Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 04:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe
-
Size
455KB
-
MD5
18ea8309a3cc695ac88b5b916e556070
-
SHA1
31ee1084ac6d99eeb7ed0dd989448422c684278d
-
SHA256
cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9
-
SHA512
5d1d98b9583720d025af06fe4be97e39537575e7a48c01bb49407ec9e2fbf0f77b65d2cecc67b3eb72c87d48ee4e14fc47d2e0e059dd5389cd21ea2f04979be1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/3008-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-135-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1664-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/676-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/628-261-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1536-275-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1712-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-313-0x0000000077B80000-0x0000000077C9F000-memory.dmp family_blackmoon behavioral1/memory/2368-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-535-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/896-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-602-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2876-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1072-737-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1348-744-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2628-761-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/944-801-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/628-808-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/2860-917-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/1104-970-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2016-978-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 800 5htnnn.exe 2620 xxxxlrf.exe 2096 1dvjv.exe 2752 608022.exe 2764 a4806.exe 2912 8268008.exe 2396 m6406.exe 2900 08668.exe 2920 5htnht.exe 2656 nhbbnh.exe 2192 266800.exe 2144 4268020.exe 1664 02668.exe 2728 rffrlxr.exe 332 1bttbh.exe 2012 pjddd.exe 1784 dvdvv.exe 2436 6006208.exe 2036 fffffff.exe 1876 rfrrxxx.exe 2756 3rflrll.exe 852 hhbntn.exe 3044 484460.exe 676 4222444.exe 628 5pdvd.exe 1472 rlxxllx.exe 1872 rflfrlx.exe 2316 pdvvd.exe 1012 c840262.exe 1536 9bhtbt.exe 3012 i088446.exe 1364 46884.exe 3060 rxlrflr.exe 2348 g0884.exe 1304 208462.exe 1712 w68400.exe 2568 bhhhth.exe 1532 608804.exe 2368 e42888.exe 2868 m6062.exe 2812 9tthht.exe 2776 pdpvd.exe 2960 2640606.exe 2900 vjvpd.exe 2672 4088662.exe 2772 20222.exe 2032 u405ppp.exe 2732 1tbbhh.exe 2148 xlxrrlr.exe 1396 42002.exe 2136 s2000.exe 1568 5ddjd.exe 836 8688006.exe 332 lxfxllr.exe 1348 jdpdp.exe 2948 3hbbbb.exe 2408 822466.exe 2084 04846.exe 1876 820088.exe 2156 nhbhnn.exe 1084 o862446.exe 1476 608460.exe 1312 lxfllfl.exe 1888 fxrrrrx.exe -
resource yara_rule behavioral1/memory/3008-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/628-261-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1536-273-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1364-286-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2348-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-313-0x0000000077B80000-0x0000000077C9F000-memory.dmp upx behavioral1/memory/2368-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-535-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/896-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-704-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1508-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-737-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2644-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-903-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-919-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-939-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4268480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6640662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i444224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0480844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w48426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0440840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 