Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18-12-2024 23:04
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe
-
Size
347KB
-
MD5
d39d1a14153143d31d0dbd9acad218e4
-
SHA1
7a4b7e3ca8a43a40ced6601fb98aecd6d742f2af
-
SHA256
e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3
-
SHA512
2127321eef7ce5afcf18231c2a5eb35a87cbe1d70ee839a6af41206d4faa4c13418fa6d0517bef71e923722d748a30dbb6bae2b1d6a88534e2a5bd279c28d7bc
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAu:l7TcbWXZshJX2VGdu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/2236-10-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2500-26-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2484-49-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1480-45-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2064-35-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2668-65-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2728-83-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2748-104-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2664-100-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2620-120-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/344-140-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1328-138-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1148-156-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/324-173-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1628-185-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/684-203-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2464-200-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1532-239-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2136-255-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1044-252-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2476-266-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon 
behavioral1/memory/872-275-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2476-271-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1908-293-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1580-311-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2492-337-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2244-362-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2604-376-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2160-402-0x00000000003C0000-0x00000000003E8000-memory.dmp family_blackmoon behavioral1/memory/2160-401-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1156-475-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1660-493-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1764-506-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1764-527-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/872-552-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2308-584-0x0000000000430000-0x0000000000458000-memory.dmp family_blackmoon behavioral1/memory/2308-603-0x0000000000430000-0x0000000000458000-memory.dmp family_blackmoon behavioral1/memory/2676-637-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2676-638-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2636-701-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2636-720-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1236-739-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon 
behavioral1/memory/1312-777-0x0000000000430000-0x0000000000458000-memory.dmp family_blackmoon behavioral1/memory/300-785-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2532-798-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2532-799-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1492-804-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2656-810-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2656-817-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2496-827-0x0000000000430000-0x0000000000458000-memory.dmp family_blackmoon