Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 02:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe
-
Size
454KB
-
MD5
3fb5a98edeadf8ebe864ffb15eb38127
-
SHA1
90cd09ff227538ecf13bfb81584ee945f0a6072f
-
SHA256
c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678
-
SHA512
5bac707f6fe5a6deaaa2e0388bf24c4338536323878ff45d16ca96a4aaed64dc04eeba4ef4006c3555edcd87e184408906bbaed7d6c352cc6076731503e7139d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2288-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1904-356-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2548-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-392-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/964-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-511-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2128-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-874-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1364-879-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2564-906-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2656-920-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2840-954-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1664-961-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1604-975-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1664-981-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/1676-983-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2348 202688.exe 2308 5vjvv.exe 2264 frxxxrr.exe 2756 1dpvp.exe 2708 20228.exe 2800 5xfffxx.exe 2572 tbbbtn.exe 2720 bnhhhb.exe 2564 httntn.exe 2996 868848.exe 632 jpjjj.exe 2068 08068.exe 772 5xfxxrr.exe 1484 bntntt.exe 1724 428888.exe 1824 3lllfff.exe 1624 5frrffr.exe 2044 5hbbhb.exe 2184 20666.exe 2208 dpvpd.exe 448 xrrxxxx.exe 780 pdvpd.exe 2356 6440406.exe 1200 w46248.exe 824 9dvvj.exe 1540 3jpjj.exe 1872 xrlrffr.exe 1732 q24406.exe 2312 1hhtth.exe 112 m6048.exe 2336 3thtnn.exe 1488 u022422.exe 2332 7rrlrrr.exe 2988 c682044.exe 1592 thnhhb.exe 2736 1bhnnb.exe 1648 e64444.exe 2768 2622828.exe 1904 2066806.exe 2556 nbhhnn.exe 2800 1bbttn.exe 2656 jjppj.exe 2548 rlrxfrx.exe 2592 vpddd.exe 536 2060208.exe 3016 lrxrxrr.exe 892 428622.exe 2792 ddpvd.exe 2024 5rlflrf.exe 2444 202026.exe 1912 frfrxrx.exe 2612 64880.exe 964 pjppv.exe 2360 8026600.exe 2044 1nthbb.exe 2588 6468406.exe 2948 9jjdv.exe 1496 m6822.exe 2064 k24464.exe 780 864004.exe 612 02486.exe 2472 jvjdv.exe 824 5bhtnb.exe 2872 w64060.exe -
resource yara_rule behavioral1/memory/2288-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2548-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/964-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-874-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2600-913-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-961-0x00000000003B0000-0x00000000003DA000-memory.dmp upx 
behavioral1/memory/1604-968-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-1016-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-1023-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2288 wrote to memory of 2348 2288 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 31 PID 2288 wrote to memory of 2348 2288 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 31 PID 2288 wrote to memory of 2348 2288 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 31 PID 2288 wrote to memory of 2348 2288 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 