\??\c:\ntnbnb.exec:\ntnbnb.exe68⤵PID:2232
-
\??\c:\0480246.exec:\0480246.exe69⤵PID:1280
-
\??\c:\8228006.exec:\8228006.exe70⤵PID:348
-
\??\c:\btnbhn.exec:\btnbhn.exe71⤵PID:2108
-
\??\c:\bbtntb.exec:\bbtntb.exe72⤵PID:1664
-
\??\c:\o484406.exec:\o484406.exe73⤵PID:888
-
\??\c:\jdpdj.exec:\jdpdj.exe74⤵PID:2440
-
\??\c:\bbbhnn.exec:\bbbhnn.exe75⤵PID:2372
-
\??\c:\7nbbbh.exec:\7nbbbh.exe76⤵PID:2444
-
\??\c:\48002.exec:\48002.exe77⤵PID:2452
-
\??\c:\2606464.exec:\2606464.exe78⤵PID:996
-
\??\c:\xrxlxxl.exec:\xrxlxxl.exe79⤵PID:2292
-
\??\c:\486084.exec:\486084.exe80⤵PID:908
-
\??\c:\60806.exec:\60806.exe81⤵PID:880
-
\??\c:\882684.exec:\882684.exe82⤵PID:1572
-
\??\c:\w86844.exec:\w86844.exe83⤵PID:1488
-
\??\c:\4284668.exec:\4284668.exe84⤵PID:1720
-
\??\c:\608400.exec:\608400.exe85⤵PID:1728
-
\??\c:\bbntnn.exec:\bbntnn.exe86⤵PID:788
-
\??\c:\9nhbnt.exec:\9nhbnt.exe87⤵PID:2488
-
\??\c:\4868028.exec:\4868028.exe88⤵PID:2940
-
\??\c:\7lxxxfr.exec:\7lxxxfr.exe89⤵PID:2752
-
\??\c:\s8680.exec:\s8680.exe90⤵PID:2796
-
\??\c:\086602.exec:\086602.exe91⤵PID:2652
-
\??\c:\xrfrrlr.exec:\xrfrrlr.exe92⤵PID:2820
-
\??\c:\jdpvj.exec:\jdpvj.exe93⤵PID:2900
-
\??\c:\lxrfrlx.exec:\lxrfrlx.exe94⤵PID:2744
-
\??\c:\1jvpd.exec:\1jvpd.exe95⤵PID:2668
-
\??\c:\llflrrf.exec:\llflrrf.exe96⤵PID:1656
-
\??\c:\606844.exec:\606844.exe97⤵PID:2084
-
\??\c:\dvdjd.exec:\dvdjd.exe98⤵PID:2116
-
\??\c:\k60240.exec:\k60240.exe99⤵PID:2456
-
\??\c:\1dvdj.exec:\1dvdj.exe100⤵PID:2960
-
\??\c:\pjpjp.exec:\pjpjp.exe101⤵PID:1952
-
\??\c:\4268062.exec:\4268062.exe102⤵PID:2936
-
\??\c:\280868.exec:\280868.exe103⤵PID:1644
-
\??\c:\246644.exec:\246644.exe104⤵PID:2848
-
\??\c:\824622.exec:\824622.exe105⤵PID:2968
-
\??\c:\rrlrfrl.exec:\rrlrfrl.exe106⤵PID:1908
-
\??\c:\u468628.exec:\u468628.exe107⤵PID:2988
-
\??\c:\ttnbhh.exec:\ttnbhh.exe108⤵PID:1668
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe109⤵PID:2992
-
\??\c:\pdjpp.exec:\pdjpp.exe110⤵PID:1768
-
\??\c:\bhthth.exec:\bhthth.exe111⤵PID:1352
-
\??\c:\7pjpv.exec:\7pjpv.exe112⤵
- System Location Discovery: System Language Discovery
PID:236 -
\??\c:\7bthnt.exec:\7bthnt.exe113⤵PID:2740
-
\??\c:\tnbbnt.exec:\tnbbnt.exe114⤵PID:820
-
\??\c:\jdjdp.exec:\jdjdp.exe115⤵PID:2268
-
\??\c:\486840.exec:\486840.exe116⤵PID:704
-
\??\c:\82446.exec:\82446.exe117⤵PID:1280
-
\??\c:\jjjjv.exec:\jjjjv.exe118⤵PID:348
-
\??\c:\4864668.exec:\4864668.exe119⤵PID:2160
-
\??\c:\w28822.exec:\w28822.exe120⤵PID:1664
-
\??\c:\42822.exec:\42822.exe121⤵PID:2008
-
\??\c:\8844826.exec:\8844826.exe122⤵PID:2144