Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 10:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f6dfbd075628b876b76f46a122f83d98c10e323b6a079d798d7f2ad500d205bfN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
f6dfbd075628b876b76f46a122f83d98c10e323b6a079d798d7f2ad500d205bfN.exe
-
Size
454KB
-
MD5
299e44dbd8aa0f5d1f42f92c88fc4bc0
-
SHA1
ab20061d5af428a278dac9be3c0de406dfad713c
-
SHA256
f6dfbd075628b876b76f46a122f83d98c10e323b6a079d798d7f2ad500d205bf
-
SHA512
2d79c55e6dd37d6ba493539b15f8c6e781260c6cca90bb142abf1c074635e9b172ee1048b047014b90e5f831c40b9c9b8fa26df69ebcb5d8d9915f8289fe80e2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1996-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-86-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2752-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-75-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2916-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-142-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2112-162-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2252-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-512-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/548-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-538-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2160-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-580-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1376-702-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2076-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-730-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1488-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-493-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/944-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-405-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2352-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-371-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2812-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1380-206-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2088-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2328-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1112-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-956-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1704 22642.exe 1948 xrlrxlf.exe 2468 5xrrxfl.exe 2848 hbnthn.exe 2980 1vpvj.exe 2564 tbthnb.exe 2732 08668.exe 2752 40484.exe 2720 dvjpd.exe 2452 20886.exe 2916 7jdjp.exe 572 2006686.exe 1112 2022828.exe 3000 rfxfrrf.exe 2328 64606.exe 2112 5lllxxf.exe 1544 lllxffr.exe 2524 k04062.exe 2216 448022.exe 2088 3frxffr.exe 1380 20220.exe 2608 82440.exe 1832 pjjjp.exe 2252 jdppd.exe 1096 lllrflr.exe 548 264022.exe 2400 nhbntb.exe 2420 bnnnbh.exe 1036 664422.exe 1756 608084.exe 1688 1rrlxxl.exe 2432 ffxxffr.exe 2584 q26428.exe 2572 6440800.exe 2472 466486.exe 2468 1hbntt.exe 2812 ppjdj.exe 2852 220202.exe 2980 rrfrxfx.exe 2564 nnhhbn.exe 2344 s4462.exe 536 642400.exe 2780 xllfrrl.exe 2136 264406.exe 684 i828608.exe 2352 442462.exe 568 086682.exe 2704 4862468.exe 2052 642866.exe 2900 6020286.exe 2192 lfxlffr.exe 944 0806286.exe 808 5xrrxfl.exe 2096 ppdjv.exe 1160 4868468.exe 2644 04082.exe 2620 hhtthh.exe 1032 2268402.exe 1380 608084.exe 1040 tnbhht.exe 2276 004644.exe 1516 00842.exe 2252 jdvvp.exe 1608 dpjjp.exe -
