Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 15:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe
-
Size
454KB
-
MD5
2def4c88d3f0849f21b1123579301a80
-
SHA1
1e28f0dce3e130a61d314b1c7b4b3c3cd89ba98b
-
SHA256
5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863
-
SHA512
55c63b186634d718e11eaae667603e2861ad617dd2f44c911aa7c7d0c90f69a396790c4dca81d7c343ce850cf6af3995e2199257b428045286cb6accd975678b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2196-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-54-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2796-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1456-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/828-90-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2228-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/828-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-109-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2336-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-143-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1040-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1660-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/268-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-709-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2108-850-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1680-882-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2808-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-936-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2796-969-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1740 9bnnnn.exe 2892 btbbnt.exe 2808 rlxxllr.exe 2708 4202880.exe 2696 jvpvj.exe 2904 08024.exe 2796 268466.exe 1456 w28860.exe 828 6080262.exe 2228 ddpdp.exe 2076 68868.exe 2336 8602840.exe 2032 xrxrffx.exe 2960 20606.exe 1040 ffxrxfr.exe 1420 vvdvd.exe 1480 ttnnnh.exe 2268 0868002.exe 2088 420684.exe 2124 btnntb.exe 2084 820684.exe 1108 ddpvd.exe 2536 3hhnhh.exe 1584 dddjv.exe 1508 7rlxflr.exe 1660 g8246.exe 896 lllfrrf.exe 832 u268008.exe 1952 s2626.exe 864 7dppp.exe 2588 264684.exe 1032 tnbhnt.exe 2196 tnbtbn.exe 1740 hbntbh.exe 1548 c880668.exe 1560 djdvv.exe 2940 0866824.exe 3008 nnbbth.exe 2836 q80066.exe 2976 u480224.exe 2704 pddjj.exe 2312 bbtnhn.exe 888 3dppv.exe 2320 ttnbnb.exe 2080 264684.exe 1496 bbhbnn.exe 1104 3nhhth.exe 2264 tbhttt.exe 1304 2026262.exe 1940 9nnnhh.exe 2744 3bbthn.exe 2996 60224.exe 1468 q60688.exe 1492 tnhntb.exe 1420 vvppd.exe 760 5jdpv.exe 1480 424080.exe 2192 2422446.exe 2428 202806.exe 2220 6602402.exe 2084 m2662.exe 2476 1xlrlrx.exe 2636 0462246.exe 944 i206402.exe -
resource yara_rule behavioral1/memory/2196-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/828-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-183-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1584-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-274-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1952-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-619-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2692-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-710-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3028-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-909-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-943-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6640886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8660044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8622840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4424280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0004800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxfxxf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6466440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8026822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i868068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 