31 PID 2348 wrote to memory of 2308 2348 202688.exe 32 PID 2348 wrote to memory of 2308 2348 202688.exe 32 PID 2348 wrote to memory of 2308 2348 202688.exe 32 PID 2348 wrote to memory of 2308 2348 202688.exe 32 PID 2308 wrote to memory of 2264 2308 5vjvv.exe 33 PID 2308 wrote to memory of 2264 2308 5vjvv.exe 33 PID 2308 wrote to memory of 2264 2308 5vjvv.exe 33 PID 2308 wrote to memory of 2264 2308 5vjvv.exe 33 PID 2264 wrote to memory of 2756 2264 frxxxrr.exe 34 PID 2264 wrote to memory of 2756 2264 frxxxrr.exe 34 PID 2264 wrote to memory of 2756 2264 frxxxrr.exe 34 PID 2264 wrote to memory of 2756 2264 frxxxrr.exe 34 PID 2756 wrote to memory of 2708 2756 1dpvp.exe 35 PID 2756 wrote to memory of 2708 2756 1dpvp.exe 35 PID 2756 wrote to memory of 2708 2756 1dpvp.exe 35 PID 2756 wrote to memory of 2708 2756 1dpvp.exe 35 PID 2708 wrote to memory of 2800 2708 20228.exe 36 PID 2708 wrote to memory of 2800 2708 20228.exe 36 PID 2708 wrote to memory of 2800 2708 20228.exe 36 PID 2708 wrote to memory of 2800 2708 20228.exe 36 PID 2800 wrote to memory of 2572 2800 5xfffxx.exe 37 PID 2800 wrote to memory of 2572 2800 5xfffxx.exe 37 PID 2800 wrote to memory of 2572 2800 5xfffxx.exe 37 PID 2800 wrote to memory of 2572 2800 5xfffxx.exe 37 PID 2572 wrote to memory of 2720 2572 tbbbtn.exe 38 PID 2572 wrote to memory of 2720 2572 tbbbtn.exe 38 PID 2572 wrote to memory of 2720 2572 tbbbtn.exe 38 PID 2572 wrote to memory of 2720 2572 tbbbtn.exe 38 PID 2720 wrote to memory of 2564 2720 bnhhhb.exe 39 PID 2720 wrote to 
memory of 2564 2720 bnhhhb.exe 39 PID 2720 wrote to memory of 2564 2720 bnhhhb.exe 39 PID 2720 wrote to memory of 2564 2720 bnhhhb.exe 39 PID 2564 wrote to memory of 2996 2564 httntn.exe 40 PID 2564 wrote to memory of 2996 2564 httntn.exe 40 PID 2564 wrote to memory of 2996 2564 httntn.exe 40 PID 2564 wrote to memory of 2996 2564 httntn.exe 40 PID 2996 wrote to memory of 632 2996 868848.exe 41 PID 2996 wrote to memory of 632 2996 868848.exe 41 PID 2996 wrote to memory of 632 2996 868848.exe 41 PID 2996 wrote to memory of 632 2996 868848.exe 41 PID 632 wrote to memory of 2068 632 jpjjj.exe 42 PID 632 wrote to memory of 2068 632 jpjjj.exe 42 PID 632 wrote to memory of 2068 632 jpjjj.exe 42 PID 632 wrote to memory of 2068 632 jpjjj.exe 42 PID 2068 wrote to memory of 772 2068 08068.exe 43 PID 2068 wrote to memory of 772 2068 08068.exe 43 PID 2068 wrote to memory of 772 2068 08068.exe 43 PID 2068 wrote to memory of 772 2068 08068.exe 43 PID 772 wrote to memory of 1484 772 5xfxxrr.exe 44 PID 772 wrote to memory of 1484 772 5xfxxrr.exe 44 PID 772 wrote to memory of 1484 772 5xfxxrr.exe 44 PID 772 wrote to memory of 1484 772 5xfxxrr.exe 44 PID 1484 wrote to memory of 1724 1484 bntntt.exe 45 PID 1484 wrote to memory of 1724 1484 bntntt.exe 45 PID 1484 wrote to memory of 1724 1484 bntntt.exe 45 PID 1484 wrote to memory of 1724 1484 bntntt.exe 45 PID 1724 wrote to memory of 1824 1724 428888.exe 46 PID 1724 wrote to memory of 1824 1724 428888.exe 46 PID 1724 wrote to memory of 1824 1724 428888.exe 46 PID 1724 wrote to memory of 1824 1724 428888.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe"C:\Users\Admin\AppData\Local\Temp\c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\202688.exec:\202688.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\5vjvv.exec:\5vjvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\frxxxrr.exec:\frxxxrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\1dpvp.exec:\1dpvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\20228.exec:\20228.