behavioral1/memory/2660-838-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1580-841-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2708-901-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/3020-938-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1708-970-0x00000000002B0000-0x00000000002D8000-memory.dmp family_blackmoon behavioral1/memory/2124-1009-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/980-1042-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2100 7rfxrlf.exe 2500 4464286.exe 2064 bnnnhn.exe 1480 1lxxllr.exe 2484 c086066.exe 2668 5lxlrrx.exe 2776 644424.exe 2728 btnbnt.exe 2936 o480282.exe 2664 m8008.exe 2748 4480402.exe 2620 ntnhtt.exe 3020 c824280.exe 1328 q08464.exe 344 ddvjv.exe 1148 e44688.exe 1372 ppjdd.exe 324 ttthhn.exe 1904 260246.exe 1628 flrlffl.exe 2464 0462028.exe 684 0668284.exe 2768 jpdjd.exe 2380 ntthhn.exe 1576 88246.exe 1532 60408.exe 1044 82686.exe 2136 a6444.exe 2476 7hbhtb.exe 872 044462.exe 1964 62800.exe 1908 4284062.exe 2924 48408.exe 1580 fxlxffl.exe 1592 0484246.exe 1480 hbthnt.exe 2520 7tnntb.exe 2492 tbtnhh.exe 3044 nhnbth.exe 2824 8200202.exe 2212 nnntnt.exe 2244 rrfrflx.exe 2736 0080880.exe 2604 q44268.exe 2664 44620.exe 2652 5fxlrxf.exe 2572 7jdvj.exe 2160 82686.exe 2628 6266026.exe 1420 866266.exe 1896 vpjpv.exe 1992 1ppdd.exe 1440 tnhthn.exe 1688 hhntnt.exe 268 o046806.exe 2196 ppjvv.exe 1904 g8228.exe 2752 2222880.exe 1628 7jvjj.exe 1156 fxxrxlr.exe 492 xxflrfx.exe 1660 3frlrll.exe 1640 484028.exe 1764 i006468.exe -
resource yara_rule behavioral1/memory/2236-10-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2500-26-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2484-49-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1480-45-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2064-35-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2668-65-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2728-83-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2748-104-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/3020-121-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2620-120-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/344-140-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1328-138-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1148-156-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/324-173-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1628-185-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/684-203-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2464-200-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1532-239-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/2136-255-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1044-252-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/872-275-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2476-271-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1908-293-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1580-311-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/2492-337-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/2244-362-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2604-376-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2160-402-0x00000000003C0000-0x00000000003E8000-memory.dmp upx behavioral1/memory/2160-401-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1420-409-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1420-416-0x00000000002A0000-0x00000000002C8000-memory.dmp upx behavioral1/memory/1688-435-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1660-486-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1660-493-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1532-513-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/872-552-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2488-553-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2676-637-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2640-682-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/1236-739-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/1312-770-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/300-785-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1756-784-0x0000000000430000-0x0000000000458000-memory.dmp