Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 10:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe
-
Size
454KB
-
MD5
538f1a1627e2e404679d394911cc605a
-
SHA1
5b95f9a85b78128dd96a90b9193dab5dbf58ee51
-
SHA256
e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755
-
SHA512
e0b0c461a6667db735d66dbcb701caa09bff71acc147adb1059434fefc6aa68b6b3aaa4e8e6e37cf909e14255276e6096038d083a6e5e74aa725fa005bc12bac
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1J:q7Tc2NYHUrAwfMp3CD1J
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2372-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/808-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1700-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-231-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2552-251-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/1580-296-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2388-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-327-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2816-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-408-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/784-428-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1964-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-923-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2560-961-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1076-1004-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1076-1024-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2060-1240-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-1282-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2576 k04062.exe 2328 ntnbbt.exe 2508 26086.exe 1780 xxllflr.exe 2892 8202446.exe 2800 1lflrlx.exe 2836 i208008.exe 2700 82080.exe 2740 nhbhtt.exe 2748 20828.exe 2036 6080246.exe 2852 pjpdj.exe 2564 xrflrxl.exe 1724 k08062.exe 2936 268468.exe 2924 nhhnhh.exe 1728 nhnntt.exe 2772 m4846.exe 796 xrflxxr.exe 1772 8806844.exe 808 642866.exe 1324 7htbnn.exe 1700 1bthnt.exe 2556 k86844.exe 1976 2602842.exe 2552 268846.exe 2040 u644280.exe 2144 pjdjv.exe 888 hnhnhh.exe 2760 tnhhtt.exe 1580 8206880.exe 2388 ffxfllr.exe 2504 3jppv.exe 2768 0424022.exe 2508 48280.exe 2816 m4240.exe 2824 202400.exe 2140 04286.exe 2792 64280.exe 2836 jvvdv.exe 2844 m0882.exe 2692 020086.exe 2796 404008.exe 1612 646688.exe 3028 e64626.exe 1532 nhbnth.exe 784 5rlrxxf.exe 1616 m4228.exe 2960 42246.exe 3008 u024268.exe 2112 0484220.exe 2488 xrxflff.exe 1728 nnhnhn.exe 1964 8204064.exe 1496 vddjj.exe 1132 m2602.exe 680 dpdjp.exe 1320 bbhnhb.exe 1484 2606446.exe 1676 nhhnbn.exe 1696 jdjpd.exe 1344 7dvjp.exe 1648 424644.exe 1272 hthbhb.exe -
resource yara_rule behavioral1/memory/2372-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-235-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2556-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-313-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2768-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-750-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1696-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-948-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1320-1268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-1282-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1692-1332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-1339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-1371-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4868406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w20066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k86844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u024268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2024.