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\5xfffxx.exec:\5xfffxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\tbbbtn.exec:\tbbbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\bnhhhb.exec:\bnhhhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\httntn.exec:\httntn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\868848.exec:\868848.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\jpjjj.exec:\jpjjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\08068.exec:\08068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\5xfxxrr.exec:\5xfxxrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\bntntt.exec:\bntntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\428888.exec:\428888.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\3lllfff.exec:\3lllfff.exe17⤵
- Executes dropped EXE
PID:1824 -
\??\c:\5frrffr.exec:\5frrffr.exe18⤵
- Executes dropped EXE
PID:1624 -
\??\c:\5hbbhb.exec:\5hbbhb.exe19⤵
- Executes dropped EXE
PID:2044 -
\??\c:\20666.exec:\20666.exe20⤵
- Executes dropped EXE
PID:2184 -
\??\c:\dpvpd.exec:\dpvpd.exe21⤵
- Executes dropped EXE
PID:2208 -
\??\c:\xrrxxxx.exec:\xrrxxxx.exe22⤵
- Executes dropped EXE
PID:448 -
\??\c:\pdvpd.exec:\pdvpd.exe23⤵
- Executes dropped EXE
PID:780 -
\??\c:\6440406.exec:\6440406.exe24⤵
- Executes dropped EXE
PID:2356 -
\??\c:\w46248.exec:\w46248.exe25⤵
- Executes dropped EXE
PID:1200 -
\??\c:\9dvvj.exec:\9dvvj.exe26⤵
- Executes dropped EXE
PID:824 -
\??\c:\3jpjj.exec:\3jpjj.exe27⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xrlrffr.exec:\xrlrffr.exe28⤵
- Executes dropped EXE
PID:1872 -
\??\c:\q24406.exec:\q24406.exe29⤵
- Executes dropped EXE
PID:1732 -
\??\c:\1hhtth.exec:\1hhtth.exe30⤵
- Executes dropped EXE
PID:2312 -
\??\c:\m6048.exec:\m6048.exe31⤵
- Executes dropped EXE
PID:112 -
\??\c:\3thtnn.exec:\3thtnn.exe32⤵
- Executes dropped EXE
PID:2336 -
\??\c:\u022422.exec:\u022422.exe33⤵
- Executes dropped EXE
PID:1488 -
\??\c:\7rrlrrr.exec:\7rrlrrr.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332 -
\??\c:\c682044.exec:\c682044.exe35⤵
- Executes dropped EXE
PID:2988 -
\??\c:\thnhhb.exec:\thnhhb.exe36⤵
- Executes dropped EXE
PID:1592 -
\??\c:\1bhnnb.exec:\1bhnnb.exe37⤵
- Executes dropped EXE
PID:2736 -
\??\c:\e64444.exec:\e64444.exe38⤵
- Executes dropped EXE
PID:1648 -
\??\c:\2622828.exec:\2622828.exe39⤵
- Executes dropped EXE
PID:2768 -
\??\c:\2066806.exec:\2066806.exe40⤵
- Executes dropped EXE
PID:1904 -
\??\c:\nbhhnn.exec:\nbhhnn.exe41⤵
- Executes dropped EXE
PID:2556 -
\??\c:\1bbttn.exec:\1bbttn.exe42⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jjppj.exec:\jjppj.exe43⤵
- Executes dropped EXE
PID:2656 -
\??\c:\rlrxfrx.exec:\rlrxfrx.exe44⤵
- Executes dropped EXE
PID:2548 -
\??\c:\vpddd.exec:\vpddd.exe45⤵
- Executes dropped EXE
PID:2592 -
\??\c:\2060208.exec:\2060208.exe46⤵
- Executes dropped EXE
PID:536 -
\??\c:\lrxrxrr.exec:\lrxrxrr.exe47⤵
- Executes dropped EXE
PID:3016 -
\??\c:\428622.exec:\428622.exe48⤵
- Executes dropped EXE
PID:892 -
\??\c:\ddpvd.exec:\ddpvd.exe49⤵
- Executes dropped EXE
PID:2792 -
\??\c:\5rlflrf.exec:\5rlflrf.exe50⤵
- Executes dropped EXE
PID:2024 -
\??\c:\202026.exec:\202026.exe51⤵
- Executes dropped EXE
PID:2444 -
\??\c:\frfrxrx.exec:\frfrxrx.exe52⤵
- Executes dropped EXE
PID:1912 -