resource yara_rule behavioral1/memory/1996-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-75-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2916-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-599-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2272-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-723-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2580-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1112-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-931-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1648-956-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-1072-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-1139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2824-1171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-1264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/720-1295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/552-1344-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0462046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u228400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4868468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4484026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1996 wrote to memory of 1704 1996 f6dfbd075628b876b76f46a122f83d98c10e323b6a079d798d7f2ad500d205bfN.exe 30 PID 1996 wrote to memory of 1704 1996 f6dfbd075628b876b76f46a122f83d98c10e323b6a079d798d7f2ad500d205bfN.exe 30 PID 1996 wrote to memory of 1704 1996 f6dfbd075628b876b76f46a122f83d98c10e323b6a079d798d7f2ad500d205bfN.exe 30 PID 1996 wrote to memory of 1704 1996 f6dfbd075628b876b76f46a122f83d98c10e323b6a079d798d7f2ad500d205bfN.exe 30 PID 1704 wrote to memory of 1948 1704 22642.exe 31 PID 1704 wrote to memory of 1948 1704 22642.exe 31 PID 1704 wrote to memory of 1948 1704 22642.exe 31 PID 1704 wrote to memory of 1948 1704 22642.exe 31 PID 1948 wrote to memory of 2468 1948 xrlrxlf.exe 65 PID 1948 wrote to memory of 2468 1948 xrlrxlf.exe 65 PID 1948 wrote to memory of 2468 1948 xrlrxlf.exe 65 PID 1948 wrote to memory of 2468 1948 xrlrxlf.exe 65 PID 2468 wrote to memory of 2848 2468 5xrrxfl.exe 33 PID 2468 wrote to memory of 2848 2468 5xrrxfl.exe 33 PID 2468 wrote to memory of 2848 2468 5xrrxfl.exe 33 PID 2468 wrote to memory of 2848 2468 5xrrxfl.exe 33 PID 2848 wrote to memory of 2980 2848 hbnthn.exe 68 PID 2848 wrote to memory of 2980 2848 hbnthn.exe 68 PID 2848 wrote to memory of 2980 2848 hbnthn.exe 68 PID 2848 wrote to memory of 2980 2848 hbnthn.exe 68 PID 2980 wrote to memory of 2564 2980 1vpvj.exe 69 PID 2980 wrote to memory of 2564 2980 1vpvj.exe 69 PID 2980 wrote to memory of 2564 2980 1vpvj.exe 69 PID 2980 wrote to memory of 2564 2980 1vpvj.exe 69 PID 2564 wrote to memory of 2732 2564 tbthnb.exe 36 PID 2564 wrote to memory of 2732 2564 tbthnb.exe 36 PID 2564 wrote to memory of 2732 2564 tbthnb.exe 36 PID 2564 wrote to memory of 2732 2564 tbthnb.exe 36 PID 2732 wrote to memory of 2752 2732 08668.exe 37 PID 2732 wrote to memory of 2752 2732 08668.exe 37 PID 2732 wrote to memory of 2752 2732 08668.exe 37 PID 2732 wrote to memory of 2752 2732 08668.exe 37 PID 2752 wrote to memory of 2720 2752 40484.exe 38 PID 2752 wrote 