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2576 2372 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 30 PID 2372 wrote to memory of 2576 2372 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 30 PID 2372 wrote to memory of 2576 2372 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 30 PID 2372 wrote to memory of 2576 2372 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 30 PID 2576 wrote to memory of 2328 2576 k04062.exe 32 PID 2576 wrote to memory of 2328 2576 k04062.exe 32 PID 2576 wrote to memory of 2328 2576 k04062.exe 32 PID 2576 wrote to memory of 2328 2576 k04062.exe 32 PID 2328 wrote to memory of 2508 2328 ntnbbt.exe 33 PID 2328 wrote to memory of 2508 2328 ntnbbt.exe 33 PID 2328 wrote to memory of 2508 2328 ntnbbt.exe 33 PID 2328 wrote to memory of 2508 2328 ntnbbt.exe 33 PID 2508 wrote to memory of 1780 2508 26086.exe 34 PID 2508 wrote to memory of 1780 2508 26086.exe 34 PID 2508 wrote to memory of 1780 2508 26086.exe 34 PID 2508 wrote to memory of 1780 2508 26086.exe 34 PID 1780 wrote to memory of 2892 1780 xxllflr.exe 35 PID 1780 wrote to memory of 2892 1780 xxllflr.exe 35 PID 1780 wrote to memory of 2892 1780 xxllflr.exe 35 PID 1780 wrote to memory of 2892 1780 xxllflr.exe 35 PID 2892 wrote to memory of 2800 2892 8202446.exe 36 PID 2892 wrote to memory of 2800 2892 8202446.exe 36 PID 2892 wrote to memory of 2800 2892 8202446.exe 36 PID 2892 wrote to memory of 2800 2892 8202446.exe 36 PID 2800 wrote to memory of 2836 2800 1lflrlx.exe 37 PID 2800 wrote to memory of 2836 2800 1lflrlx.exe 37 PID 2800 wrote to memory of 2836 2800 1lflrlx.exe 37 PID 2800 wrote to memory of 2836 2800 1lflrlx.exe 37 PID 2836 wrote to memory of 2700 2836 i208008.exe 38 PID 2836 wrote to memory of 2700 2836 i208008.exe 38 PID 2836 wrote to memory of 2700 2836 i208008.exe 38 PID 2836 wrote to memory of 2700 2836 i208008.exe 38 PID 2700 wrote to memory of 2740 2700 82080.exe 39 
PID 2700 wrote to memory of 2740 2700 82080.exe 39 PID 2700 wrote to memory of 2740 2700 82080.exe 39 PID 2700 wrote to memory of 2740 2700 82080.exe 39 PID 2740 wrote to memory of 2748 2740 nhbhtt.exe 40 PID 2740 wrote to memory of 2748 2740 nhbhtt.exe 40 PID 2740 wrote to memory of 2748 2740 nhbhtt.exe 40 PID 2740 wrote to memory of 2748 2740 nhbhtt.exe 40 PID 2748 wrote to memory of 2036 2748 20828.exe 41 PID 2748 wrote to memory of 2036 2748 20828.exe 41 PID 2748 wrote to memory of 2036 2748 20828.exe 41 PID 2748 wrote to memory of 2036 2748 20828.exe 41 PID 2036 wrote to memory of 2852 2036 6080246.exe 42 PID 2036 wrote to memory of 2852 2036 6080246.exe 42 PID 2036 wrote to memory of 2852 2036 6080246.exe 42 PID 2036 wrote to memory of 2852 2036 6080246.exe 42 PID 2852 wrote to memory of 2564 2852 pjpdj.exe 43 PID 2852 wrote to memory of 2564 2852 pjpdj.exe 43 PID 2852 wrote to memory of 2564 2852 pjpdj.exe 43 PID 2852 wrote to memory of 2564 2852 pjpdj.exe 43 PID 2564 wrote to memory of 1724 2564 xrflrxl.exe 44 PID 2564 wrote to memory of 1724 2564 xrflrxl.exe 44 PID 2564 wrote to memory of 1724 2564 xrflrxl.exe 44 PID 2564 wrote to memory of 1724 2564 xrflrxl.exe 44 PID 1724 wrote to memory of 2936 1724 k08062.exe 45 PID 1724 wrote to memory of 2936 1724 k08062.exe 45 PID 1724 wrote to memory of 2936 1724 k08062.exe 45 PID 1724 wrote to memory of 2936 1724 k08062.exe 45 PID 2936 wrote to memory of 2924 2936 268468.exe 46 PID 2936 wrote to memory of 2924 2936 268468.exe 46 PID 2936 wrote to memory of 2924 2936 268468.exe 46 PID 2936 wrote to memory of 2924 2936 268468.