800 3008 cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe 30 PID 3008 wrote to memory of 800 3008 cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe 30 PID 3008 wrote to memory of 800 3008 cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe 30 PID 3008 wrote to memory of 800 3008 cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe 30 PID 800 wrote to memory of 2620 800 5htnnn.exe 31 PID 800 wrote to memory of 2620 800 5htnnn.exe 31 PID 800 wrote to memory of 2620 800 5htnnn.exe 31 PID 800 wrote to memory of 2620 800 5htnnn.exe 31 PID 2620 wrote to memory of 2096 2620 xxxxlrf.exe 32 PID 2620 wrote to memory of 2096 2620 xxxxlrf.exe 32 PID 2620 wrote to memory of 2096 2620 xxxxlrf.exe 32 PID 2620 wrote to memory of 2096 2620 xxxxlrf.exe 32 PID 2096 wrote to memory of 2752 2096 1dvjv.exe 33 PID 2096 wrote to memory of 2752 2096 1dvjv.exe 33 PID 2096 wrote to memory of 2752 2096 1dvjv.exe 33 PID 2096 wrote to memory of 2752 2096 1dvjv.exe 33 PID 2752 wrote to memory of 2764 2752 608022.exe 34 PID 2752 wrote to memory of 2764 2752 608022.exe 34 PID 2752 wrote to memory of 2764 2752 608022.exe 34 PID 2752 wrote to memory of 2764 2752 608022.exe 34 PID 2764 wrote to memory of 2912 2764 a4806.exe 35 PID 2764 wrote to memory of 2912 2764 a4806.exe 35 PID 2764 wrote to memory of 2912 2764 a4806.exe 35 PID 2764 wrote to memory of 2912 2764 a4806.exe 35 PID 2912 wrote to memory of 2396 2912 8268008.exe 36 PID 2912 wrote to memory of 2396 2912 8268008.exe 36 PID 2912 wrote to memory of 2396 2912 8268008.exe 36 PID 2912 wrote to memory of 2396 2912 8268008.exe 36 PID 2396 wrote to memory of 2900 2396 m6406.exe 37 PID 2396 wrote to memory of 2900 2396 m6406.exe 37 PID 2396 wrote to memory of 2900 2396 m6406.exe 37 PID 2396 wrote to memory of 2900 2396 m6406.exe 37 PID 2900 wrote to memory of 2920 2900 08668.exe 38 PID 2900 wrote to memory of 
2920 2900 08668.exe 38 PID 2900 wrote to memory of 2920 2900 08668.exe 38 PID 2900 wrote to memory of 2920 2900 08668.exe 38 PID 2920 wrote to memory of 2656 2920 5htnht.exe 39 PID 2920 wrote to memory of 2656 2920 5htnht.exe 39 PID 2920 wrote to memory of 2656 2920 5htnht.exe 39 PID 2920 wrote to memory of 2656 2920 5htnht.exe 39 PID 2656 wrote to memory of 2192 2656 nhbbnh.exe 40 PID 2656 wrote to memory of 2192 2656 nhbbnh.exe 40 PID 2656 wrote to memory of 2192 2656 nhbbnh.exe 40 PID 2656 wrote to memory of 2192 2656 nhbbnh.exe 40 PID 2192 wrote to memory of 2144 2192 266800.exe 41 PID 2192 wrote to memory of 2144 2192 266800.exe 41 PID 2192 wrote to memory of 2144 2192 266800.exe 41 PID 2192 wrote to memory of 2144 2192 266800.exe 41 PID 2144 wrote to memory of 1664 2144 4268020.exe 42 PID 2144 wrote to memory of 1664 2144 4268020.exe 42 PID 2144 wrote to memory of 1664 2144 4268020.exe 42 PID 2144 wrote to memory of 1664 2144 4268020.exe 42 PID 1664 wrote to memory of 2728 1664 02668.exe 43 PID 1664 wrote to memory of 2728 1664 02668.exe 43 PID 1664 wrote to memory of 2728 1664 02668.exe 43 PID 1664 wrote to memory of 2728 1664 02668.exe 43 PID 2728 wrote to memory of 332 2728 rffrlxr.exe 44 PID 2728 wrote to memory of 332 2728 rffrlxr.exe 44 PID 2728 wrote to memory of 332 2728 rffrlxr.exe 44 PID 2728 wrote to memory