Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 18:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe
-
Size
454KB
-
MD5
e7f447eac120811f0a2b4539dccc0771
-
SHA1
66a2f961fbfb85e3f56acf8ab9232af03f714d7f
-
SHA256
18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7
-
SHA512
82a118ed96d2bfc17b6da3dd944a87bc5a8309c690da3713b0ac963190355402979f0cf11c6213780a4c8a3542eab3c6587942648ab903d70c483fc5ed7ecbd5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/1728-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1012-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/524-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/956-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1448-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-320-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/480-343-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2760-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-364-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-371-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2680-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-430-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1296-446-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2984-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-472-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1732-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-683-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2056-750-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/1644-807-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1360-815-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2360-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2712-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-974-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1528 tnnhnn.exe 2152 20062.exe 1012 vpjpp.exe 2144 u800884.exe 2704 btttnn.exe 3012 vjddp.exe 524 c200446.exe 2692 0424408.exe 2712 llfxflx.exe 2668 xxrxllx.exe 2276 thbbhn.exe 2780 482088.exe 1672 xfxrxfl.exe 2368 48468.exe 2664 w48406.exe 1700 hnbnhn.exe 2056 fllfxfx.exe 2092 btnthn.exe 2232 086666.exe 2236 9btbhn.exe 1920 rllflxf.exe 3016 7rrrrlr.exe 956 pjdjd.exe 2472 xxrrflr.exe 1064 64628.exe 908 o206408.exe 1512 8862880.exe 3060 c404426.exe 2260 4240880.exe 1540 k64022.exe 1624 2206846.exe 1740 lrxxlrl.exe 1448 bthnbh.exe 1600 vpdpd.exe 1444 jdpvj.exe 2152 604244.exe 1012 q26200.exe 480 bththh.exe 2828 1pddp.exe 2704 jdpjp.exe 2760 jpdpd.exe 2820 bhhbbt.exe 2356 5rlrfrx.exe 2608 866026.exe 2680 fxllxxx.exe 2636 7btbnt.exe 2252 w80066.exe 2276 4200606.exe 1092 3jddv.exe 884 ppppp.exe 2892 ppdvj.exe 2956 rfrllfl.exe 1296 68002.exe 2984 20466.exe 2004 tnbbhh.exe 2292 rrxxlfr.exe 2176 608400.exe 2112 hbbntb.exe 2028 vpjvp.exe 608 20228.exe 2644 82406.exe 1344 004022.exe 992 ffxflxf.exe 1864 vvddd.exe -
resource yara_rule behavioral1/memory/1728-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/524-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-241-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1448-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-884-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2800-909-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-910-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/524-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-949-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2904-974-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w42848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0484624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4468060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 