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe"C:\Users\Admin\AppData\Local\Temp\e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\k04062.exec:\k04062.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\ntnbbt.exec:\ntnbbt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\26086.exec:\26086.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\xxllflr.exec:\xxllflr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\8202446.exec:\8202446.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\1lflrlx.exec:\1lflrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\i208008.exec:\i208008.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\82080.exec:\82080.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\nhbhtt.exec:\nhbhtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\20828.exec:\20828.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\6080246.exec:\6080246.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\pjpdj.exec:\pjpdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\xrflrxl.exec:\xrflrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\k08062.exec:\k08062.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\268468.exec:\268468.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\nhhnhh.exec:\nhhnhh.exe17⤵
- Executes dropped EXE
PID:2924 -
\??\c:\nhnntt.exec:\nhnntt.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
\??\c:\m4846.exec:\m4846.exe19⤵
- Executes dropped EXE
PID:2772 -
\??\c:\xrflxxr.exec:\xrflxxr.exe20⤵
- Executes dropped EXE
PID:796 -
\??\c:\8806844.exec:\8806844.exe21⤵
- Executes dropped EXE
PID:1772 -
\??\c:\642866.exec:\642866.exe22⤵
- Executes dropped EXE
PID:808 -
\??\c:\7htbnn.exec:\7htbnn.exe23⤵
- Executes dropped EXE
PID:1324 -
\??\c:\1bthnt.exec:\1bthnt.exe24⤵
- Executes dropped EXE
PID:1700 -
\??\c:\k86844.exec:\k86844.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556 -
\??\c:\2602842.exec:\2602842.exe26⤵
- Executes dropped EXE
PID:1976 -
\??\c:\268846.exec:\268846.exe27⤵
- Executes dropped EXE
PID:2552 -
\??\c:\u644280.exec:\u644280.exe28⤵
- Executes dropped EXE
PID:2040 -
\??\c:\pjdjv.exec:\pjdjv.exe29⤵
- Executes dropped EXE
PID:2144 -
\??\c:\hnhnhh.exec:\hnhnhh.exe30⤵
- Executes dropped EXE
PID:888 -
\??\c:\tnhhtt.exec:\tnhhtt.exe31⤵
- Executes dropped EXE
PID:2760 -
\??\c:\8206880.exec:\8206880.exe32⤵
- Executes dropped EXE
PID:1580 -
\??\c:\ffxfllr.exec:\ffxfllr.exe33⤵
- Executes dropped EXE
PID:2388 -
\??\c:\3jppv.exec:\3jppv.exe34⤵
- Executes dropped EXE
PID:2504 -
\??\c:\0424022.exec:\0424022.exe35⤵
- Executes dropped EXE
PID:2768 -
\??\c:\48280.exec:\48280.exe36⤵
- Executes dropped EXE
PID:2508 -
\??\c:\m4240.exec:\m4240.exe37⤵
- Executes dropped EXE
PID:2816 -
\??\c:\202400.exec:\202400.exe38⤵
- Executes dropped EXE
PID:2824 -
\??\c:\04286.exec:\04286.exe39⤵
- Executes dropped EXE
PID:2140 -
\??\c:\64280.exec:\64280.exe40⤵
- Executes dropped EXE
PID:2792 -
\??\c:\jvvdv.exec:\jvvdv.exe41⤵
- Executes dropped EXE
PID:2836 -
\??\c:\m0882.exec:\m0882.exe42⤵
- Executes dropped EXE
PID:2844 -
\??\c:\020086.exec:\020086.exe43⤵
- Executes dropped EXE
PID:2692 -
\??\c:\404008.exec:\404008.exe44⤵
- Executes dropped EXE
PID:2796 -
\??\c:\646688.exec:\646688.exe45⤵
- Executes dropped EXE
PID:1612 -
\??\c:\e64626.exec:\e64626.exe46⤵
- Executes dropped EXE
PID:3028 -
\??\c:\nhbnth.exec:\nhbnth.exe47⤵
- Executes dropped EXE
PID:1532 -
\??\c:\5rlrxxf.exec:\5rlrxxf.exe48⤵
- Executes dropped EXE
PID:784 -
\??\c:\m4228.exec:\m4228.exe49⤵
- Executes dropped EXE
PID:1616 -
\??\c:\42246.exec:\42246.exe50⤵
- Executes dropped EXE
PID:2960 -
