Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted
20-01-2025 09:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe
-
Size
456KB
-
MD5
82a4e924db671a043ffd2c247cc2d2c2
-
SHA1
1f064ee11cd0adb3ade13a31a0c0233255c7c61c
-
SHA256
af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be
-
SHA512
d892e20088a46debb3e532b9b5337eb6dcc1dace7986ba8dfb47fd39400d522b2917e0ee27c87cf797213ec14dd6145ba403d7f320c5bbe1bae1e114a82fda03
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/1980-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-92-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2972-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-109-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1396-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2972-140-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1396-158-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1728-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1652-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-297-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2120-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-455-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1852-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-798-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1784-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-1035-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon 
behavioral1/memory/1548-1041-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1416-1105-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-1130-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2844-1156-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2440-1360-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2600 48662.exe 1796 5bnbnt.exe 1952 2646286.exe 2784 nnhntt.exe 2800 ntnnbh.exe 2844 7jjjv.exe 2976 604680.exe 2720 242466.exe 2804 btntht.exe 2712 e64088.exe 2972 k82800.exe 1308 xfflrxl.exe 1396 642840.exe 1848 6088888.exe 3036 9fxxxfl.exe 2028 hbnnbt.exe 1728 1dpvj.exe 1508 nhhhnt.exe 2508 xrxlrxl.exe 2148 pjdjp.exe 408 640448.exe 2672 hhbntn.exe 1340 lxxrxxx.exe 880 flxfrxf.exe 1652 dpvpj.exe 1536 20266.exe 1572 204400.exe 2196 2628888.exe 2640 9fxlrrx.exe 2488 jjvvd.exe 2776 bnhhnh.exe 2316 868400.exe 2604 5jdvj.exe 1796 1vpdj.exe 2120 3thhtb.exe 1984 vpddd.exe 2472 262622.exe 2820 e28046.exe 1156 5jjjv.exe 2228 jdvjp.exe 2432 s6006.exe 1372 tbtbhh.exe 2864 82620.exe 2968 xxflxlx.exe 2768 k66688.exe 2436 dddjp.exe 1248 o224280.exe 2896 rrflxxr.exe 3056 5nhnbt.exe 2908 bbbttt.exe 3008 44420.exe 2868 tnntht.exe 2144 thbbhb.exe 2372 ddvdj.exe 2556 0484842.exe 1852 04668.exe 1792 llfrlrx.exe 2304 22260.exe 1788 rxfxxfx.exe 1944 nbnttb.exe 1032 thbbhb.exe 1912 dvjpv.exe 1988 0802686.exe 2200 6828606.exe -
resource yara_rule behavioral1/memory/1980-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-280-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2776-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-1035-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/1080-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-1062-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-1131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-1157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2752-1184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-1203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-1283-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2488446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0484068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o688440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lflrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbthn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1980 