Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
29/12/2024, 04:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe
-
Size
456KB
-
MD5
24350ba08163567ec63cd309c58e589d
-
SHA1
e9152a58dce4d2c24ee3b28761c8f98063dc0be4
-
SHA256
d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566
-
SHA512
e32bcb23d953be145151ffd06c79908aa778af1416d5152605509dfec977af64da2040704d15688e5e9be2975376d02a66133594fb997232a7041a09bce75f8b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2484-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1524-230-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/564-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-333-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2772-335-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2800-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-357-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2276-462-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/1612-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-511-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1948-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-652-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3064-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-744-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2140-916-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/1148-990-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-1003-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/280-1055-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2284-1075-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2468-1118-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2680-1206-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1944-1213-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1944-1232-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2428 rfxrxfr.exe 2180 64068.exe 2248 1rflrrf.exe 2232 080062.exe 2860 jvddj.exe 2824 k86684.exe 1772 rlxlxxl.exe 2200 tnhthn.exe 2780 08662.exe 2716 9nbbhh.exe 2544 flflxlr.exe 3060 vppvd.exe 1468 ttnbtn.exe 2532 008022.exe 2224 5rlfrrx.exe 2756 48224.exe 3000 60468.exe 1124 26404.exe 2356 1vjpv.exe 1672 hbtbnt.exe 2368 226206.exe 1588 606200.exe 1044 62204.exe 1524 26824.exe 564 hbntbh.exe 1972 bthtbt.exe 2284 08068.exe 1916 648846.exe 1316 22024.exe 884 0424620.exe 2340 xfrlrfx.exe 2592 rxrxrlx.exe 1576 8828680.exe 2400 8408860.exe 2264 s2020.exe 848 c828664.exe 2772 s8286.exe 2944 rrlfrff.exe 2800 lrllrrf.exe 2984 26064.exe 2212 vpdpv.exe 2832 5nhtbh.exe 2740 ppdpj.exe 2732 7rlrxfl.exe 2688 66644.exe 3044 3rlxlrf.exe 1296 vjppv.exe 2912 5hbhtt.exe 1620 k26224.exe 3036 4244244.exe 2548 5rrfrxl.exe 2768 88042.exe 3024 082800.exe 2276 6220444.exe 2896 c626208.exe 1152 26684.exe 2364 268468.exe 1300 q04422.exe 1612 tnhnbh.exe 1704 202862.exe 852 9ffllfx.exe 640 644028.exe 688 ttnbtb.exe 1908 886468.exe -
resource yara_rule behavioral1/memory/2484-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-252-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2340-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-333-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2800-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-462-0x0000000001C60000-0x0000000001C8A000-memory.dmp upx behavioral1/memory/1612-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-652-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2720-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-744-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/1576-843-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1624-919-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-933-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-946-0x0000000001C50000-0x0000000001C7A000-memory.dmp upx