upx behavioral1/memory/2532-798-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/2532-799-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2656-810-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2656-817-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/2496-824-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/2660-838-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2708-901-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/3020-938-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1432-957-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1708-970-0x00000000002B0000-0x00000000002D8000-memory.dmp upx behavioral1/memory/2412-977-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2124-1009-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/976-1028-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o468002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0484246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8680660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 2100 2236 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 30 PID 2236 wrote to memory of 2100 2236 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 30 PID 2236 wrote to memory of 2100 2236 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 30 PID 2236 wrote to memory of 2100 2236 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 30 PID 2100 wrote to memory of 2500 2100 7rfxrlf.exe 31 PID 2100 wrote to memory of 2500 2100 7rfxrlf.exe 31 PID 2100 wrote to memory of 2500 2100 7rfxrlf.exe 31 PID 2100 wrote to memory of 2500 2100 7rfxrlf.exe 31 PID 2500 wrote to memory of 2064 2500 4464286.exe 32 PID 2500 wrote to memory of 2064 2500 4464286.exe 32 PID 2500 wrote to memory of 2064 2500 4464286.exe 32 PID 2500 wrote to memory of 2064 2500 4464286.exe 32 PID 2064 wrote to memory of 1480 2064 bnnnhn.exe 33 PID 2064 wrote to memory of 1480 2064 bnnnhn.exe 33 PID 2064 wrote to memory of 1480 2064 bnnnhn.exe 33 PID 2064 wrote to memory of 1480 2064 bnnnhn.exe 33 PID 1480 wrote to memory of 2484 1480 1lxxllr.exe 34 PID 1480 wrote to memory of 2484 1480 1lxxllr.exe 34 PID 1480 wrote to memory of 2484 1480 1lxxllr.exe 34 PID 1480 wrote to memory of 2484 1480 1lxxllr.exe 34 PID 2484 wrote to memory of 2668 2484 c086066.exe 35 PID 2484 wrote to memory of 2668 2484 c086066.exe 35 PID 2484 wrote to memory of 2668 2484 c086066.exe 35 PID 2484 wrote to memory of 2668 2484 c086066.exe 35 PID 2668 wrote to memory of 2776 2668 5lxlrrx.exe 36 PID 2668 wrote to memory of 2776 2668 5lxlrrx.exe 36 PID 2668 wrote to memory of 2776 2668 5lxlrrx.exe 36 PID 2668 wrote to memory of 2776 2668 5lxlrrx.exe 36 PID 2776 wrote to memory of 2728 2776 644424.exe 37 PID 2776 wrote to memory of 2728 2776 644424.exe 37 PID 2776 wrote to memory of 2728 2776 644424.exe 37 PID 2776 wrote to memory of 2728 2776 644424.exe 37 PID 2728 wrote to memory of 2936 2728 
btnbnt.exe 38 PID 2728 wrote to memory of 2936 2728 btnbnt.exe 38 PID 2728 wrote to memory of 2936 2728 btnbnt.exe 38 PID 2728 wrote to memory of 2936 2728 btnbnt.exe 38 PID 2936 wrote to memory of 2664 2936 o480282.exe 39 PID 2936 wrote to memory of 2664 2936 o480282.exe 39 PID 2936 wrote to memory of 2664 2936 o480282.exe 39 PID 2936 wrote to memory of 2664 2936 o480282.exe 39 PID 2664 wrote to memory of 2748 2664 m8008.exe 40 PID 2664 wrote to memory of 2748 2664 m8008.exe 40 PID 2664 wrote to memory of 2748 2664 m8008.exe 40 PID 2664 wrote to memory of 2748 2664 m8008.exe 40 PID 2748 wrote to memory of 2620 2748 4480402.exe 41 PID 2748 wrote to memory of 2620 2748 4480402.exe 41 PID 2748 wrote to memory of 2620 2748 4480402.exe 41 PID 2748 wrote to memory of 2620 2748 4480402.exe 41 PID 2620 wrote to memory of 3020 2620 ntnhtt.exe 42 PID 2620 wrote to memory of 3020 2620 ntnhtt.exe 42 PID 