wrote to memory of 2600 1980 af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe 30 PID 1980 wrote to memory of 2600 1980 af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe 30 PID 1980 wrote to memory of 2600 1980 af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe 30 PID 1980 wrote to memory of 2600 1980 af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe 30 PID 2600 wrote to memory of 1796 2600 48662.exe 31 PID 2600 wrote to memory of 1796 2600 48662.exe 31 PID 2600 wrote to memory of 1796 2600 48662.exe 31 PID 2600 wrote to memory of 1796 2600 48662.exe 31 PID 1796 wrote to memory of 1952 1796 5bnbnt.exe 32 PID 1796 wrote to memory of 1952 1796 5bnbnt.exe 32 PID 1796 wrote to memory of 1952 1796 5bnbnt.exe 32 PID 1796 wrote to memory of 1952 1796 5bnbnt.exe 32 PID 1952 wrote to memory of 2784 1952 2646286.exe 33 PID 1952 wrote to memory of 2784 1952 2646286.exe 33 PID 1952 wrote to memory of 2784 1952 2646286.exe 33 PID 1952 wrote to memory of 2784 1952 2646286.exe 33 PID 2784 wrote to memory of 2800 2784 nnhntt.exe 34 PID 2784 wrote to memory of 2800 2784 nnhntt.exe 34 PID 2784 wrote to memory of 2800 2784 nnhntt.exe 34 PID 2784 wrote to memory of 2800 2784 nnhntt.exe 34 PID 2800 wrote to memory of 2844 2800 ntnnbh.exe 35 PID 2800 wrote to memory of 2844 2800 ntnnbh.exe 35 PID 2800 wrote to memory of 2844 2800 ntnnbh.exe 35 PID 2800 wrote to memory of 2844 2800 ntnnbh.exe 35 PID 2844 wrote to memory of 2976 2844 7jjjv.exe 36 PID 2844 wrote to memory of 2976 2844 7jjjv.exe 36 PID 2844 wrote to memory of 2976 2844 7jjjv.exe 36 PID 2844 wrote to memory of 2976 2844 7jjjv.exe 36 PID 2976 wrote to memory of 2720 2976 604680.exe 37 PID 2976 wrote to memory of 2720 2976 604680.exe 37 PID 2976 wrote to memory of 2720 2976 604680.exe 37 PID 2976 wrote to memory of 2720 2976 604680.exe 37 PID 2720 wrote to memory of 2804 2720 242466.exe 38 PID 2720 wrote to 
memory of 2804 2720 242466.exe 38 PID 2720 wrote to memory of 2804 2720 242466.exe 38 PID 2720 wrote to memory of 2804 2720 242466.exe 38 PID 2804 wrote to memory of 2712 2804 btntht.exe 39 PID 2804 wrote to memory of 2712 2804 btntht.exe 39 PID 2804 wrote to memory of 2712 2804 btntht.exe 39 PID 2804 wrote to memory of 2712 2804 btntht.exe 39 PID 2712 wrote to memory of 2972 2712 e64088.exe 40 PID 2712 wrote to memory of 2972 2712 e64088.exe 40 PID 2712 wrote to memory of 2972 2712 e64088.exe 40 PID 2712 wrote to memory of 2972 2712 e64088.exe 40 PID 2972 wrote to memory of 1308 2972 k82800.exe 41 PID 2972 wrote to memory of 1308 2972 k82800.exe 41 PID 2972 wrote to memory of 1308 2972 k82800.exe 41 PID 2972 wrote to memory of 1308 2972 k82800.exe 41 PID 1308 wrote to memory of 1396 1308 xfflrxl.exe 42 PID 1308 wrote to memory of 1396 1308 xfflrxl.exe 42 PID 1308 wrote to memory of 1396 1308 xfflrxl.exe 42 PID 1308 wrote to memory of 1396 1308 xfflrxl.exe 42 PID 1396 wrote to memory of 1848 1396 642840.exe 43 PID 1396 wrote to memory of 1848 1396 642840.exe 43 PID 1396 wrote to memory of 1848 1396 642840.exe 43 PID 1396 wrote to memory of 1848 1396 642840.exe 43 PID 1848 wrote to memory of 3036 1848 6088888.exe 44 PID 1848 wrote to memory of 3036 1848 6088888.exe 44 PID 1848 wrote to memory of 3036 1848 6088888.exe 44 PID 1848 wrote to memory of 3036 1848 6088888.exe 44 PID 3036 wrote to memory of 2028 3036 9fxxxfl.exe 45 PID 3036 wrote to memory of 2028 3036 9fxxxfl.exe 45 PID 3036 wrote to memory of 2028 3036 9fxxxfl.exe 45 PID 3036 wrote to memory of 2028 3036 9fxxxfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe"C:\Users\Admin\AppData\Local\Temp\af506e5239b196f3429224c4e6cb863d306702a1637fc2acab954a897922f2be.