behavioral1/memory/1084-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-1004-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-1062-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-1149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-1174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-1245-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6602024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k26200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4248066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tttbb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w46606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllxxf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2484 wrote to memory of 2428 2484 d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe 30 PID 2484 wrote to memory of 2428 2484 d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe 30 PID 2484 wrote to memory of 2428 2484 d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe 30 PID 2484 wrote to memory of 2428 2484 d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe 30 PID 2428 wrote to memory of 2180 2428 rfxrxfr.exe 31 PID 2428 wrote to memory of 2180 2428 rfxrxfr.exe 31 PID 2428 wrote to memory of 2180 2428 rfxrxfr.exe 31 PID 2428 wrote to memory of 2180 2428 rfxrxfr.exe 31 PID 2180 wrote to memory of 2248 2180 64068.exe 32 PID 2180 wrote to memory of 2248 2180 64068.exe 32 PID 2180 wrote to memory of 2248 2180 64068.exe 32 PID 2180 wrote to memory of 2248 2180 64068.exe 32 PID 2248 wrote to memory of 2232 2248 1rflrrf.exe 33 PID 2248 wrote to memory of 2232 2248 1rflrrf.exe 33 PID 2248 wrote to memory of 2232 2248 1rflrrf.exe 33 PID 2248 wrote to memory of 2232 2248 1rflrrf.exe 33 PID 2232 wrote to memory of 2860 2232 080062.exe 34 PID 2232 wrote to memory of 2860 2232 080062.exe 34 PID 2232 wrote to memory of 2860 2232 080062.exe 34 PID 2232 wrote to memory of 2860 2232 080062.exe 34 PID 2860 wrote to memory of 2824 2860 jvddj.exe 35 PID 2860 wrote to memory of 2824 2860 jvddj.exe 35 PID 2860 wrote to memory of 2824 2860 jvddj.exe 35 PID 2860 wrote to memory of 2824 2860 jvddj.exe 35 PID 2824 wrote to memory of 1772 2824 k86684.exe 36 PID 2824 wrote to memory of 1772 2824 k86684.exe 36 PID 2824 wrote to memory of 1772 2824 k86684.exe 36 PID 2824 wrote to memory of 1772 2824 k86684.exe 36 PID 1772 wrote to memory of 2200 1772 rlxlxxl.exe 37 PID 1772 wrote to memory of 2200 1772 rlxlxxl.exe 37 PID 1772 wrote to memory of 2200 1772 rlxlxxl.exe 37 PID 1772 wrote to memory of 2200 1772 rlxlxxl.exe 37 PID 2200 wrote to memory of 2780 2200 tnhthn.exe 38 PID 2200 
wrote to memory of 2780 2200 tnhthn.exe 38 PID 2200 wrote to memory of 2780 2200 tnhthn.exe 38 PID 2200 wrote to memory of 2780 2200 tnhthn.exe 38 PID 2780 wrote to memory of 2716 2780 08662.exe 39 PID 2780 wrote to memory of 2716 2780 08662.exe 39 PID 2780 wrote to memory of 2716 2780 08662.exe 39 PID 2780 wrote to memory of 2716 2780 08662.exe 39 PID 2716 wrote to memory of 2544 2716 9nbbhh.exe 40 PID 2716 wrote to memory of 2544 2716 9nbbhh.exe 40 PID 2716 wrote to memory of 2544 2716 9nbbhh.exe 40 PID 2716 wrote to memory of 2544 2716 9nbbhh.exe 40 PID 2544 wrote to memory of 3060 2544 flflxlr.exe 41 PID 2544 wrote to memory of 3060 2544 flflxlr.exe 41 PID 2544 wrote to memory of 3060 2544 flflxlr.exe 41 PID 2544 wrote to memory of 3060 2544 flflxlr.exe 41 PID 3060 wrote to memory of 1468 3060 vppvd.exe 42 PID 3060 wrote to memory of 1468 3060 vppvd.exe 42 PID 3060 wrote to memory of 1468 3060 vppvd.exe 42 PID 3060 wrote to memory of 1468 3060 vppvd.exe 42 PID 1468 wrote to memory of 2532 1468 ttnbtn.exe 43 PID 1468 wrote to memory of 2532 1468 ttnbtn.exe 43 PID 1468 wrote to memory of 2532 1468 ttnbtn.exe 43 PID 1468 wrote to memory of 2532 1468 ttnbtn.exe 