Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 07:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe
-
Size
454KB
-
MD5
2704c12738a490782606030e0da88d9c
-
SHA1
e3b8f4417a385cae75ffcff8f8abd3a4cf4e02bf
-
SHA256
afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef
-
SHA512
b96e4894df39b8ccc3ab116c2764bdbd510ebac38f21a5a13136ef9faa3370f146c538c6e180294fb1d827e8dc6552b8714b4bdfec87b47eba68bf9725231cfb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTx:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2920-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-77-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2056-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-331-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2836-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-345-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/264-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-256-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2080-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3040-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-184-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1032-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-130-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-96-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/584-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-59-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2716-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/808-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-405-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1888-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/952-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-546-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2644-561-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2968-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1192-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/604-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-1026-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2548-1149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-1166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1908-1237-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1032-1277-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2960 rflffrx.exe 2976 c466224.exe 2968 rflllxf.exe 2716 4288440.exe 2688 pvjvj.exe 2176 thtttt.exe 768 80608.exe 584 nbnbbt.exe 2056 7thbth.exe 2904 rffxfll.exe 2476 s6406.exe 760 0226088.exe 2120 0866600.exe 1840 08484.exe 2028 htbttt.exe 1888 5lrlfrx.exe 1488 u848828.exe 1032 7jvvv.exe 1796 xrlflff.exe 3040 46840.exe 2456 86266.exe 1052 c026644.exe 2624 846660.exe 772 5flfxrr.exe 1556 rxfxxrx.exe 1772 80268.exe 2080 dpvvd.exe 1156 pjpjp.exe 556 pdpvv.exe 1644 u266840.exe 1512 vjdjj.exe 2988 lxllrff.exe 2920 9hbhbh.exe 1608 xxfxfff.exe 2964 s0880.exe 2800 02400.exe 2716 864404.exe 2744 684484.exe 2836 xlflrll.exe 480 w46222.exe 264 3bnntb.exe 808 9dpjj.exe 2908 bnbtbn.exe 2708 80606.exe 2476 m6222.exe 760 9vvvv.exe 296 rfrllff.exe 1096 a6280.exe 1812 6484668.exe 2028 httntb.exe 1888 042266.exe 304 42286.exe 1032 s2002.exe 1676 g4628.exe 2480 i462888.exe 1828 w84466.exe 2556 6088480.exe 2296 vjpdv.exe 1260 ffxxrll.exe 952 pjjjp.exe 944 8240268.exe 1688 2646222.exe 2256 g0842.exe 3048 8688002.exe -