to memory of 2720 2752 40484.exe 38 PID 2752 wrote to memory of 2720 2752 40484.exe 38 PID 2752 wrote to memory of 2720 2752 40484.exe 38 PID 2720 wrote to memory of 2452 2720 dvjpd.exe 39 PID 2720 wrote to memory of 2452 2720 dvjpd.exe 39 PID 2720 wrote to memory of 2452 2720 dvjpd.exe 39 PID 2720 wrote to memory of 2452 2720 dvjpd.exe 39 PID 2452 wrote to memory of 2916 2452 20886.exe 40 PID 2452 wrote to memory of 2916 2452 20886.exe 40 PID 2452 wrote to memory of 2916 2452 20886.exe 40 PID 2452 wrote to memory of 2916 2452 20886.exe 40 PID 2916 wrote to memory of 572 2916 7jdjp.exe 41 PID 2916 wrote to memory of 572 2916 7jdjp.exe 41 PID 2916 wrote to memory of 572 2916 7jdjp.exe 41 PID 2916 wrote to memory of 572 2916 7jdjp.exe 41 PID 572 wrote to memory of 1112 572 2006686.exe 42 PID 572 wrote to memory of 1112 572 2006686.exe 42 PID 572 wrote to memory of 1112 572 2006686.exe 42 PID 572 wrote to memory of 1112 572 2006686.exe 42 PID 1112 wrote to memory of 3000 1112 2022828.exe 43 PID 1112 wrote to memory of 3000 1112 2022828.exe 43 PID 1112 wrote to memory of 3000 1112 2022828.exe 43 PID 1112 wrote to memory of 3000 1112 2022828.exe 43 PID 3000 wrote to memory of 2328 3000 rfxfrrf.exe 44 PID 3000 wrote to memory of 2328 3000 rfxfrrf.exe 44 PID 3000 wrote to memory of 2328 3000 rfxfrrf.exe 44 PID 3000 wrote to memory of 2328 3000 rfxfrrf.exe 44 PID 2328 wrote to memory of 2112 2328 64606.exe 45 PID 2328 wrote to memory of 2112 2328 64606.exe 45 PID 2328 wrote to memory of 2112 2328 64606.exe 45 PID 2328 wrote to memory of 2112 2328 64606.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6dfbd075628b876b76f46a122f83d98c10e323b6a079d798d7f2ad500d205bfN.exe"C:\Users\Admin\AppData\Local\Temp\f6dfbd075628b876b76f46a122f83d98c10e323b6a079d798d7f2ad500d205bfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\22642.exec:\22642.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\xrlrxlf.exec:\xrlrxlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\5xrrxfl.exec:\5xrrxfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\hbnthn.exec:\hbnthn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\1vpvj.exec:\1vpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\tbthnb.exec:\tbthnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\08668.exec:\08668.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\40484.exec:\40484.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\dvjpd.exec:\dvjpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\20886.exec:\20886.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\7jdjp.exec:\7jdjp.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\2006686.exec:\2006686.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\2022828.exec:\2022828.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\rfxfrrf.exec:\rfxfrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\64606.exec:\64606.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\5lllxxf.exec:\5lllxxf.exe17⤵