804846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxflxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0424408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 1528 1728 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 30 PID 1728 wrote to memory of 1528 1728 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 30 PID 1728 wrote to memory of 1528 1728 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 30 PID 1728 wrote to memory of 1528 1728 18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe 30 PID 1528 wrote to memory of 2152 1528 tnnhnn.exe 31 PID 1528 wrote to memory of 2152 1528 tnnhnn.exe 31 PID 1528 wrote to memory of 2152 1528 tnnhnn.exe 31 PID 1528 wrote to memory of 2152 1528 tnnhnn.exe 31 PID 2152 wrote to memory of 1012 2152 20062.exe 32 PID 2152 wrote to memory of 1012 2152 20062.exe 32 PID 2152 wrote to memory of 1012 2152 20062.exe 32 PID 2152 wrote to memory of 1012 2152 20062.exe 32 PID 1012 wrote to memory of 2144 1012 vpjpp.exe 33 PID 1012 wrote to memory of 2144 1012 vpjpp.exe 33 PID 1012 wrote to memory of 2144 1012 vpjpp.exe 33 PID 1012 wrote to memory of 2144 1012 vpjpp.exe 33 PID 2144 wrote to memory of 2704 2144 u800884.exe 34 PID 2144 wrote to memory of 2704 2144 u800884.exe 34 PID 2144 wrote to memory of 2704 2144 u800884.exe 34 PID 2144 wrote to memory of 2704 2144 u800884.exe 34 PID 2704 wrote to memory of 3012 2704 btttnn.exe 35 PID 2704 wrote to memory of 3012 2704 btttnn.exe 35 PID 2704 wrote to memory of 3012 2704 btttnn.exe 35 PID 2704 wrote to memory of 3012 2704 btttnn.exe 35 PID 3012 wrote to memory of 524 3012 vjddp.exe 36 PID 3012 wrote to memory of 524 3012 vjddp.exe 36 PID 3012 wrote to memory of 524 3012 vjddp.exe 36 PID 3012 wrote to memory of 524 3012 vjddp.exe 36 PID 524 wrote to memory of 2692 524 c200446.exe 37 PID 524 wrote to memory of 2692 524 c200446.exe 37 PID 524 wrote to memory of 2692 524 c200446.exe 37 PID 524 wrote to memory of 2692 524 c200446.exe 37 PID 2692 wrote to memory of 2712 2692 0424408.exe 38 PID 2692 wrote to memory of 
2712 2692 0424408.exe 38 PID 2692 wrote to memory of 2712 2692 0424408.exe 38 PID 2692 wrote to memory of 2712 2692 0424408.exe 38 PID 2712 wrote to memory of 2668 2712 llfxflx.exe 39 PID 2712 wrote to memory of 2668 2712 llfxflx.exe 39 PID 2712 wrote to memory of 2668 2712 llfxflx.exe 39 PID 2712 wrote to memory of 2668 2712 llfxflx.exe 39 PID 2668 wrote to memory of 2276 2668 xxrxllx.exe 40 PID 2668 wrote to memory of 2276 2668 xxrxllx.exe 40 PID 2668 wrote to memory of 2276 2668 xxrxllx.exe 40 PID 2668 wrote to memory of 2276 2668 xxrxllx.exe 40 PID 2276 wrote to memory of 2780 2276 thbbhn.exe 41 PID 2276 wrote to memory of 2780 2276 thbbhn.exe 41 PID 2276 wrote to memory of 2780 2276 thbbhn.exe 41 PID 2276 wrote to memory of 2780 2276 thbbhn.exe 41 PID 2780 wrote to memory of 1672 2780 482088.exe 42 PID 2780 wrote to memory of 1672 2780 482088.exe 42 PID 2780 wrote to memory of 1672 2780 482088.exe 42 PID 2780 wrote to memory of 1672 2780 482088.exe 42 PID 1672 wrote to memory of 2368 1672 xfxrxfl.exe 43 PID 1672 wrote to memory of 2368 1672 xfxrxfl.exe 43 PID 1672 wrote to memory of 2368 1672 xfxrxfl.exe 43 PID 1672 wrote to memory of 2368 1672 xfxrxfl.exe 43 PID 2368 wrote to memory of 2664 2368 48468.exe 44 PID 2368 wrote to memory of 2664 2368 48468.exe 44 PID 2368 wrote to memory of 2664 2368 48468.exe 44 PID 2368 wrote to memory of 2664 2368 48468.exe 44 PID 2664 wrote to memory of 1700 2664 w48406.exe 45 PID 2664 wrote to memory of 1700 2664 w48406.exe 45 PID 2664 wrote to memory of 1700 2664 w48406.exe 45 PID 2664 wrote to memory of 1700 2664 w48406.