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\48662.exec:\48662.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\5bnbnt.exec:\5bnbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\2646286.exec:\2646286.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\nnhntt.exec:\nnhntt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\ntnnbh.exec:\ntnnbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\7jjjv.exec:\7jjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\604680.exec:\604680.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\242466.exec:\242466.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\btntht.exec:\btntht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\e64088.exec:\e64088.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\k82800.exec:\k82800.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\xfflrxl.exec:\xfflrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\642840.exec:\642840.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\6088888.exec:\6088888.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\9fxxxfl.exec:\9fxxxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\hbnnbt.exec:\hbnnbt.exe17⤵
- Executes dropped EXE
PID:2028 -
\??\c:\1dpvj.exec:\1dpvj.exe18⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nhhhnt.exec:\nhhhnt.exe19⤵
- Executes dropped EXE
PID:1508 -
\??\c:\xrxlrxl.exec:\xrxlrxl.exe20⤵
- Executes dropped EXE
PID:2508 -
\??\c:\pjdjp.exec:\pjdjp.exe21⤵
- Executes dropped EXE
PID:2148 -
\??\c:\640448.exec:\640448.exe22⤵
- Executes dropped EXE
PID:408 -
\??\c:\hhbntn.exec:\hhbntn.exe23⤵
- Executes dropped EXE
PID:2672 -
\??\c:\lxxrxxx.exec:\lxxrxxx.exe24⤵
- Executes dropped EXE
PID:1340 -
\??\c:\flxfrxf.exec:\flxfrxf.exe25⤵
- Executes dropped EXE
PID:880 -
\??\c:\dpvpj.exec:\dpvpj.exe26⤵
- Executes dropped EXE
PID:1652 -
\??\c:\20266.exec:\20266.exe27⤵
- Executes dropped EXE
PID:1536 -
\??\c:\204400.exec:\204400.exe28⤵
- Executes dropped EXE
PID:1572 -
\??\c:\2628888.exec:\2628888.exe29⤵
- Executes dropped EXE
PID:2196 -
\??\c:\9fxlrrx.exec:\9fxlrrx.exe30⤵
- Executes dropped EXE
PID:2640 -
\??\c:\jjvvd.exec:\jjvvd.exe31⤵
- Executes dropped EXE
PID:2488 -
\??\c:\bnhhnh.exec:\bnhhnh.exe32⤵
- Executes dropped EXE
PID:2776 -
\??\c:\868400.exec:\868400.exe33⤵
- Executes dropped EXE
PID:2316 -
\??\c:\5jdvj.exec:\5jdvj.exe34⤵
- Executes dropped EXE
PID:2604 -
\??\c:\1vpdj.exec:\1vpdj.exe35⤵
- Executes dropped EXE
PID:1796 -
\??\c:\3thhtb.exec:\3thhtb.exe36⤵
- Executes dropped EXE
PID:2120 -
\??\c:\vpddd.exec:\vpddd.exe37⤵
- Executes dropped EXE
PID:1984 -
\??\c:\262622.exec:\262622.exe38⤵
- Executes dropped EXE
PID:2472 -
\??\c:\e28046.exec:\e28046.exe39⤵
- Executes dropped EXE
PID:2820 -
\??\c:\5jjjv.exec:\5jjjv.exe40⤵
- Executes dropped EXE
PID:1156 -
\??\c:\jdvjp.exec:\jdvjp.exe41⤵
- Executes dropped EXE
PID:2228 -
\??\c:\s6006.exec:\s6006.exe42⤵
- Executes dropped EXE
PID:2432 -
\??\c:\tbtbhh.exec:\tbtbhh.exe43⤵
- Executes dropped EXE
PID:1372 -
\??\c:\82620.exec:\82620.exe44⤵
- Executes dropped EXE
PID:2864 -
\??\c:\xxflxlx.exec:\xxflxlx.exe45⤵
- Executes dropped EXE
PID:2968 -
\??\c:\k66688.exec:\k66688.exe46⤵
- Executes dropped EXE
PID:2768 -
\??\c:\dddjp.exec:\dddjp.exe47⤵
- Executes dropped EXE
PID:2436 -
\??\c:\o224280.exec:\o224280.exe48⤵
- Executes dropped EXE
PID:1248 -
\??\c:\rrflxxr.exec:\rrflxxr.exe49⤵
- Executes dropped EXE
PID:2896 -
\??\c:\5nhnbt.exec:\5nhnbt.exe50⤵
- Executes dropped EXE
PID:3056 -
\??\c:\bbbttt.exec:\bbbttt.exe51⤵
- Executes dropped EXE
PID:2908 -