1740 2196 5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe 31 PID 2196 wrote to memory of 1740 2196 5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe 31 PID 2196 wrote to memory of 1740 2196 5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe 31 PID 2196 wrote to memory of 1740 2196 5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe 31 PID 1740 wrote to memory of 2892 1740 9bnnnn.exe 32 PID 1740 wrote to memory of 2892 1740 9bnnnn.exe 32 PID 1740 wrote to memory of 2892 1740 9bnnnn.exe 32 PID 1740 wrote to memory of 2892 1740 9bnnnn.exe 32 PID 2892 wrote to memory of 2808 2892 btbbnt.exe 33 PID 2892 wrote to memory of 2808 2892 btbbnt.exe 33 PID 2892 wrote to memory of 2808 2892 btbbnt.exe 33 PID 2892 wrote to memory of 2808 2892 btbbnt.exe 33 PID 2808 wrote to memory of 2708 2808 rlxxllr.exe 34 PID 2808 wrote to memory of 2708 2808 rlxxllr.exe 34 PID 2808 wrote to memory of 2708 2808 rlxxllr.exe 34 PID 2808 wrote to memory of 2708 2808 rlxxllr.exe 34 PID 2708 wrote to memory of 2696 2708 4202880.exe 35 PID 2708 wrote to memory of 2696 2708 4202880.exe 35 PID 2708 wrote to memory of 2696 2708 4202880.exe 35 PID 2708 wrote to memory of 2696 2708 4202880.exe 35 PID 2696 wrote to memory of 2904 2696 jvpvj.exe 36 PID 2696 wrote to memory of 2904 2696 jvpvj.exe 36 PID 2696 wrote to memory of 2904 2696 jvpvj.exe 36 PID 2696 wrote to memory of 2904 2696 jvpvj.exe 36 PID 2904 wrote to memory of 2796 2904 08024.exe 37 PID 2904 wrote to memory of 2796 2904 08024.exe 37 PID 2904 wrote to memory of 2796 2904 08024.exe 37 PID 2904 wrote to memory of 2796 2904 08024.exe 37 PID 2796 wrote to memory of 1456 2796 268466.exe 38 PID 2796 wrote to memory of 1456 2796 268466.exe 38 PID 2796 wrote to memory of 1456 2796 268466.exe 38 PID 2796 wrote to memory of 1456 2796 268466.exe 38 PID 1456 wrote to memory of 828 1456 w28860.exe 39 PID 1456 
wrote to memory of 828 1456 w28860.exe 39 PID 1456 wrote to memory of 828 1456 w28860.exe 39 PID 1456 wrote to memory of 828 1456 w28860.exe 39 PID 828 wrote to memory of 2228 828 6080262.exe 40 PID 828 wrote to memory of 2228 828 6080262.exe 40 PID 828 wrote to memory of 2228 828 6080262.exe 40 PID 828 wrote to memory of 2228 828 6080262.exe 40 PID 2228 wrote to memory of 2076 2228 ddpdp.exe 41 PID 2228 wrote to memory of 2076 2228 ddpdp.exe 41 PID 2228 wrote to memory of 2076 2228 ddpdp.exe 41 PID 2228 wrote to memory of 2076 2228 ddpdp.exe 41 PID 2076 wrote to memory of 2336 2076 68868.exe 42 PID 2076 wrote to memory of 2336 2076 68868.exe 42 PID 2076 wrote to memory of 2336 2076 68868.exe 42 PID 2076 wrote to memory of 2336 2076 68868.exe 42 PID 2336 wrote to memory of 2032 2336 8602840.exe 43 PID 2336 wrote to memory of 2032 2336 8602840.exe 43 PID 2336 wrote to memory of 2032 2336 8602840.exe 43 PID 2336 wrote to memory of 2032 2336 8602840.exe 43 PID 2032 wrote to memory of 2960 2032 xrxrffx.exe 44 PID 2032 wrote to memory of 2960 2032 xrxrffx.exe 44 PID 2032 wrote to memory of 2960 2032 xrxrffx.exe 44 PID 2032 wrote to memory of 2960 2032 xrxrffx.exe 44 PID 2960 wrote to memory of 1040 2960 20606.exe 45 PID 2960 wrote to memory of 1040 2960 20606.exe 45 PID 2960 wrote to memory of 1040 2960 20606.exe 45 PID 2960 wrote to memory of 1040 2960 20606.exe 45 PID 1040 wrote to memory of 1420 1040 ffxrxfr.exe 46 PID 1040 wrote to memory of 1420 1040 ffxrxfr.exe 46 PID 1040 wrote to memory of 1420 1040 ffxrxfr.exe 46 PID 1040 wrote to memory of 1420 1040 ffxrxfr.