43 PID 2532 wrote to memory of 2224 2532 008022.exe 44 PID 2532 wrote to memory of 2224 2532 008022.exe 44 PID 2532 wrote to memory of 2224 2532 008022.exe 44 PID 2532 wrote to memory of 2224 2532 008022.exe 44 PID 2224 wrote to memory of 2756 2224 5rlfrrx.exe 45 PID 2224 wrote to memory of 2756 2224 5rlfrrx.exe 45 PID 2224 wrote to memory of 2756 2224 5rlfrrx.exe 45 PID 2224 wrote to memory of 2756 2224 5rlfrrx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe"C:\Users\Admin\AppData\Local\Temp\d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\rfxrxfr.exec:\rfxrxfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\64068.exec:\64068.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\1rflrrf.exec:\1rflrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\080062.exec:\080062.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\jvddj.exec:\jvddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\k86684.exec:\k86684.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\rlxlxxl.exec:\rlxlxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\tnhthn.exec:\tnhthn.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\08662.exec:\08662.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\9nbbhh.exec:\9nbbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\flflxlr.exec:\flflxlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\vppvd.exec:\vppvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\ttnbtn.exec:\ttnbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\008022.exec:\008022.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\5rlfrrx.exec:\5rlfrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\48224.exec:\48224.exe17⤵
- Executes dropped EXE
PID:2756 -
\??\c:\60468.exec:\60468.exe18⤵
- Executes dropped EXE
PID:3000 -
\??\c:\26404.exec:\26404.exe19⤵
- Executes dropped EXE
PID:1124 -
\??\c:\1vjpv.exec:\1vjpv.exe20⤵
- Executes dropped EXE
PID:2356 -
\??\c:\hbtbnt.exec:\hbtbnt.exe21⤵
- Executes dropped EXE
PID:1672 -
\??\c:\226206.exec:\226206.exe22⤵
- Executes dropped EXE
PID:2368 -
\??\c:\606200.exec:\606200.exe23⤵
- Executes dropped EXE
PID:1588 -
\??\c:\62204.exec:\62204.exe24⤵
- Executes dropped EXE
PID:1044 -
\??\c:\26824.exec:\26824.exe25⤵
- Executes dropped EXE
PID:1524 -
\??\c:\hbntbh.exec:\hbntbh.exe26⤵
- Executes dropped EXE
PID:564 -
\??\c:\bthtbt.exec:\bthtbt.exe27⤵
- Executes dropped EXE
PID:1972 -
\??\c:\08068.exec:\08068.exe28⤵
- Executes dropped EXE
PID:2284 -
\??\c:\648846.exec:\648846.exe29⤵
- Executes dropped EXE
PID:1916 -
\??\c:\22024.exec:\22024.exe30⤵
- Executes dropped EXE
PID:1316 -
\??\c:\0424620.exec:\0424620.exe31⤵
- Executes dropped EXE
PID:884 -
\??\c:\xfrlrfx.exec:\xfrlrfx.exe32⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rxrxrlx.exec:\rxrxrlx.exe33⤵
- Executes dropped EXE
PID:2592 -
\??\c:\8828680.exec:\8828680.exe34⤵
- Executes dropped EXE
PID:1576 -
\??\c:\8408860.exec:\8408860.exe35⤵
- Executes dropped EXE
PID:2400 -
\??\c:\s2020.exec:\s2020.exe36⤵
- Executes dropped EXE
PID:2264 -
\??\c:\c828664.exec:\c828664.exe37⤵
- Executes dropped EXE
PID:848 -
\??\c:\s8286.exec:\s8286.exe38⤵
- Executes dropped EXE
PID:2772 -
\??\c:\rrlfrff.exec:\rrlfrff.exe39⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lrllrrf.exec:\lrllrrf.exe40⤵
- Executes dropped EXE
PID:2800 -
\??\c:\26064.exec:\26064.exe41⤵
- Executes dropped EXE
PID:2984 -
\??\c:\vpdpv.exec:\vpdpv.exe42⤵
- Executes dropped EXE
PID:2212 -
\??\c:\5nhtbh.exec:\5nhtbh.exe43⤵
- Executes dropped EXE
PID:2832 -
\??\c:\ppdpj.exec:\ppdpj.exe44⤵
- Executes dropped EXE
PID:2740 -
\??\c:\7rlrxfl.exec:\7rlrxfl.exe45⤵
- Executes dropped EXE
PID:2732 -
\??\c:\66644.exec:\66644.exe46⤵
- Executes dropped EXE
PID:2688 -
\??\c:\3rlxlrf.exec:\3rlxlrf.exe47⤵
- Executes dropped EXE
PID:3044 -
\??\c:\vjppv.exec:\vjppv.exe48⤵