of 332 2728 rffrlxr.exe 44 PID 332 wrote to memory of 2012 332 1bttbh.exe 45 PID 332 wrote to memory of 2012 332 1bttbh.exe 45 PID 332 wrote to memory of 2012 332 1bttbh.exe 45 PID 332 wrote to memory of 2012 332 1bttbh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe"C:\Users\Admin\AppData\Local\Temp\cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\5htnnn.exec:\5htnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\xxxxlrf.exec:\xxxxlrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\1dvjv.exec:\1dvjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\608022.exec:\608022.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\a4806.exec:\a4806.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\8268008.exec:\8268008.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\m6406.exec:\m6406.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\08668.exec:\08668.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\5htnht.exec:\5htnht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\nhbbnh.exec:\nhbbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\266800.exec:\266800.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\4268020.exec:\4268020.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\02668.exec:\02668.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\rffrlxr.exec:\rffrlxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\1bttbh.exec:\1bttbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\pjddd.exec:\pjddd.exe17⤵
- Executes dropped EXE
PID:2012 -
\??\c:\dvdvv.exec:\dvdvv.exe18⤵
- Executes dropped EXE
PID:1784 -
\??\c:\6006208.exec:\6006208.exe19⤵
- Executes dropped EXE
PID:2436 -
\??\c:\fffffff.exec:\fffffff.exe20⤵
- Executes dropped EXE
PID:2036 -
\??\c:\rfrrxxx.exec:\rfrrxxx.exe21⤵
- Executes dropped EXE
PID:1876 -
\??\c:\3rflrll.exec:\3rflrll.exe22⤵
- Executes dropped EXE
PID:2756 -
\??\c:\hhbntn.exec:\hhbntn.exe23⤵
- Executes dropped EXE
PID:852 -
\??\c:\484460.exec:\484460.exe24⤵
- Executes dropped EXE
PID:3044 -
\??\c:\4222444.exec:\4222444.exe25⤵
- Executes dropped EXE
PID:676 -
\??\c:\5pdvd.exec:\5pdvd.exe26⤵
- Executes dropped EXE
PID:628 -
\??\c:\rlxxllx.exec:\rlxxllx.exe27⤵
- Executes dropped EXE
PID:1472 -
\??\c:\rflfrlx.exec:\rflfrlx.exe28⤵
- Executes dropped EXE
PID:1872 -
\??\c:\pdvvd.exec:\pdvvd.exe29⤵
- Executes dropped EXE
PID:2316 -
\??\c:\c840262.exec:\c840262.exe30⤵
- Executes dropped EXE
PID:1012 -
\??\c:\9bhtbt.exec:\9bhtbt.exe31⤵
- Executes dropped EXE
PID:1536 -
\??\c:\i088446.exec:\i088446.exe32⤵
- Executes dropped EXE
PID:3012 -
\??\c:\46884.exec:\46884.exe33⤵
- Executes dropped EXE
PID:1364 -
\??\c:\rxlrflr.exec:\rxlrflr.exe34⤵
- Executes dropped EXE
PID:3060 -
\??\c:\g0884.exec:\g0884.exe35⤵
- Executes dropped EXE
PID:2348 -
\??\c:\208462.exec:\208462.exe36⤵
- Executes dropped EXE
PID:1304 -
\??\c:\w68400.exec:\w68400.exe37⤵
- Executes dropped EXE
PID:1712 -
\??\c:\a8684.exec:\a8684.exe38⤵PID:2572
-
\??\c:\bhhhth.exec:\bhhhth.exe39⤵
- Executes dropped EXE
PID:2568 -
\??\c:\608804.exec:\608804.exe40⤵
- Executes dropped EXE
PID:1532 -
\??\c:\e42888.exec:\e42888.exe41⤵
- Executes dropped EXE
PID:2368 -
\??\c:\m6062.exec:\m6062.exe42⤵
- Executes dropped EXE
PID:2868 -
\??\c:\9tthht.exec:\9tthht.exe43⤵
- Executes dropped EXE
PID:2812 -
\??\c:\pdpvd.exec:\pdpvd.exe44⤵
- Executes dropped EXE
PID:2776 -
\??\c:\2640606.exec:\2640606.exe45⤵
- Executes dropped EXE
PID:2960 -
\??\c:\vjvpd.exec:\vjvpd.exe46⤵
- Executes dropped EXE
PID:2900 -
\??\c:\4088662.exec:\4088662.exe47⤵
- Executes dropped EXE
PID:2672 -
\??\c:\20222.exec:\20222.exe48⤵
- Executes dropped EXE
PID:2772 -
\??\c:\u405ppp.exec:\u405ppp.exe49⤵
- Executes dropped EXE
PID:2032 -