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe"C:\Users\Admin\AppData\Local\Temp\18e4a02f7035b621266238709121c8e99e92924bdf1f5638d278a0a021643fd7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\tnnhnn.exec:\tnnhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\20062.exec:\20062.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\vpjpp.exec:\vpjpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\u800884.exec:\u800884.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\btttnn.exec:\btttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\vjddp.exec:\vjddp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\c200446.exec:\c200446.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\0424408.exec:\0424408.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\llfxflx.exec:\llfxflx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\xxrxllx.exec:\xxrxllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\thbbhn.exec:\thbbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\482088.exec:\482088.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\xfxrxfl.exec:\xfxrxfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\48468.exec:\48468.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\w48406.exec:\w48406.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\hnbnhn.exec:\hnbnhn.exe17⤵
- Executes dropped EXE
PID:1700 -
\??\c:\fllfxfx.exec:\fllfxfx.exe18⤵
- Executes dropped EXE
PID:2056 -
\??\c:\btnthn.exec:\btnthn.exe19⤵
- Executes dropped EXE
PID:2092 -
\??\c:\086666.exec:\086666.exe20⤵
- Executes dropped EXE
PID:2232 -
\??\c:\9btbhn.exec:\9btbhn.exe21⤵
- Executes dropped EXE
PID:2236 -
\??\c:\rllflxf.exec:\rllflxf.exe22⤵
- Executes dropped EXE
PID:1920 -
\??\c:\7rrrrlr.exec:\7rrrrlr.exe23⤵
- Executes dropped EXE
PID:3016 -
\??\c:\pjdjd.exec:\pjdjd.exe24⤵
- Executes dropped EXE
PID:956 -
\??\c:\xxrrflr.exec:\xxrrflr.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2472 -
\??\c:\64628.exec:\64628.exe26⤵
- Executes dropped EXE
PID:1064 -
\??\c:\o206408.exec:\o206408.exe27⤵
- Executes dropped EXE
PID:908 -
\??\c:\8862880.exec:\8862880.exe28⤵
- Executes dropped EXE
PID:1512 -
\??\c:\c404426.exec:\c404426.exe29⤵
- Executes dropped EXE
PID:3060 -
\??\c:\4240880.exec:\4240880.exe30⤵
- Executes dropped EXE
PID:2260 -
\??\c:\k64022.exec:\k64022.exe31⤵
- Executes dropped EXE
PID:1540 -
\??\c:\2206846.exec:\2206846.exe32⤵
- Executes dropped EXE
PID:1624 -
\??\c:\lrxxlrl.exec:\lrxxlrl.exe33⤵
- Executes dropped EXE
PID:1740 -
\??\c:\bthnbh.exec:\bthnbh.exe34⤵
- Executes dropped EXE
PID:1448 -
\??\c:\vpdpd.exec:\vpdpd.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\jdpvj.exec:\jdpvj.exe36⤵
- Executes dropped EXE
PID:1444 -
\??\c:\604244.exec:\604244.exe37⤵
- Executes dropped EXE
PID:2152 -
\??\c:\q26200.exec:\q26200.exe38⤵
- Executes dropped EXE
PID:1012 -
\??\c:\bththh.exec:\bththh.exe39⤵
- Executes dropped EXE
PID:480 -
\??\c:\1pddp.exec:\1pddp.exe40⤵
- Executes dropped EXE
PID:2828 -
\??\c:\jdpjp.exec:\jdpjp.exe41⤵
- Executes dropped EXE
PID:2704 -
\??\c:\jpdpd.exec:\jpdpd.exe42⤵
- Executes dropped EXE
PID:2760 -
\??\c:\bhhbbt.exec:\bhhbbt.exe43⤵
- Executes dropped EXE
PID:2820 -
\??\c:\5rlrfrx.exec:\5rlrfrx.exe44⤵
- Executes dropped EXE
PID:2356 -