resource yara_rule behavioral1/memory/2920-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-77-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2056-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-256-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2080-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-130-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/584-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-546-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2968-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/604-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-851-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-876-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-901-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-1064-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-1149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1032-1251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-1327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-1377-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q86622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o644400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866244.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c026644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2920 wrote to memory of 2960 2920 afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe 30 PID 2920 wrote to memory of 2960 2920 afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe 30 PID 2920 wrote to memory of 2960 2920 afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe 30 PID 2920 wrote to memory of 2960 2920 afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe 30 PID 2960 wrote to memory of 2976 2960 rflffrx.exe 31 PID 2960 wrote to memory of 2976 2960 rflffrx.exe 31 PID 2960 wrote to memory of 2976 2960 rflffrx.exe 31 PID 2960 wrote to memory of 2976 2960 rflffrx.exe 31 PID 2976 wrote to memory of 2968 2976 c466224.exe 32 PID 2976 wrote to memory of 2968 2976 c466224.exe 32 PID 2976 wrote to memory of 2968 2976 c466224.exe 32 PID 2976 wrote to memory of 2968 2976 c466224.exe 32 PID 2968 wrote to memory of 2716 2968 rflllxf.exe 66 PID 2968 wrote to memory of 2716 2968 rflllxf.exe 66 PID 2968 wrote to memory of 2716 2968 rflllxf.exe 66 PID 2968 wrote to memory of 2716 2968 rflllxf.exe 66 PID 2716 wrote to memory of 2688 2716 4288440.exe 34 PID 2716 wrote to memory of 2688 2716 4288440.exe 34 PID 2716 wrote to memory of 2688 2716 4288440.exe 34 PID 2716 wrote to memory of 2688 2716 4288440.exe 34 PID 2688 wrote to memory of 2176 2688 pvjvj.exe 35 PID 2688 wrote to memory of 2176 2688 pvjvj.exe 35 PID 2688 wrote to memory of 2176 2688 pvjvj.exe 35 PID 2688 wrote to memory of 2176 2688 pvjvj.exe 35 PID 2176 wrote to memory of 768 2176 thtttt.exe 36 PID 2176 wrote to memory of 768 2176 thtttt.exe 36 PID 2176 wrote to memory of 768 2176 thtttt.exe 36 PID 2176 wrote to memory of 768 2176 thtttt.exe 36 PID 768 wrote to memory of 584 768 80608.exe 37 PID 768 wrote to memory of 584 768 80608.exe 37 PID 768 wrote to memory of 584 768 80608.exe 37 PID 768 wrote to memory of 584 768 80608.exe 37 PID 584 wrote to memory of 2056 584 nbnbbt.exe 38 PID 584 wrote to memory 
of 2056 584 nbnbbt.exe 38 PID 584 wrote to memory of 2056 584 nbnbbt.exe 38 PID 584 wrote to memory of 2056 584 nbnbbt.exe 38 PID 2056 wrote to memory of 2904 2056 7thbth.exe 39 PID 2056 wrote to memory of 2904 2056 7thbth.exe 39 PID 2056 wrote to memory of 2904 2056 7thbth.exe 39 PID 2056 wrote to memory of 2904 2056 7thbth.exe 39 PID 2904 wrote to memory of 2476 2904 rffxfll.exe 74 PID 2904 wrote to memory of 2476 2904 rffxfll.exe 74 PID 2904 wrote to memory of 2476 2904 rffxfll.exe 74 PID 2904 wrote to memory of 2476 2904 rffxfll.exe 74 PID 2476 wrote to memory of 760 2476 s6406.exe 75 PID 2476 wrote to memory of 760 2476 s6406.exe 75 PID 2476 wrote to memory of 760 2476 s6406.exe 75 PID 2476 wrote to memory of 760 2476 s6406.exe 75 PID 760 wrote to memory of 2120 760 0226088.exe 42 PID 760 wrote to memory of 2120 760 0226088.exe 42 PID 760 wrote to memory of 2120 760 0226088.exe 42 PID 760 wrote to memory of 2120 760 0226088.exe 42 PID 2120 wrote to memory of 1840 2120 0866600.exe 43 PID 2120 wrote to memory of 1840 2120 0866600.exe 43 PID 2120 wrote to memory of 1840 2120 0866600.exe 43 PID 2120 wrote to