\??\c:\u024268.exec:\u024268.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
\??\c:\0484220.exec:\0484220.exe52⤵
- Executes dropped EXE
PID:2112 -
\??\c:\xrxflff.exec:\xrxflff.exe53⤵
- Executes dropped EXE
PID:2488 -
\??\c:\nnhnhn.exec:\nnhnhn.exe54⤵
- Executes dropped EXE
PID:1728 -
\??\c:\8204064.exec:\8204064.exe55⤵
- Executes dropped EXE
PID:1964 -
\??\c:\vddjj.exec:\vddjj.exe56⤵
- Executes dropped EXE
PID:1496 -
\??\c:\m2602.exec:\m2602.exe57⤵
- Executes dropped EXE
PID:1132 -
\??\c:\dpdjp.exec:\dpdjp.exe58⤵
- Executes dropped EXE
PID:680 -
\??\c:\bbhnhb.exec:\bbhnhb.exe59⤵
- Executes dropped EXE
PID:1320 -
\??\c:\2606446.exec:\2606446.exe60⤵
- Executes dropped EXE
PID:1484 -
\??\c:\nhhnbn.exec:\nhhnbn.exe61⤵
- Executes dropped EXE
PID:1676 -
\??\c:\jdjpd.exec:\jdjpd.exe62⤵
- Executes dropped EXE
PID:1696 -
\??\c:\7dvjp.exec:\7dvjp.exe63⤵
- Executes dropped EXE
PID:1344 -
\??\c:\424644.exec:\424644.exe64⤵
- Executes dropped EXE
PID:1648 -
\??\c:\hthbhb.exec:\hthbhb.exe65⤵
- Executes dropped EXE
PID:1272 -
\??\c:\2848686.exec:\2848686.exe66⤵PID:2520
-
\??\c:\5rlxlxr.exec:\5rlxlxr.exe67⤵PID:2132
-
\??\c:\nnhtbh.exec:\nnhtbh.exe68⤵PID:1640
-
\??\c:\3rfffxf.exec:\3rfffxf.exe69⤵PID:872
-
\??\c:\u688428.exec:\u688428.exe70⤵PID:828
-
\??\c:\8688044.exec:\8688044.exe71⤵PID:1028
-
\??\c:\djddd.exec:\djddd.exe72⤵PID:2760
-
\??\c:\dpvvv.exec:\dpvvv.exe73⤵PID:2640
-
\??\c:\1bnbnn.exec:\1bnbnn.exe74⤵PID:2064
-
\??\c:\dvdjp.exec:\dvdjp.exe75⤵PID:2300
-
\??\c:\9xllrrx.exec:\9xllrrx.exe76⤵PID:2196
-
\??\c:\bbthbb.exec:\bbthbb.exe77⤵PID:2784
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe78⤵PID:2900
-
\??\c:\206666.exec:\206666.exe79⤵PID:1780
-
\??\c:\jjvvv.exec:\jjvvv.exe80⤵PID:2712
-
\??\c:\w40682.exec:\w40682.exe81⤵PID:2800
-
\??\c:\60028.exec:\60028.exe82⤵PID:2912
-
\??\c:\pvddj.exec:\pvddj.exe83⤵PID:2680
-
\??\c:\xlxxrxx.exec:\xlxxrxx.exe84⤵PID:2872
-
\??\c:\0822884.exec:\0822884.exe85⤵PID:2312
-
\??\c:\468800.exec:\468800.exe86⤵PID:2920
-
\??\c:\5hnhbb.exec:\5hnhbb.exe87⤵PID:2240
-
\??\c:\1ntnhb.exec:\1ntnhb.exe88⤵PID:2296
-
\??\c:\hhttnh.exec:\hhttnh.exe89⤵PID:1652
-
\??\c:\642844.exec:\642844.exe90⤵
- System Location Discovery: System Language Discovery
PID:1856 -
\??\c:\bntnnh.exec:\bntnnh.exe91⤵PID:3056
-
\??\c:\i644666.exec:\i644666.exe92⤵PID:2956
-
\??\c:\rrrxflx.exec:\rrrxflx.exe93⤵PID:2960
-
\??\c:\084022.exec:\084022.exe94⤵PID:2044
-
\??\c:\64802.exec:\64802.exe95⤵PID:760
-
\??\c:\8600842.exec:\8600842.exe96⤵PID:2348
-
\??\c:\5nnnbb.exec:\5nnnbb.exe97⤵PID:1732
-
\??\c:\008062.exec:\008062.exe98⤵PID:1100
-
\??\c:\xfrfrrl.exec:\xfrfrrl.exe99⤵PID:1072
-
\??\c:\tnhtbn.exec:\tnhtbn.exe100⤵PID:2856
-
\??\c:\648462.exec:\648462.exe101⤵PID:696
-
\??\c:\826800.exec:\826800.exe102⤵PID:1860
-
\??\c:\1pjvd.exec:\1pjvd.exe103⤵PID:2224
-
\??\c:\fllxxlx.exec:\fllxxlx.exe104⤵PID:1676
-
\??\c:\864406.exec:\864406.exe105⤵PID:1696
-
\??\c:\vvpvj.exec:\vvpvj.exe106⤵PID:2180
-
\??\c:\w26844.exec:\w26844.exe107⤵PID:1648
-
\??\c:\vjpdj.exec:\vjpdj.exe108⤵PID:1272
-
\??\c:\9bnbtn.exec:\9bnbtn.exe109⤵PID:2520
-
\??\c:\8402624.exec:\8402624.exe110⤵PID:2132
-
\??\c:\20842.exec:\20842.exe111⤵PID:568
-
\??\c:\488440.exec:\488440.exe112⤵PID:888
-
\??\c:\3thnbn.exec:\3thnbn.exe113⤵PID:828
-
\??\c:\hbntbb.exec:\hbntbb.exe114⤵PID:2000
-
\??\c:\o868446.exec:\o868446.exe115⤵PID:2352
-
\??\c:\7dvvv.exec:\7dvvv.exe116⤵PID:1508
-
\??\c:\ddvvj.exec:\ddvvj.exe117⤵PID:3000
-
\??\c:\7ppjj.exec:\7ppjj.exe118⤵PID:2380
-
\??\c:\8248280.exec:\8248280.exe119⤵PID:2196
-
\??\c:\rrxfrfl.exec:\rrxfrfl.exe120⤵PID:2876
-
\??\c:\442028.exec:\442028.exe121⤵PID:2976
-
\??\c:\nhbnth.exec:\nhbnth.exe122⤵PID:2824