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe"C:\Users\Admin\AppData\Local\Temp\5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\9bnnnn.exec:\9bnnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\btbbnt.exec:\btbbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\rlxxllr.exec:\rlxxllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\4202880.exec:\4202880.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\jvpvj.exec:\jvpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\08024.exec:\08024.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\268466.exec:\268466.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\w28860.exec:\w28860.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\6080262.exec:\6080262.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\ddpdp.exec:\ddpdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\68868.exec:\68868.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\8602840.exec:\8602840.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\xrxrffx.exec:\xrxrffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\20606.exec:\20606.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\ffxrxfr.exec:\ffxrxfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\vvdvd.exec:\vvdvd.exe17⤵
- Executes dropped EXE
PID:1420 -
\??\c:\ttnnnh.exec:\ttnnnh.exe18⤵
- Executes dropped EXE
PID:1480 -
\??\c:\0868002.exec:\0868002.exe19⤵
- Executes dropped EXE
PID:2268 -
\??\c:\420684.exec:\420684.exe20⤵
- Executes dropped EXE
PID:2088 -
\??\c:\btnntb.exec:\btnntb.exe21⤵
- Executes dropped EXE
PID:2124 -
\??\c:\820684.exec:\820684.exe22⤵
- Executes dropped EXE
PID:2084 -
\??\c:\ddpvd.exec:\ddpvd.exe23⤵
- Executes dropped EXE
PID:1108 -
\??\c:\3hhnhh.exec:\3hhnhh.exe24⤵
- Executes dropped EXE
PID:2536 -
\??\c:\dddjv.exec:\dddjv.exe25⤵
- Executes dropped EXE
PID:1584 -
\??\c:\7rlxflr.exec:\7rlxflr.exe26⤵
- Executes dropped EXE
PID:1508 -
\??\c:\g8246.exec:\g8246.exe27⤵
- Executes dropped EXE
PID:1660 -
\??\c:\lllfrrf.exec:\lllfrrf.exe28⤵
- Executes dropped EXE
PID:896 -
\??\c:\u268008.exec:\u268008.exe29⤵
- Executes dropped EXE
PID:832 -
\??\c:\s2626.exec:\s2626.exe30⤵
- Executes dropped EXE
PID:1952 -
\??\c:\7dppp.exec:\7dppp.exe31⤵
- Executes dropped EXE
PID:864 -
\??\c:\264684.exec:\264684.exe32⤵
- Executes dropped EXE
PID:2588 -
\??\c:\tnbhnt.exec:\tnbhnt.exe33⤵
- Executes dropped EXE
PID:1032 -
\??\c:\tnbtbn.exec:\tnbtbn.exe34⤵
- Executes dropped EXE
PID:2196 -
\??\c:\hbntbh.exec:\hbntbh.exe35⤵
- Executes dropped EXE
PID:1740 -
\??\c:\c880668.exec:\c880668.exe36⤵
- Executes dropped EXE
PID:1548 -
\??\c:\djdvv.exec:\djdvv.exe37⤵
- Executes dropped EXE
PID:1560 -
\??\c:\0866824.exec:\0866824.exe38⤵
- Executes dropped EXE
PID:2940 -
\??\c:\nnbbth.exec:\nnbbth.exe39⤵
- Executes dropped EXE
PID:3008 -
\??\c:\q80066.exec:\q80066.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\u480224.exec:\u480224.exe41⤵
- Executes dropped EXE
PID:2976 -
\??\c:\pddjj.exec:\pddjj.exe42⤵
- Executes dropped EXE
PID:2704 -
\??\c:\bbtnhn.exec:\bbtnhn.exe43⤵
- Executes dropped EXE
PID:2312 -
\??\c:\3dppv.exec:\3dppv.exe44⤵
- Executes dropped EXE
PID:888 -
\??\c:\ttnbnb.exec:\ttnbnb.exe45⤵
- Executes dropped EXE
PID:2320 -
\??\c:\264684.exec:\264684.exe46⤵
- Executes dropped EXE
PID:2080 -
\??\c:\bbhbnn.exec:\bbhbnn.exe47⤵
- Executes dropped EXE
PID:1496 -
\??\c:\3nhhth.exec:\3nhhth.exe48⤵
- Executes dropped EXE
PID:1104 -
\??\c:\tbhttt.exec:\tbhttt.exe49⤵
- Executes dropped EXE
PID:2264 -
\??\c:\2026262.exec:\2026262.exe50⤵
- Executes dropped EXE