\??\c:\1tbbhh.exec:\1tbbhh.exe50⤵
- Executes dropped EXE
PID:2732 -
\??\c:\xlxrrlr.exec:\xlxrrlr.exe51⤵
- Executes dropped EXE
PID:2148 -
\??\c:\42002.exec:\42002.exe52⤵
- Executes dropped EXE
PID:1396 -
\??\c:\s2000.exec:\s2000.exe53⤵
- Executes dropped EXE
PID:2136 -
\??\c:\5ddjd.exec:\5ddjd.exe54⤵
- Executes dropped EXE
PID:1568 -
\??\c:\8688006.exec:\8688006.exe55⤵
- Executes dropped EXE
PID:836 -
\??\c:\lxfxllr.exec:\lxfxllr.exe56⤵
- Executes dropped EXE
PID:332 -
\??\c:\jdpdp.exec:\jdpdp.exe57⤵
- Executes dropped EXE
PID:1348 -
\??\c:\3hbbbb.exec:\3hbbbb.exe58⤵
- Executes dropped EXE
PID:2948 -
\??\c:\822466.exec:\822466.exe59⤵
- Executes dropped EXE
PID:2408 -
\??\c:\04846.exec:\04846.exe60⤵
- Executes dropped EXE
PID:2084 -
\??\c:\820088.exec:\820088.exe61⤵
- Executes dropped EXE
PID:1876 -
\??\c:\nhbhnn.exec:\nhbhnn.exe62⤵
- Executes dropped EXE
PID:2156 -
\??\c:\o862446.exec:\o862446.exe63⤵
- Executes dropped EXE
PID:1084 -
\??\c:\608460.exec:\608460.exe64⤵
- Executes dropped EXE
PID:1476 -
\??\c:\lxfllfl.exec:\lxfllfl.exe65⤵
- Executes dropped EXE
PID:1312 -
\??\c:\fxrrrrx.exec:\fxrrrrx.exe66⤵
- Executes dropped EXE
PID:1888 -
\??\c:\xrlxllx.exec:\xrlxllx.exe67⤵PID:1696
-
\??\c:\i640066.exec:\i640066.exe68⤵PID:1244
-
\??\c:\6088884.exec:\6088884.exe69⤵PID:896
-
\??\c:\jjvjp.exec:\jjvjp.exe70⤵PID:1240
-
\??\c:\282888.exec:\282888.exe71⤵PID:2636
-
\??\c:\02068.exec:\02068.exe72⤵PID:1668
-
\??\c:\20228.exec:\20228.exe73⤵PID:2532
-
\??\c:\808840.exec:\808840.exe74⤵PID:2308
-
\??\c:\bthnbt.exec:\bthnbt.exe75⤵PID:3012
-
\??\c:\vvjpd.exec:\vvjpd.exe76⤵PID:1364
-
\??\c:\0482204.exec:\0482204.exe77⤵PID:2128
-
\??\c:\k08848.exec:\k08848.exe78⤵PID:2088
-
\??\c:\08440.exec:\08440.exe79⤵
- System Location Discovery: System Language Discovery
PID:800 -
\??\c:\862460.exec:\862460.exe80⤵PID:2364
-
\??\c:\48624.exec:\48624.exe81⤵PID:1524
-
\??\c:\nhbnbt.exec:\nhbnbt.exe82⤵PID:2508
-
\??\c:\xlxfflr.exec:\xlxfflr.exe83⤵PID:1532
-
\??\c:\o424628.exec:\o424628.exe84⤵PID:2808
-
\??\c:\82028.exec:\82028.exe85⤵PID:2876
-
\??\c:\bbnttn.exec:\bbnttn.exe86⤵PID:2928
-
\??\c:\c240628.exec:\c240628.exe87⤵PID:2776
-
\??\c:\0444002.exec:\0444002.exe88⤵PID:2688
-
\??\c:\llfxxrr.exec:\llfxxrr.exe89⤵PID:2676
-
\??\c:\4884664.exec:\4884664.exe90⤵PID:2664
-
\??\c:\4240606.exec:\4240606.exe91⤵PID:2796
-
\??\c:\224400.exec:\224400.exe92⤵PID:2880
-
\??\c:\hhbbnt.exec:\hhbbnt.exe93⤵PID:1832
-
\??\c:\824068.exec:\824068.exe94⤵PID:1868
-
\??\c:\046644.exec:\046644.exe95⤵PID:1556
-
\??\c:\4846648.exec:\4846648.exe96⤵PID:1508
-
\??\c:\htttbb.exec:\htttbb.exe97⤵PID:840
-
\??\c:\20242.exec:\20242.exe98⤵PID:2632
-
\??\c:\lfllxfl.exec:\lfllxfl.exe99⤵PID:1560
-
\??\c:\vjpvv.exec:\vjpvv.exe100⤵PID:1072
-
\??\c:\5dppv.exec:\5dppv.exe101⤵PID:1348
-
\??\c:\htnbhh.exec:\htnbhh.exe102⤵PID:1784
-
\??\c:\vvvvp.exec:\vvvvp.exe103⤵PID:2036
-
\??\c:\fxfllrx.exec:\fxfllrx.exe104⤵PID:2628
-
\??\c:\3pddv.exec:\3pddv.exe105⤵PID:1724
-
\??\c:\g2002.exec:\g2002.exe106⤵PID:560
-
\??\c:\vddpd.exec:\vddpd.exe107⤵PID:2952
-
\??\c:\8200662.exec:\8200662.exe108⤵PID:2644
-
\??\c:\rlrrxfl.exec:\rlrrxfl.exe109⤵PID:976
-
\??\c:\dpvvd.exec:\dpvvd.exe110⤵PID:944
-
\??\c:\7vppv.exec:\7vppv.exe111⤵PID:628
-
\??\c:\48062.exec:\48062.exe112⤵PID:2476
-
\??\c:\8646884.exec:\8646884.exe113⤵PID:2232
-
\??\c:\26008.exec:\26008.exe114⤵PID:2180
-
\??\c:\9nbthn.exec:\9nbthn.exe115⤵PID:3036
-
\??\c:\864026.exec:\864026.exe116⤵PID:2336
-
\??\c:\hhnbnt.exec:\hhnbnt.exe117⤵PID:1976
-
\??\c:\i868444.exec:\i868444.exe118⤵PID:680
-
\??\c:\3rxxlfl.exec:\3rxxlfl.exe119⤵PID:1920
-
\??\c:\5thhtn.exec:\5thhtn.exe120⤵PID:1968
-
\??\c:\frflrrx.exec:\frflrrx.exe121⤵PID:1808
-
\??\c:\jdvdp.exec:\jdvdp.exe122⤵PID:2116