memory of 1840 2120 0866600.exe 43 PID 1840 wrote to memory of 2028 1840 08484.exe 44 PID 1840 wrote to memory of 2028 1840 08484.exe 44 PID 1840 wrote to memory of 2028 1840 08484.exe 44 PID 1840 wrote to memory of 2028 1840 08484.exe 44 PID 2028 wrote to memory of 1888 2028 htbttt.exe 45 PID 2028 wrote to memory of 1888 2028 htbttt.exe 45 PID 2028 wrote to memory of 1888 2028 htbttt.exe 45 PID 2028 wrote to memory of 1888 2028 htbttt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe"C:\Users\Admin\AppData\Local\Temp\afac6183669fda99ac108b67d4d4a878a11d54c53932fa0173e0ee24479430ef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\rflffrx.exec:\rflffrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\c466224.exec:\c466224.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\rflllxf.exec:\rflllxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\4288440.exec:\4288440.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\pvjvj.exec:\pvjvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\thtttt.exec:\thtttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\80608.exec:\80608.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\nbnbbt.exec:\nbnbbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\7thbth.exec:\7thbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\rffxfll.exec:\rffxfll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\s6406.exec:\s6406.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\0226088.exec:\0226088.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\0866600.exec:\0866600.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\08484.exec:\08484.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\htbttt.exec:\htbttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\5lrlfrx.exec:\5lrlfrx.exe17⤵
- Executes dropped EXE
PID:1888 -
\??\c:\u848828.exec:\u848828.exe18⤵
- Executes dropped EXE
PID:1488 -
\??\c:\7jvvv.exec:\7jvvv.exe19⤵
- Executes dropped EXE
PID:1032 -
\??\c:\xrlflff.exec:\xrlflff.exe20⤵
- Executes dropped EXE
PID:1796 -
\??\c:\46840.exec:\46840.exe21⤵
- Executes dropped EXE
PID:3040 -
\??\c:\86266.exec:\86266.exe22⤵
- Executes dropped EXE
PID:2456 -
\??\c:\c026644.exec:\c026644.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1052 -
\??\c:\846660.exec:\846660.exe24⤵
- Executes dropped EXE
PID:2624 -
\??\c:\5flfxrr.exec:\5flfxrr.exe25⤵
- Executes dropped EXE
PID:772 -
\??\c:\rxfxxrx.exec:\rxfxxrx.exe26⤵
- Executes dropped EXE
PID:1556 -
\??\c:\80268.exec:\80268.exe27⤵
- Executes dropped EXE
PID:1772 -
\??\c:\dpvvd.exec:\dpvvd.exe28⤵
- Executes dropped EXE
PID:2080 -
\??\c:\pjpjp.exec:\pjpjp.exe29⤵
- Executes dropped EXE
PID:1156 -
\??\c:\pdpvv.exec:\pdpvv.exe30⤵
- Executes dropped EXE
PID:556 -
\??\c:\u266840.exec:\u266840.exe31⤵
- Executes dropped EXE
PID:1644 -
\??\c:\vjdjj.exec:\vjdjj.exe32⤵
- Executes dropped EXE
PID:1512 -
\??\c:\lxllrff.exec:\lxllrff.exe33⤵
- Executes dropped EXE
PID:2988 -
\??\c:\9hbhbh.exec:\9hbhbh.exe34⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xxfxfff.exec:\xxfxfff.exe35⤵
- Executes dropped EXE
PID:1608 -
\??\c:\s0880.exec:\s0880.exe36⤵
- Executes dropped EXE
PID:2964 -
\??\c:\02400.exec:\02400.exe37⤵
- Executes dropped EXE
PID:2800 -
\??\c:\864404.exec:\864404.exe38⤵
- Executes dropped EXE
PID:2716 -
\??\c:\684484.exec:\684484.exe39⤵
- Executes dropped EXE
PID:2744 -
\??\c:\xlflrll.exec:\xlflrll.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\w46222.exec:\w46222.exe41⤵
- Executes dropped EXE
PID:480 -
\??\c:\3bnntb.exec:\3bnntb.exe42⤵
- Executes dropped EXE
PID:264 -
\??\c:\9dpjj.exec:\9dpjj.exe43⤵
- Executes dropped EXE
PID:808 -
\??\c:\bnbtbn.exec:\bnbtbn.exe44⤵
- Executes dropped EXE
PID:2908 -
\??\c:\80606.exec:\80606.exe45⤵
- Executes dropped EXE
PID:2708 -
\??\c:\m6222.exec:\m6222.exe46⤵
- Executes dropped EXE
PID:2476 -
\??\c:\9vvvv.exec:\9vvvv.exe47⤵
- Executes dropped EXE