\??\c:\44420.exec:\44420.exe52⤵
- Executes dropped EXE
PID:3008 -
\??\c:\tnntht.exec:\tnntht.exe53⤵
- Executes dropped EXE
PID:2868 -
\??\c:\thbbhb.exec:\thbbhb.exe54⤵
- Executes dropped EXE
PID:2144 -
\??\c:\ddvdj.exec:\ddvdj.exe55⤵
- Executes dropped EXE
PID:2372 -
\??\c:\0484842.exec:\0484842.exe56⤵
- Executes dropped EXE
PID:2556 -
\??\c:\04668.exec:\04668.exe57⤵
- Executes dropped EXE
PID:1852 -
\??\c:\llfrlrx.exec:\llfrlrx.exe58⤵
- Executes dropped EXE
PID:1792 -
\??\c:\22260.exec:\22260.exe59⤵
- Executes dropped EXE
PID:2304 -
\??\c:\rxfxxfx.exec:\rxfxxfx.exe60⤵
- Executes dropped EXE
PID:1788 -
\??\c:\nbnttb.exec:\nbnttb.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1944 -
\??\c:\thbbhb.exec:\thbbhb.exe62⤵
- Executes dropped EXE
PID:1032 -
\??\c:\dvjpv.exec:\dvjpv.exe63⤵
- Executes dropped EXE
PID:1912 -
\??\c:\0802686.exec:\0802686.exe64⤵
- Executes dropped EXE
PID:1988 -
\??\c:\6828606.exec:\6828606.exe65⤵
- Executes dropped EXE
PID:2200 -
\??\c:\20688.exec:\20688.exe66⤵PID:1636
-
\??\c:\2602402.exec:\2602402.exe67⤵PID:2220
-
\??\c:\pdjdd.exec:\pdjdd.exe68⤵PID:1572
-
\??\c:\hhntth.exec:\hhntth.exe69⤵PID:2196
-
\??\c:\82024.exec:\82024.exe70⤵PID:2232
-
\??\c:\820668.exec:\820668.exe71⤵PID:2248
-
\??\c:\ntnbht.exec:\ntnbht.exe72⤵PID:2336
-
\??\c:\dvpvd.exec:\dvpvd.exe73⤵PID:888
-
\??\c:\448600.exec:\448600.exe74⤵PID:2040
-
\??\c:\thttbb.exec:\thttbb.exe75⤵PID:2444
-
\??\c:\5fxlllx.exec:\5fxlllx.exe76⤵PID:1416
-
\??\c:\7rrrllx.exec:\7rrrllx.exe77⤵PID:1588
-
\??\c:\xrffrfl.exec:\xrffrfl.exe78⤵PID:2124
-
\??\c:\bthnhn.exec:\bthnhn.exe79⤵
- System Location Discovery: System Language Discovery
PID:1600 -
\??\c:\06682.exec:\06682.exe80⤵PID:580
-
\??\c:\tbtthn.exec:\tbtthn.exe81⤵PID:2948
-
\??\c:\820206.exec:\820206.exe82⤵PID:2268
-
\??\c:\1xlrxfl.exec:\1xlrxfl.exe83⤵PID:2844
-
\??\c:\vvvvd.exec:\vvvvd.exe84⤵PID:2888
-
\??\c:\i828020.exec:\i828020.exe85⤵PID:576
-
\??\c:\5rrrxfr.exec:\5rrrxfr.exe86⤵PID:2964
-
\??\c:\26068.exec:\26068.exe87⤵PID:2724
-
\??\c:\dvpdj.exec:\dvpdj.exe88⤵PID:1648
-
\??\c:\djdpd.exec:\djdpd.exe89⤵PID:2736
-
\??\c:\7bbtht.exec:\7bbtht.exe90⤵PID:2520
-
\??\c:\q20628.exec:\q20628.exe91⤵PID:1308
-
\??\c:\202840.exec:\202840.exe92⤵PID:1900
-
\??\c:\444084.exec:\444084.exe93⤵PID:2680
-
\??\c:\8206402.exec:\8206402.exe94⤵PID:612
-
\??\c:\s6482.exec:\s6482.exe95⤵PID:1820
-
\??\c:\rfffrrr.exec:\rfffrrr.exe96⤵PID:768
-
\??\c:\jjjpd.exec:\jjjpd.exe97⤵PID:3040
-
\??\c:\2680246.exec:\2680246.exe98⤵PID:1552
-
\??\c:\pjvdp.exec:\pjvdp.exe99⤵PID:2568
-
\??\c:\g6882.exec:\g6882.exe100⤵PID:1224
-
\??\c:\vvjdd.exec:\vvjdd.exe101⤵PID:2152
-
\??\c:\22624.exec:\22624.exe102⤵
- System Location Discovery: System Language Discovery
PID:2088 -
\??\c:\0284002.exec:\0284002.exe103⤵PID:2676
-
\??\c:\8828680.exec:\8828680.exe104⤵PID:1608
-
\??\c:\602848.exec:\602848.exe105⤵PID:1996
-
\??\c:\lffrflr.exec:\lffrflr.exe106⤵PID:2012
-
\??\c:\pjjpv.exec:\pjjpv.exe107⤵PID:2016
-
\??\c:\606066.exec:\606066.exe108⤵PID:2464
-
\??\c:\5dvjp.exec:\5dvjp.exe109⤵PID:912
-
\??\c:\hbtthn.exec:\hbtthn.exe110⤵PID:2308
-
\??\c:\q22266.exec:\q22266.exe111⤵PID:1940
-
\??\c:\llflxrl.exec:\llflxrl.exe112⤵PID:1716
-
\??\c:\hbnthh.exec:\hbnthh.exe113⤵PID:2176
-
\??\c:\lxxxxrr.exec:\lxxxxrr.exe114⤵PID:1752
-
\??\c:\s8224.exec:\s8224.exe115⤵PID:2112
-
\??\c:\608062.exec:\608062.exe116⤵PID:2776
-
\??\c:\5lfrfrl.exec:\5lfrfrl.exe117⤵PID:2108
-
\??\c:\xrflrlr.exec:\xrflrlr.exe118⤵PID:1712
-
\??\c:\0484068.exec:\0484068.exe119⤵
- System Location Discovery: System Language Discovery
PID:1568 -
\??\c:\0866842.exec:\0866842.exe120⤵PID:2368
-
\??\c:\fllflrf.exec:\fllflrf.exe121⤵PID:780
-
\??\c:\ttbhbn.exec:\ttbhbn.exe122⤵PID:2988