- Executes dropped EXE
PID:1296 -
\??\c:\5hbhtt.exec:\5hbhtt.exe49⤵
- Executes dropped EXE
PID:2912 -
\??\c:\k26224.exec:\k26224.exe50⤵
- Executes dropped EXE
PID:1620 -
\??\c:\4244244.exec:\4244244.exe51⤵
- Executes dropped EXE
PID:3036 -
\??\c:\5rrfrxl.exec:\5rrfrxl.exe52⤵
- Executes dropped EXE
PID:2548 -
\??\c:\88042.exec:\88042.exe53⤵
- Executes dropped EXE
PID:2768 -
\??\c:\082800.exec:\082800.exe54⤵
- Executes dropped EXE
PID:3024 -
\??\c:\6220444.exec:\6220444.exe55⤵
- Executes dropped EXE
PID:2276 -
\??\c:\c626208.exec:\c626208.exe56⤵
- Executes dropped EXE
PID:2896 -
\??\c:\26684.exec:\26684.exe57⤵
- Executes dropped EXE
PID:1152 -
\??\c:\268468.exec:\268468.exe58⤵
- Executes dropped EXE
PID:2364 -
\??\c:\q04422.exec:\q04422.exe59⤵
- Executes dropped EXE
PID:1300 -
\??\c:\tnhnbh.exec:\tnhnbh.exe60⤵
- Executes dropped EXE
PID:1612 -
\??\c:\202862.exec:\202862.exe61⤵
- Executes dropped EXE
PID:1704 -
\??\c:\9ffllfx.exec:\9ffllfx.exe62⤵
- Executes dropped EXE
PID:852 -
\??\c:\644028.exec:\644028.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:640 -
\??\c:\ttnbtb.exec:\ttnbtb.exe64⤵
- Executes dropped EXE
PID:688 -
\??\c:\886468.exec:\886468.exe65⤵
- Executes dropped EXE
PID:1908 -
\??\c:\a0402.exec:\a0402.exe66⤵PID:804
-
\??\c:\3llrflx.exec:\3llrflx.exe67⤵PID:2612
-
\??\c:\82464.exec:\82464.exe68⤵PID:1948
-
\??\c:\ppjdp.exec:\ppjdp.exe69⤵PID:1512
-
\??\c:\vpddv.exec:\vpddv.exe70⤵PID:1552
-
\??\c:\pjdjd.exec:\pjdjd.exe71⤵PID:2736
-
\??\c:\8426420.exec:\8426420.exe72⤵PID:324
-
\??\c:\dvjpd.exec:\dvjpd.exe73⤵PID:1252
-
\??\c:\004084.exec:\004084.exe74⤵PID:1720
-
\??\c:\ppdjp.exec:\ppdjp.exe75⤵PID:2484
-
\??\c:\222802.exec:\222802.exe76⤵PID:1572
-
\??\c:\2646802.exec:\2646802.exe77⤵PID:2156
-
\??\c:\420688.exec:\420688.exe78⤵PID:2432
-
\??\c:\8206880.exec:\8206880.exe79⤵PID:2856
-
\??\c:\flrxrrl.exec:\flrxrrl.exe80⤵PID:2240
-
\??\c:\jjvjd.exec:\jjvjd.exe81⤵PID:2772
-
\??\c:\nnhnbt.exec:\nnhnbt.exe82⤵PID:2792
-
\??\c:\606688.exec:\606688.exe83⤵PID:2800
-
\??\c:\ntttth.exec:\ntttth.exe84⤵PID:2984
-
\??\c:\5dvjp.exec:\5dvjp.exe85⤵PID:2996
-
\??\c:\2802088.exec:\2802088.exe86⤵PID:2724
-
\??\c:\04228.exec:\04228.exe87⤵PID:2540
-
\??\c:\vvjjv.exec:\vvjjv.exe88⤵PID:2980
-
\??\c:\lfllrrr.exec:\lfllrrr.exe89⤵PID:2720
-
\??\c:\9djjj.exec:\9djjj.exe90⤵PID:1284
-
\??\c:\rlffrlx.exec:\rlffrlx.exe91⤵PID:3060
-
\??\c:\2022866.exec:\2022866.exe92⤵PID:2516
-
\??\c:\ttntnn.exec:\ttntnn.exe93⤵PID:3064
-
\??\c:\xfrlfrf.exec:\xfrlfrf.exe94⤵PID:3008
-
\??\c:\064028.exec:\064028.exe95⤵PID:2224
-
\??\c:\082844.exec:\082844.exe96⤵PID:2768
-
\??\c:\44246.exec:\44246.exe97⤵PID:2904
-
\??\c:\6602024.exec:\6602024.exe98⤵
- System Location Discovery: System Language Discovery
PID:1752 -
\??\c:\9nhntb.exec:\9nhntb.exe99⤵PID:2764
-
\??\c:\u424664.exec:\u424664.exe100⤵PID:2256
-
\??\c:\642888.exec:\642888.exe101⤵PID:1304
-
\??\c:\888082.exec:\888082.exe102⤵PID:468
-
\??\c:\hbbnbb.exec:\hbbnbb.exe103⤵PID:2368
-
\??\c:\ttbhhn.exec:\ttbhhn.exe104⤵PID:1704
-
\??\c:\g0280.exec:\g0280.exe105⤵PID:828
-
\??\c:\u624800.exec:\u624800.exe106⤵PID:2304
-
\??\c:\vjdjj.exec:\vjdjj.exe107⤵PID:1636
-
\??\c:\xrfrffx.exec:\xrfrffx.exe108⤵PID:1092
-
\??\c:\hbnbhh.exec:\hbnbhh.exe109⤵PID:564
-
\??\c:\42440.exec:\42440.exe110⤵PID:1700
-
\??\c:\nbnhhh.exec:\nbnhhh.exe111⤵PID:2624
-
\??\c:\2646884.exec:\2646884.exe112⤵PID:1192
-
\??\c:\nbhhnn.exec:\nbhhnn.exe113⤵PID:2628
-
\??\c:\m0284.exec:\m0284.exe114⤵PID:2124
-
\??\c:\6088468.exec:\6088468.exe115⤵PID:304
-
\??\c:\ppjvp.exec:\ppjvp.exe116⤵PID:2496
-
\??\c:\7htntt.exec:\7htntt.exe117⤵PID:2340
-
\??\c:\m4628.exec:\m4628.exe118⤵PID:2460
-
\??\c:\7frfrxr.exec:\7frfrxr.exe119⤵PID:1576
-
\??\c:\9vjjv.exec:\9vjjv.exe120⤵PID:2260
-
\??\c:\nhtttt.exec:\nhtttt.exe121⤵PID:2776
-
\??\c:\pjvjp.exec:\pjvjp.exe122⤵PID:2760