\??\c:\64880.exec:\64880.exe53⤵
- Executes dropped EXE
PID:2612 -
\??\c:\pjppv.exec:\pjppv.exe54⤵
- Executes dropped EXE
PID:964 -
\??\c:\8026600.exec:\8026600.exe55⤵
- Executes dropped EXE
PID:2360 -
\??\c:\1nthbb.exec:\1nthbb.exe56⤵
- Executes dropped EXE
PID:2044 -
\??\c:\6468406.exec:\6468406.exe57⤵
- Executes dropped EXE
PID:2588 -
\??\c:\9jjdv.exec:\9jjdv.exe58⤵
- Executes dropped EXE
PID:2948 -
\??\c:\m6822.exec:\m6822.exe59⤵
- Executes dropped EXE
PID:1496 -
\??\c:\k24464.exec:\k24464.exe60⤵
- Executes dropped EXE
PID:2064 -
\??\c:\864004.exec:\864004.exe61⤵
- Executes dropped EXE
PID:780 -
\??\c:\02486.exec:\02486.exe62⤵
- Executes dropped EXE
PID:612 -
\??\c:\jvjdv.exec:\jvjdv.exe63⤵
- Executes dropped EXE
PID:2472 -
\??\c:\5bhtnb.exec:\5bhtnb.exe64⤵
- Executes dropped EXE
PID:824 -
\??\c:\w64060.exec:\w64060.exe65⤵
- Executes dropped EXE
PID:2872 -
\??\c:\08444.exec:\08444.exe66⤵PID:940
-
\??\c:\jddjj.exec:\jddjj.exe67⤵PID:1716
-
\??\c:\680404.exec:\680404.exe68⤵PID:2128
-
\??\c:\vpdjj.exec:\vpdjj.exe69⤵PID:2312
-
\??\c:\hbbttt.exec:\hbbttt.exe70⤵PID:900
-
\??\c:\4204884.exec:\4204884.exe71⤵PID:804
-
\??\c:\o840662.exec:\o840662.exe72⤵PID:1780
-
\??\c:\86884.exec:\86884.exe73⤵PID:1488
-
\??\c:\o860444.exec:\o860444.exe74⤵PID:2324
-
\??\c:\6404066.exec:\6404066.exe75⤵PID:1588
-
\??\c:\pdpvv.exec:\pdpvv.exe76⤵PID:3008
-
\??\c:\pdjjj.exec:\pdjjj.exe77⤵PID:888
-
\??\c:\20886.exec:\20886.exe78⤵PID:2116
-
\??\c:\a6822.exec:\a6822.exe79⤵PID:2264
-
\??\c:\thhbnt.exec:\thhbnt.exe80⤵PID:2748
-
\??\c:\tthhnt.exec:\tthhnt.exe81⤵PID:2664
-
\??\c:\k84426.exec:\k84426.exe82⤵PID:2824
-
\??\c:\4688228.exec:\4688228.exe83⤵PID:2692
-
\??\c:\640082.exec:\640082.exe84⤵PID:2684
-
\??\c:\s0262.exec:\s0262.exe85⤵PID:2568
-
\??\c:\4282222.exec:\4282222.exe86⤵PID:3044
-
\??\c:\7nttbn.exec:\7nttbn.exe87⤵PID:2996
-
\??\c:\46444.exec:\46444.exe88⤵PID:2552
-
\??\c:\24266.exec:\24266.exe89⤵PID:3016
-
\??\c:\80228.exec:\80228.exe90⤵PID:276
-
\??\c:\04842.exec:\04842.exe91⤵PID:2792
-
\??\c:\vjdvj.exec:\vjdvj.exe92⤵PID:1484
-
\??\c:\g0880.exec:\g0880.exe93⤵PID:3012
-
\??\c:\40826.exec:\40826.exe94⤵PID:988
-
\??\c:\hbbhtt.exec:\hbbhtt.exe95⤵PID:1604
-
\??\c:\ddvpj.exec:\ddvpj.exe96⤵PID:1796
-
\??\c:\7rfllrx.exec:\7rfllrx.exe97⤵PID:320
-
\??\c:\4844662.exec:\4844662.exe98⤵PID:2120
-
\??\c:\8206408.exec:\8206408.exe99⤵PID:2880
-
\??\c:\e46240.exec:\e46240.exe100⤵PID:2208
-
\??\c:\btbhbb.exec:\btbhbb.exe101⤵PID:2432
-
\??\c:\3pjpj.exec:\3pjpj.exe102⤵PID:1608
-
\??\c:\dvddj.exec:\dvddj.exe103⤵PID:1576
-
\??\c:\xxlflrl.exec:\xxlflrl.exe104⤵PID:2320
-
\??\c:\0862402.exec:\0862402.exe105⤵PID:604
-
\??\c:\htnhbb.exec:\htnhbb.exe106⤵PID:2940
-
\??\c:\dpvvv.exec:\dpvvv.exe107⤵PID:2852
-
\??\c:\ttbhbb.exec:\ttbhbb.exe108⤵PID:2652
-
\??\c:\a2628.exec:\a2628.exe109⤵PID:1964
-
\??\c:\rrlrxxl.exec:\rrlrxxl.exe110⤵PID:1732
-
\??\c:\xfxrffl.exec:\xfxrffl.exe111⤵PID:2268
-
\??\c:\8262442.exec:\8262442.exe112⤵PID:1060
-
\??\c:\nbnnbb.exec:\nbnnbb.exe113⤵PID:1356
-
\??\c:\nnhntt.exec:\nnhntt.exe114⤵PID:1788
-
\??\c:\7htnnn.exec:\7htnnn.exe115⤵PID:1780
-
\??\c:\486206.exec:\486206.exe116⤵PID:2988
-
\??\c:\pjdjv.exec:\pjdjv.exe117⤵PID:2452
-
\??\c:\64666.exec:\64666.exe118⤵PID:2000
-
\??\c:\rlxrflr.exec:\rlxrflr.exe119⤵PID:2340
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe120⤵PID:1364
-
\??\c:\fxffrrx.exec:\fxffrrx.exe121⤵PID:2776
-
\??\c:\e86288.exec:\e86288.exe122⤵PID:2644