PID:760 -
\??\c:\rfrllff.exec:\rfrllff.exe48⤵
- Executes dropped EXE
PID:296 -
\??\c:\a6280.exec:\a6280.exe49⤵
- Executes dropped EXE
PID:1096 -
\??\c:\6484668.exec:\6484668.exe50⤵
- Executes dropped EXE
PID:1812 -
\??\c:\httntb.exec:\httntb.exe51⤵
- Executes dropped EXE
PID:2028 -
\??\c:\042266.exec:\042266.exe52⤵
- Executes dropped EXE
PID:1888 -
\??\c:\42286.exec:\42286.exe53⤵
- Executes dropped EXE
PID:304 -
\??\c:\s2002.exec:\s2002.exe54⤵
- Executes dropped EXE
PID:1032 -
\??\c:\g4628.exec:\g4628.exe55⤵
- Executes dropped EXE
PID:1676 -
\??\c:\i462888.exec:\i462888.exe56⤵
- Executes dropped EXE
PID:2480 -
\??\c:\w84466.exec:\w84466.exe57⤵
- Executes dropped EXE
PID:1828 -
\??\c:\6088480.exec:\6088480.exe58⤵
- Executes dropped EXE
PID:2556 -
\??\c:\vjpdv.exec:\vjpdv.exe59⤵
- Executes dropped EXE
PID:2296 -
\??\c:\ffxxrll.exec:\ffxxrll.exe60⤵
- Executes dropped EXE
PID:1260 -
\??\c:\pjjjp.exec:\pjjjp.exe61⤵
- Executes dropped EXE
PID:952 -
\??\c:\8240268.exec:\8240268.exe62⤵
- Executes dropped EXE
PID:944 -
\??\c:\2646222.exec:\2646222.exe63⤵
- Executes dropped EXE
PID:1688 -
\??\c:\g0842.exec:\g0842.exe64⤵
- Executes dropped EXE
PID:2256 -
\??\c:\8688002.exec:\8688002.exe65⤵
- Executes dropped EXE
PID:3048 -
\??\c:\08062.exec:\08062.exe66⤵PID:2264
-
\??\c:\nhbbbh.exec:\nhbbbh.exe67⤵PID:2324
-
\??\c:\202244.exec:\202244.exe68⤵PID:2652
-
\??\c:\nhbhhh.exec:\nhbhhh.exe69⤵PID:1724
-
\??\c:\tnnnbb.exec:\tnnnbb.exe70⤵PID:1704
-
\??\c:\5hnnhh.exec:\5hnnhh.exe71⤵PID:1736
-
\??\c:\8640228.exec:\8640228.exe72⤵PID:2820
-
\??\c:\pppdj.exec:\pppdj.exe73⤵PID:2644
-
\??\c:\84864.exec:\84864.exe74⤵PID:3024
-
\??\c:\0804440.exec:\0804440.exe75⤵PID:2980
-
\??\c:\824628.exec:\824628.exe76⤵PID:2604
-
\??\c:\frlfllr.exec:\frlfllr.exe77⤵PID:2968
-
\??\c:\3lxfllr.exec:\3lxfllr.exe78⤵PID:1192
-
\??\c:\hhtbbb.exec:\hhtbbb.exe79⤵PID:604
-
\??\c:\rflrffl.exec:\rflrffl.exe80⤵PID:2240
-
\??\c:\dpddj.exec:\dpddj.exe81⤵PID:2792
-
\??\c:\8644040.exec:\8644040.exe82⤵PID:2832
-
\??\c:\86000.exec:\86000.exe83⤵PID:2408
-
\??\c:\vjddj.exec:\vjddj.exe84⤵PID:1784
-
\??\c:\jpdjp.exec:\jpdjp.exe85⤵PID:1660
-
\??\c:\80602.exec:\80602.exe86⤵PID:2160
-
\??\c:\60884.exec:\60884.exe87⤵PID:2992
-
\??\c:\4244668.exec:\4244668.exe88⤵PID:2204
-
\??\c:\1lxflrr.exec:\1lxflrr.exe89⤵PID:712
-
\??\c:\8222880.exec:\8222880.exe90⤵PID:1648
-
\??\c:\thntbb.exec:\thntbb.exe91⤵PID:2568
-
\??\c:\jdppp.exec:\jdppp.exe92⤵PID:1840
-
\??\c:\8644040.exec:\8644040.exe93⤵PID:1908
-
\??\c:\xlfrxxl.exec:\xlfrxxl.exe94⤵PID:1516
-
\??\c:\btnntb.exec:\btnntb.exe95⤵PID:1476
-
\??\c:\20884.exec:\20884.exe96⤵PID:2068
-
\??\c:\9lxfflx.exec:\9lxfflx.exe97⤵PID:1428
-
\??\c:\886004.exec:\886004.exe98⤵
- System Location Discovery: System Language Discovery
PID:2184 -
\??\c:\8886084.exec:\8886084.exe99⤵PID:656
-
\??\c:\lfllxfr.exec:\lfllxfr.exe100⤵PID:620
-
\??\c:\bbnnnn.exec:\bbnnnn.exe101⤵PID:2060
-
\??\c:\3dpvj.exec:\3dpvj.exe102⤵PID:1028
-
\??\c:\dvjjp.exec:\dvjjp.exe103⤵PID:2296
-
\??\c:\o066444.exec:\o066444.exe104⤵PID:1920
-
\??\c:\dvpjj.exec:\dvpjj.exe105⤵PID:1556
-
\??\c:\g4280.exec:\g4280.exe106⤵PID:1772
-
\??\c:\8266884.exec:\8266884.exe107⤵PID:1688
-
\??\c:\w42244.exec:\w42244.exe108⤵PID:2256
-
\??\c:\4866606.exec:\4866606.exe109⤵PID:2388
-
\??\c:\642284.exec:\642284.exe110⤵PID:3060
-
\??\c:\7thhht.exec:\7thhht.exe111⤵PID:3064
-
\??\c:\s2008.exec:\s2008.exe112⤵
- System Location Discovery: System Language Discovery
PID:2492 -
\??\c:\btbhnn.exec:\btbhnn.exe113⤵PID:2252
-
\??\c:\e80448.exec:\e80448.exe114⤵PID:2496
-
\??\c:\tnbbnt.exec:\tnbbnt.exe115⤵PID:1732
-
\??\c:\jdvdv.exec:\jdvdv.exe116⤵PID:2820
-
\??\c:\lfrrffr.exec:\lfrrffr.exe117⤵PID:2952
-
\??\c:\3djjp.exec:\3djjp.exe118⤵PID:2828
-
\??\c:\46046.exec:\46046.exe119⤵PID:2692
-
\??\c:\nhbnbh.exec:\nhbnbh.exe120⤵PID:2748
-
\??\c:\a6002.exec:\a6002.exe121⤵PID:2724
-
\??\c:\w20022.exec:\w20022.exe122⤵PID:2740