PID:1304 -
\??\c:\9nnnhh.exec:\9nnnhh.exe51⤵
- Executes dropped EXE
PID:1940 -
\??\c:\3bbthn.exec:\3bbthn.exe52⤵
- Executes dropped EXE
PID:2744 -
\??\c:\60224.exec:\60224.exe53⤵
- Executes dropped EXE
PID:2996 -
\??\c:\q60688.exec:\q60688.exe54⤵
- Executes dropped EXE
PID:1468 -
\??\c:\tnhntb.exec:\tnhntb.exe55⤵
- Executes dropped EXE
PID:1492 -
\??\c:\vvppd.exec:\vvppd.exe56⤵
- Executes dropped EXE
PID:1420 -
\??\c:\5jdpv.exec:\5jdpv.exe57⤵
- Executes dropped EXE
PID:760 -
\??\c:\424080.exec:\424080.exe58⤵
- Executes dropped EXE
PID:1480 -
\??\c:\2422446.exec:\2422446.exe59⤵
- Executes dropped EXE
PID:2192 -
\??\c:\202806.exec:\202806.exe60⤵
- Executes dropped EXE
PID:2428 -
\??\c:\6602402.exec:\6602402.exe61⤵
- Executes dropped EXE
PID:2220 -
\??\c:\m2662.exec:\m2662.exe62⤵
- Executes dropped EXE
PID:2084 -
\??\c:\1xlrlrx.exec:\1xlrlrx.exe63⤵
- Executes dropped EXE
PID:2476 -
\??\c:\0462246.exec:\0462246.exe64⤵
- Executes dropped EXE
PID:2636 -
\??\c:\i206402.exec:\i206402.exe65⤵
- Executes dropped EXE
PID:944 -
\??\c:\rrrrxlx.exec:\rrrrxlx.exe66⤵PID:268
-
\??\c:\26484.exec:\26484.exe67⤵PID:1520
-
\??\c:\6466440.exec:\6466440.exe68⤵
- System Location Discovery: System Language Discovery
PID:2236 -
\??\c:\208428.exec:\208428.exe69⤵PID:2172
-
\??\c:\a6408.exec:\a6408.exe70⤵PID:2068
-
\??\c:\nbtttt.exec:\nbtttt.exe71⤵PID:1516
-
\??\c:\q28800.exec:\q28800.exe72⤵PID:2944
-
\??\c:\btntnh.exec:\btntnh.exe73⤵PID:2596
-
\??\c:\q46284.exec:\q46284.exe74⤵PID:872
-
\??\c:\xrllxrx.exec:\xrllxrx.exe75⤵PID:2768
-
\??\c:\hhhtbh.exec:\hhhtbh.exe76⤵PID:1756
-
\??\c:\nhthnn.exec:\nhthnn.exe77⤵PID:1992
-
\??\c:\60002.exec:\60002.exe78⤵PID:2876
-
\??\c:\2066846.exec:\2066846.exe79⤵PID:1564
-
\??\c:\i244002.exec:\i244002.exe80⤵PID:2808
-
\??\c:\4200406.exec:\4200406.exe81⤵PID:2936
-
\??\c:\s2624.exec:\s2624.exe82⤵PID:2880
-
\??\c:\3lxxfxl.exec:\3lxxfxl.exe83⤵PID:2812
-
\??\c:\k68444.exec:\k68444.exe84⤵PID:2696
-
\??\c:\9nhntb.exec:\9nhntb.exe85⤵PID:2692
-
\??\c:\7lrrxfl.exec:\7lrrxfl.exe86⤵PID:2752
-
\??\c:\6006882.exec:\6006882.exe87⤵PID:2796
-
\??\c:\c862464.exec:\c862464.exe88⤵PID:528
-
\??\c:\426284.exec:\426284.exe89⤵PID:1280
-
\??\c:\lrrlxfl.exec:\lrrlxfl.exe90⤵PID:2364
-
\??\c:\426284.exec:\426284.exe91⤵PID:768
-
\??\c:\bbthth.exec:\bbthth.exe92⤵PID:1104
-
\??\c:\o646880.exec:\o646880.exe93⤵PID:1604
-
\??\c:\480284.exec:\480284.exe94⤵PID:1304
-
\??\c:\82068.exec:\82068.exe95⤵PID:2660
-
\??\c:\fxrxflr.exec:\fxrxflr.exe96⤵PID:2988
-
\??\c:\pvppv.exec:\pvppv.exe97⤵PID:3028
-
\??\c:\826244.exec:\826244.exe98⤵PID:1468
-
\??\c:\rlxflxl.exec:\rlxflxl.exe99⤵PID:996
-
\??\c:\vdpvd.exec:\vdpvd.exe100⤵PID:3064
-
\??\c:\vpdjp.exec:\vpdjp.exe101⤵PID:2212
-
\??\c:\fxrxlrf.exec:\fxrxlrf.exe102⤵PID:2200
-
\??\c:\3bhbhh.exec:\3bhbhh.exe103⤵PID:2160
-
\??\c:\8228402.exec:\8228402.exe104⤵PID:624
-
\??\c:\dpppd.exec:\dpppd.exe105⤵PID:2220
-
\??\c:\3rlrfll.exec:\3rlrfll.exe106⤵PID:1716
-
\??\c:\608028.exec:\608028.exe107⤵PID:1620
-
\??\c:\flxfrxr.exec:\flxfrxr.exe108⤵PID:1312
-
\??\c:\dddpd.exec:\dddpd.exe109⤵PID:904
-
\??\c:\dpvjp.exec:\dpvjp.exe110⤵PID:1628
-
\??\c:\vvpvd.exec:\vvpvd.exe111⤵PID:1868
-
\??\c:\7vpvj.exec:\7vpvj.exe112⤵PID:2188
-
\??\c:\hbntbb.exec:\hbntbb.exe113⤵PID:1944
-
\??\c:\lxfxfxr.exec:\lxfxfxr.exe114⤵PID:1224
-
\??\c:\082422.exec:\082422.exe115⤵PID:2608
-
\??\c:\tntbbb.exec:\tntbbb.exe116⤵PID:2340
-
\??\c:\hhbhtb.exec:\hhbhtb.exe117⤵PID:2108
-
\??\c:\lffxfrr.exec:\lffxfrr.exe118⤵PID:1988
-
\??\c:\a6628.exec:\a6628.exe119⤵PID:2992
-
\??\c:\9xrrxfl.exec:\9xrrxfl.exe120⤵PID:2816
-
\??\c:\a2008.exec:\a2008.exe121⤵PID:2928
-
\??\c:\thnnnh.exec:\thnnnh.exe122⤵PID:1680