- Executes dropped EXE
PID:2112 -
\??\c:\lllxffr.exec:\lllxffr.exe18⤵
- Executes dropped EXE
PID:1544 -
\??\c:\k04062.exec:\k04062.exe19⤵
- Executes dropped EXE
PID:2524 -
\??\c:\448022.exec:\448022.exe20⤵
- Executes dropped EXE
PID:2216 -
\??\c:\3frxffr.exec:\3frxffr.exe21⤵
- Executes dropped EXE
PID:2088 -
\??\c:\20220.exec:\20220.exe22⤵
- Executes dropped EXE
PID:1380 -
\??\c:\82440.exec:\82440.exe23⤵
- Executes dropped EXE
PID:2608 -
\??\c:\pjjjp.exec:\pjjjp.exe24⤵
- Executes dropped EXE
PID:1832 -
\??\c:\jdppd.exec:\jdppd.exe25⤵
- Executes dropped EXE
PID:2252 -
\??\c:\lllrflr.exec:\lllrflr.exe26⤵
- Executes dropped EXE
PID:1096 -
\??\c:\264022.exec:\264022.exe27⤵
- Executes dropped EXE
PID:548 -
\??\c:\nhbntb.exec:\nhbntb.exe28⤵
- Executes dropped EXE
PID:2400 -
\??\c:\bnnnbh.exec:\bnnnbh.exe29⤵
- Executes dropped EXE
PID:2420 -
\??\c:\664422.exec:\664422.exe30⤵
- Executes dropped EXE
PID:1036 -
\??\c:\608084.exec:\608084.exe31⤵
- Executes dropped EXE
PID:1756 -
\??\c:\1rrlxxl.exec:\1rrlxxl.exe32⤵
- Executes dropped EXE
PID:1688 -
\??\c:\ffxxffr.exec:\ffxxffr.exe33⤵
- Executes dropped EXE
PID:2432 -
\??\c:\q26428.exec:\q26428.exe34⤵
- Executes dropped EXE
PID:2584 -
\??\c:\6440800.exec:\6440800.exe35⤵
- Executes dropped EXE
PID:2572 -
\??\c:\466486.exec:\466486.exe36⤵
- Executes dropped EXE
PID:2472 -
\??\c:\1hbntt.exec:\1hbntt.exe37⤵
- Executes dropped EXE
PID:2468 -
\??\c:\ppjdj.exec:\ppjdj.exe38⤵
- Executes dropped EXE
PID:2812 -
\??\c:\220202.exec:\220202.exe39⤵
- Executes dropped EXE
PID:2852 -
\??\c:\rrfrxfx.exec:\rrfrxfx.exe40⤵
- Executes dropped EXE
PID:2980 -
\??\c:\nnhhbn.exec:\nnhhbn.exe41⤵
- Executes dropped EXE
PID:2564 -
\??\c:\s4462.exec:\s4462.exe42⤵
- Executes dropped EXE
PID:2344 -
\??\c:\642400.exec:\642400.exe43⤵
- Executes dropped EXE
PID:536 -
\??\c:\xllfrrl.exec:\xllfrrl.exe44⤵
- Executes dropped EXE
PID:2780 -
\??\c:\264406.exec:\264406.exe45⤵
- Executes dropped EXE
PID:2136 -
\??\c:\i828608.exec:\i828608.exe46⤵
- Executes dropped EXE
PID:684 -
\??\c:\442462.exec:\442462.exe47⤵
- Executes dropped EXE
PID:2352 -
\??\c:\086682.exec:\086682.exe48⤵
- Executes dropped EXE
PID:568 -
\??\c:\4862468.exec:\4862468.exe49⤵
- Executes dropped EXE
PID:2704 -
\??\c:\642866.exec:\642866.exe50⤵
- Executes dropped EXE
PID:2052 -
\??\c:\6020286.exec:\6020286.exe51⤵
- Executes dropped EXE
PID:2900 -
\??\c:\lfxlffr.exec:\lfxlffr.exe52⤵
- Executes dropped EXE
PID:2192 -
\??\c:\0806286.exec:\0806286.exe53⤵
- Executes dropped EXE
PID:944 -
\??\c:\5xrrxfl.exec:\5xrrxfl.exe54⤵
- Executes dropped EXE
PID:808 -
\??\c:\ppdjv.exec:\ppdjv.exe55⤵
- Executes dropped EXE
PID:2096 -
\??\c:\4868468.exec:\4868468.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1160 -
\??\c:\04082.exec:\04082.exe57⤵
- Executes dropped EXE
PID:2644 -
\??\c:\hhtthh.exec:\hhtthh.exe58⤵