2620 wrote to memory of 3020 2620 ntnhtt.exe 42 PID 2620 wrote to memory of 3020 2620 ntnhtt.exe 42 PID 3020 wrote to memory of 1328 3020 c824280.exe 43 PID 3020 wrote to memory of 1328 3020 c824280.exe 43 PID 3020 wrote to memory of 1328 3020 c824280.exe 43 PID 3020 wrote to memory of 1328 3020 c824280.exe 43 PID 1328 wrote to memory of 344 1328 q08464.exe 44 PID 1328 wrote to memory of 344 1328 q08464.exe 44 PID 1328 wrote to memory of 344 1328 q08464.exe 44 PID 1328 wrote to memory of 344 1328 q08464.exe 44 PID 344 wrote to memory of 1148 344 ddvjv.exe 45 PID 344 wrote to memory of 1148 344 ddvjv.exe 45 PID 344 wrote to memory of 1148 344 ddvjv.exe 45 PID 344 wrote to memory of 1148 344 ddvjv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe"C:\Users\Admin\AppData\Local\Temp\e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\7rfxrlf.exec:\7rfxrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\4464286.exec:\4464286.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\bnnnhn.exec:\bnnnhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\1lxxllr.exec:\1lxxllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\c086066.exec:\c086066.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\5lxlrrx.exec:\5lxlrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\644424.exec:\644424.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\btnbnt.exec:\btnbnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\o480282.exec:\o480282.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\m8008.exec:\m8008.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\4480402.exec:\4480402.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\ntnhtt.exec:\ntnhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\c824280.exec:\c824280.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\q08464.exec:\q08464.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\ddvjv.exec:\ddvjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344 -
\??\c:\e44688.exec:\e44688.exe17⤵
- Executes dropped EXE
PID:1148 -
\??\c:\ppjdd.exec:\ppjdd.exe18⤵
- Executes dropped EXE
PID:1372 -
\??\c:\ttthhn.exec:\ttthhn.exe19⤵
- Executes dropped EXE
PID:324 -
\??\c:\260246.exec:\260246.exe20⤵
- Executes dropped EXE
PID:1904 -
\??\c:\flrlffl.exec:\flrlffl.exe21⤵
- Executes dropped EXE
PID:1628 -
\??\c:\0462028.exec:\0462028.exe22⤵
- Executes dropped EXE
PID:2464 -
\??\c:\0668284.exec:\0668284.exe23⤵
- Executes dropped EXE
PID:684 -
\??\c:\jpdjd.exec:\jpdjd.exe24⤵
- Executes dropped EXE
PID:2768 -
\??\c:\ntthhn.exec:\ntthhn.exe25⤵
- Executes dropped EXE
PID:2380 -
\??\c:\88246.exec:\88246.exe26⤵
- Executes dropped EXE
PID:1576 -
\??\c:\60408.exec:\60408.exe27⤵
- Executes dropped EXE
PID:1532 -
\??\c:\82686.exec:\82686.exe28⤵
- Executes dropped EXE
PID:1044 -
\??\c:\a6444.exec:\a6444.exe29⤵
- Executes dropped EXE
PID:2136 -
\??\c:\7hbhtb.exec:\7hbhtb.exe30⤵
- Executes dropped EXE
PID:2476 -
\??\c:\044462.exec:\044462.exe31⤵
- Executes dropped EXE
PID:872 -
\??\c:\62800.exec:\62800.exe32⤵
- Executes dropped EXE
PID:1964 -
\??\c:\4284062.exec:\4284062.exe33⤵
- Executes dropped EXE
PID:1908 -
\??\c:\48408.exec:\48408.exe34⤵
- Executes dropped EXE
PID:2924 -
\??\c:\fxlxffl.exec:\fxlxffl.exe35⤵
- Executes dropped EXE
PID:1580 -
\??\c:\0484246.exec:\0484246.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1592 -
\??\c:\hbthnt.exec:\hbthnt.exe37⤵
- Executes dropped EXE
PID:1480 -
\??\c:\7tnntb.exec:\7tnntb.exe38⤵
- Executes dropped EXE
PID:2520 -
\??\c:\tbtnhh.exec:\tbtnhh.exe39⤵
- Executes dropped EXE
PID:2492 -
\??\c:\nhnbth.exec:\nhnbth.exe40⤵
- Executes dropped EXE
PID:3044 -
\??\c:\8200202.exec:\8200202.exe41⤵
- Executes dropped EXE
PID:2824 -
\??\c:\nnntnt.exec:\nnntnt.exe42⤵
- Executes dropped EXE
PID:2212 -
\??\c:\rrfrflx.exec:\rrfrflx.exe43⤵
- Executes dropped EXE
PID:2244 -
\??\c:\0080880.exec:\0080880.exe44⤵
- Executes dropped EXE
PID:2736 -
\??\c:\q44268.exec:\q44268.exe45⤵
- Executes dropped EXE
PID:2604 -