- Executes dropped EXE
PID:2620 -
\??\c:\2268402.exec:\2268402.exe59⤵
- Executes dropped EXE
PID:1032 -
\??\c:\608084.exec:\608084.exe60⤵
- Executes dropped EXE
PID:1380 -
\??\c:\tnbhht.exec:\tnbhht.exe61⤵
- Executes dropped EXE
PID:1040 -
\??\c:\004644.exec:\004644.exe62⤵
- Executes dropped EXE
PID:2276 -
\??\c:\00842.exec:\00842.exe63⤵
- Executes dropped EXE
PID:1516 -
\??\c:\jdvvp.exec:\jdvvp.exe64⤵
- Executes dropped EXE
PID:2252 -
\??\c:\dpjjp.exec:\dpjjp.exe65⤵
- Executes dropped EXE
PID:1608 -
\??\c:\o040226.exec:\o040226.exe66⤵PID:1560
-
\??\c:\ntntnt.exec:\ntntnt.exe67⤵PID:548
-
\??\c:\u084268.exec:\u084268.exe68⤵PID:1656
-
\??\c:\dddpd.exec:\dddpd.exe69⤵PID:1652
-
\??\c:\g6028.exec:\g6028.exe70⤵PID:1988
-
\??\c:\q08028.exec:\q08028.exe71⤵PID:1756
-
\??\c:\hbtbnb.exec:\hbtbnb.exe72⤵PID:1588
-
\??\c:\6480228.exec:\6480228.exe73⤵PID:2160
-
\??\c:\264062.exec:\264062.exe74⤵PID:2584
-
\??\c:\886288.exec:\886288.exe75⤵PID:2140
-
\??\c:\2606406.exec:\2606406.exe76⤵PID:2472
-
\??\c:\vdpjd.exec:\vdpjd.exe77⤵PID:2808
-
\??\c:\tbtnbh.exec:\tbtnbh.exe78⤵PID:2860
-
\??\c:\hhbbnh.exec:\hhbbnh.exe79⤵PID:2976
-
\??\c:\llxlrrf.exec:\llxlrrf.exe80⤵PID:2960
-
\??\c:\btnbhn.exec:\btnbhn.exe81⤵PID:2728
-
\??\c:\dvdjp.exec:\dvdjp.exe82⤵PID:2828
-
\??\c:\9pjjv.exec:\9pjjv.exe83⤵PID:2876
-
\??\c:\g6060.exec:\g6060.exe84⤵PID:1584
-
\??\c:\dvppd.exec:\dvppd.exe85⤵PID:2356
-
\??\c:\nnbhth.exec:\nnbhth.exe86⤵PID:2780
-
\??\c:\2824848.exec:\2824848.exe87⤵PID:2764
-
\??\c:\04220.exec:\04220.exe88⤵PID:1488
-
\??\c:\82624.exec:\82624.exe89⤵PID:2492
-
\??\c:\608466.exec:\608466.exe90⤵PID:2936
-
\??\c:\nnbhhn.exec:\nnbhhn.exe91⤵PID:3028
-
\??\c:\3rffrxf.exec:\3rffrxf.exe92⤵PID:3008
-
\??\c:\vpjdp.exec:\vpjdp.exe93⤵PID:2920
-
\??\c:\bbthbh.exec:\bbthbh.exe94⤵PID:2336
-
\??\c:\82624.exec:\82624.exe95⤵PID:1376
-
\??\c:\tnhhnn.exec:\tnhhnn.exe96⤵PID:2272
-
\??\c:\btntnn.exec:\btntnn.exe97⤵PID:2556
-
\??\c:\48466.exec:\48466.exe98⤵PID:2076
-
\??\c:\7dvdp.exec:\7dvdp.exe99⤵PID:1792
-
\??\c:\flflxfr.exec:\flflxfr.exe100⤵PID:2580
-
\??\c:\4428064.exec:\4428064.exe101⤵PID:2608
-
\??\c:\vpdjp.exec:\vpdjp.exe102⤵PID:2448
-
\??\c:\hhhhnt.exec:\hhhhnt.exe103⤵PID:1832
-
\??\c:\pdjjv.exec:\pdjjv.exe104⤵PID:1604
-
\??\c:\8606406.exec:\8606406.exe105⤵PID:1516
-
\??\c:\pjvjj.exec:\pjvjj.exe106⤵PID:2252
-
\??\c:\660240.exec:\660240.exe107⤵PID:1096
-
\??\c:\s2022.exec:\s2022.exe108⤵PID:1560
-
\??\c:\ffrxrfx.exec:\ffrxrfx.exe109⤵PID:548
-
\??\c:\486284.exec:\486284.exe110⤵PID:1348
-
\??\c:\822840.exec:\822840.exe111⤵PID:2008
-
\??\c:\4806408.exec:\4806408.exe112⤵PID:2024
-
\??\c:\482028.exec:\482028.exe113⤵PID:2640
-
\??\c:\00068.exec:\00068.exe114⤵
- System Location Discovery: System Language Discovery
PID:2432 -
\??\c:\9xrrflf.exec:\9xrrflf.exe115⤵PID:880
-
\??\c:\djdvj.exec:\djdvj.exe116⤵PID:2364
-
\??\c:\e64028.exec:\e64028.exe117⤵PID:2948
-
\??\c:\00246.exec:\00246.exe118⤵PID:2848
-
\??\c:\xxlflrx.exec:\xxlflrx.exe119⤵PID:1620
-
\??\c:\hbntnt.exec:\hbntnt.exe120⤵PID:2296
-
\??\c:\44246.exec:\44246.exe121⤵PID:2588
-
\??\c:\0422446.exec:\0422446.exe122⤵PID:2980