\??\c:\44620.exec:\44620.exe46⤵
- Executes dropped EXE
PID:2664 -
\??\c:\5fxlrxf.exec:\5fxlrxf.exe47⤵
- Executes dropped EXE
PID:2652 -
\??\c:\7jdvj.exec:\7jdvj.exe48⤵
- Executes dropped EXE
PID:2572 -
\??\c:\82686.exec:\82686.exe49⤵
- Executes dropped EXE
PID:2160 -
\??\c:\6266026.exec:\6266026.exe50⤵
- Executes dropped EXE
PID:2628 -
\??\c:\866266.exec:\866266.exe51⤵
- Executes dropped EXE
PID:1420 -
\??\c:\vpjpv.exec:\vpjpv.exe52⤵
- Executes dropped EXE
PID:1896 -
\??\c:\1ppdd.exec:\1ppdd.exe53⤵
- Executes dropped EXE
PID:1992 -
\??\c:\tnhthn.exec:\tnhthn.exe54⤵
- Executes dropped EXE
PID:1440 -
\??\c:\hhntnt.exec:\hhntnt.exe55⤵
- Executes dropped EXE
PID:1688 -
\??\c:\o046806.exec:\o046806.exe56⤵
- Executes dropped EXE
PID:268 -
\??\c:\ppjvv.exec:\ppjvv.exe57⤵
- Executes dropped EXE
PID:2196 -
\??\c:\g8228.exec:\g8228.exe58⤵
- Executes dropped EXE
PID:1904 -
\??\c:\2222880.exec:\2222880.exe59⤵
- Executes dropped EXE
PID:2752 -
\??\c:\7jvjj.exec:\7jvjj.exe60⤵
- Executes dropped EXE
PID:1628 -
\??\c:\fxxrxlr.exec:\fxxrxlr.exe61⤵
- Executes dropped EXE
PID:1156 -
\??\c:\xxflrfx.exec:\xxflrfx.exe62⤵
- Executes dropped EXE
PID:492 -
\??\c:\3frlrll.exec:\3frlrll.exe63⤵
- Executes dropped EXE
PID:1660 -
\??\c:\484028.exec:\484028.exe64⤵
- Executes dropped EXE
PID:1640 -
\??\c:\i006468.exec:\i006468.exe65⤵
- Executes dropped EXE
PID:1764 -
\??\c:\66008.exec:\66008.exe66⤵PID:1756
-
\??\c:\6080828.exec:\6080828.exe67⤵PID:1532
-
\??\c:\rrlxlfx.exec:\rrlxlfx.exe68⤵PID:292
-
\??\c:\26808.exec:\26808.exe69⤵PID:828
-
\??\c:\86446.exec:\86446.exe70⤵PID:880
-
\??\c:\3vddj.exec:\3vddj.exe71⤵PID:768
-
\??\c:\ddjpv.exec:\ddjpv.exe72⤵PID:872
-
\??\c:\606244.exec:\606244.exe73⤵PID:2488
-
\??\c:\rrxfrlx.exec:\rrxfrlx.exe74⤵PID:1912
-
\??\c:\00246.exec:\00246.exe75⤵PID:2460
-
\??\c:\08682.exec:\08682.exe76⤵PID:1680
-
\??\c:\1vjpv.exec:\1vjpv.exe77⤵PID:2308
-
\??\c:\9rrxlxl.exec:\9rrxlxl.exe78⤵PID:2928
-
\??\c:\i820880.exec:\i820880.exe79⤵PID:2240
-
\??\c:\vvpvp.exec:\vvpvp.exe80⤵PID:2232
-
\??\c:\dvpvj.exec:\dvpvj.exe81⤵PID:2724
-
\??\c:\220688.exec:\220688.exe82⤵PID:2808
-
\??\c:\lfxfxfr.exec:\lfxfxfr.exe83⤵PID:2680
-
\??\c:\vdpjp.exec:\vdpjp.exe84⤵PID:2692
-
\??\c:\vpjjp.exec:\vpjjp.exe85⤵PID:2676
-
\??\c:\llrxffr.exec:\llrxffr.exe86⤵PID:2712
-
\??\c:\pvjdj.exec:\pvjdj.exe87⤵PID:2748
-
\??\c:\886262.exec:\886262.exe88⤵PID:2364
-
\??\c:\2640246.exec:\2640246.exe89⤵PID:2640
-
\??\c:\864466.exec:\864466.exe90⤵PID:2592
-
\??\c:\rrrxrrf.exec:\rrrxrrf.exe91⤵PID:1952
-
\??\c:\c082806.exec:\c082806.exe92⤵PID:2004
-
\??\c:\4606286.exec:\4606286.exe93⤵PID:2324
-
\??\c:\jjdvd.exec:\jjdvd.exe94⤵PID:1432
-
\??\c:\dvpdv.exec:\dvpdv.exe95⤵PID:2636
-
\??\c:\jjvdv.exec:\jjvdv.exe96⤵PID:1440
-
\??\c:\vpdjp.exec:\vpdjp.exe97⤵PID:324
-
\??\c:\pppjv.exec:\pppjv.exe98⤵PID:2880
-
\??\c:\i606224.exec:\i606224.exe99⤵PID:440
-
\??\c:\jdvdv.exec:\jdvdv.exe100⤵
- System Location Discovery: System Language Discovery
PID:1784 -
\??\c:\ttnhbt.exec:\ttnhbt.exe101⤵PID:1236
-
\??\c:\llxfxxl.exec:\llxfxxl.exe102⤵PID:684
-
\??\c:\604466.exec:\604466.exe103⤵PID:1672
-
\??\c:\608866.exec:\608866.exe104⤵PID:2040
-
\??\c:\886246.exec:\886246.exe105⤵PID:1520
-
\??\c:\hnbhtt.exec:\hnbhtt.exe106⤵PID:832
-
\??\c:\k66800.exec:\k66800.exe107⤵PID:1312
-
\??\c:\1dpdp.exec:\1dpdp.exe108⤵PID:1756
-
\??\c:\u428408.exec:\u428408.exe109⤵PID:300
-
\??\c:\bbtbbh.exec:\bbtbbh.exe110⤵PID:2532
-
\??\c:\00802.exec:\00802.exe111⤵PID:1492
-
\??\c:\0640888.exec:\0640888.exe112⤵PID:2352
-
\??\c:\9dvpd.exec:\9dvpd.exe113⤵PID:2656
-
\??\c:\82408.exec:\82408.exe114⤵PID:2292
-
\??\c:\ffxrflf.exec:\ffxrflf.exe115⤵PID:2496
-
\??\c:\2046802.exec:\2046802.exe116⤵PID:2660
-
\??\c:\0862406.exec:\0862406.exe117⤵PID:1580
-
\??\c:\a4280.exec:\a4280.exe118⤵PID:2188
-
\??\c:\8204620.exec:\8204620.exe119⤵PID:2300
-
\??\c:\i040840.exec:\i040840.exe120⤵PID:2516
-
\??\c:\dpvpv.exec:\dpvpv.exe121⤵PID:2756
-
\??\c:\rrlxlrf.exec:\rrlxlrf.exe122⤵
- System Location Discovery: System Language Discovery
PID:2780