\??\c:\866026.exec:\866026.exe45⤵
- Executes dropped EXE
PID:2608 -
\??\c:\fxllxxx.exec:\fxllxxx.exe46⤵
- Executes dropped EXE
PID:2680 -
\??\c:\7btbnt.exec:\7btbnt.exe47⤵
- Executes dropped EXE
PID:2636 -
\??\c:\w80066.exec:\w80066.exe48⤵
- Executes dropped EXE
PID:2252 -
\??\c:\4200606.exec:\4200606.exe49⤵
- Executes dropped EXE
PID:2276 -
\??\c:\3jddv.exec:\3jddv.exe50⤵
- Executes dropped EXE
PID:1092 -
\??\c:\ppppp.exec:\ppppp.exe51⤵
- Executes dropped EXE
PID:884 -
\??\c:\ppdvj.exec:\ppdvj.exe52⤵
- Executes dropped EXE
PID:2892 -
\??\c:\rfrllfl.exec:\rfrllfl.exe53⤵
- Executes dropped EXE
PID:2956 -
\??\c:\68002.exec:\68002.exe54⤵
- Executes dropped EXE
PID:1296 -
\??\c:\20466.exec:\20466.exe55⤵
- Executes dropped EXE
PID:2984 -
\??\c:\tnbbhh.exec:\tnbbhh.exe56⤵
- Executes dropped EXE
PID:2004 -
\??\c:\rrxxlfr.exec:\rrxxlfr.exe57⤵
- Executes dropped EXE
PID:2292 -
\??\c:\608400.exec:\608400.exe58⤵
- Executes dropped EXE
PID:2176 -
\??\c:\hbbntb.exec:\hbbntb.exe59⤵
- Executes dropped EXE
PID:2112 -
\??\c:\vpjvp.exec:\vpjvp.exe60⤵
- Executes dropped EXE
PID:2028 -
\??\c:\20228.exec:\20228.exe61⤵
- Executes dropped EXE
PID:608 -
\??\c:\82406.exec:\82406.exe62⤵
- Executes dropped EXE
PID:2644 -
\??\c:\004022.exec:\004022.exe63⤵
- Executes dropped EXE
PID:1344 -
\??\c:\ffxflxf.exec:\ffxflxf.exe64⤵
- Executes dropped EXE
PID:992 -
\??\c:\vvddd.exec:\vvddd.exe65⤵
- Executes dropped EXE
PID:1864 -
\??\c:\5dvdd.exec:\5dvdd.exe66⤵PID:1828
-
\??\c:\bnbttn.exec:\bnbttn.exe67⤵PID:1064
-
\??\c:\hbtthh.exec:\hbtthh.exe68⤵PID:556
-
\??\c:\680000.exec:\680000.exe69⤵PID:544
-
\??\c:\3httbh.exec:\3httbh.exe70⤵PID:824
-
\??\c:\8286268.exec:\8286268.exe71⤵PID:1924
-
\??\c:\fxrxrrr.exec:\fxrxrrr.exe72⤵PID:1860
-
\??\c:\2080668.exec:\2080668.exe73⤵PID:1868
-
\??\c:\804846.exec:\804846.exe74⤵
- System Location Discovery: System Language Discovery
PID:1504 -
\??\c:\080404.exec:\080404.exe75⤵PID:1732
-
\??\c:\rfllxxf.exec:\rfllxxf.exe76⤵PID:1592
-
\??\c:\q46266.exec:\q46266.exe77⤵PID:2684
-
\??\c:\s0868.exec:\s0868.exe78⤵PID:2540
-
\??\c:\dpdpv.exec:\dpdpv.exe79⤵PID:2836
-
\??\c:\260688.exec:\260688.exe80⤵PID:988
-
\??\c:\1dpdd.exec:\1dpdd.exe81⤵PID:2304
-
\??\c:\0800284.exec:\0800284.exe82⤵PID:2832
-
\??\c:\20880.exec:\20880.exe83⤵PID:2752
-
\??\c:\jdvdd.exec:\jdvdd.exe84⤵PID:2796
-
\??\c:\7xxxxrr.exec:\7xxxxrr.exe85⤵PID:3000
-
\??\c:\046262.exec:\046262.exe86⤵PID:2628
-
\??\c:\dpdpj.exec:\dpdpj.exe87⤵PID:2908
-
\??\c:\3xrlfxr.exec:\3xrlfxr.exe88⤵PID:2600
-
\??\c:\642282.exec:\642282.exe89⤵PID:1808
-
\??\c:\c206884.exec:\c206884.exe90⤵PID:1200
-
\??\c:\4802880.exec:\4802880.exe91⤵PID:2052
-
\??\c:\0428440.exec:\0428440.exe92⤵PID:2276
-
\??\c:\82286.exec:\82286.exe93⤵PID:2132
-
\??\c:\82668.exec:\82668.exe94⤵PID:1672
-
\??\c:\2088406.exec:\2088406.exe95⤵PID:2508
-
\??\c:\o644644.exec:\o644644.exe96⤵PID:2964
-
\??\c:\c202402.exec:\c202402.exe97⤵PID:1076
-
\??\c:\xrrflrf.exec:\xrrflrf.exe98⤵PID:1296
-
\??\c:\7djdp.exec:\7djdp.exe99⤵PID:1844
-
\??\c:\462604.exec:\462604.exe100⤵PID:2572
-
\??\c:\rllxlrf.exec:\rllxlrf.exe101⤵PID:2056
-
\??\c:\a6224.exec:\a6224.exe102⤵PID:2552
-
\??\c:\4868064.exec:\4868064.exe103⤵PID:2112
-
\??\c:\480066.exec:\480066.exe104⤵PID:1524
-
\??\c:\rrlrffx.exec:\rrlrffx.exe105⤵PID:3016
-
\??\c:\4244440.exec:\4244440.exe106⤵PID:1608
-
\??\c:\1vjdd.exec:\1vjdd.exe107⤵PID:844
-
\??\c:\q80000.exec:\q80000.exe108⤵PID:444
-
\??\c:\2842020.exec:\2842020.exe109⤵PID:1044
-
\??\c:\2088040.exec:\2088040.exe110⤵PID:1644
-
\??\c:\fxlrrrf.exec:\fxlrrrf.exe111⤵PID:1360
-
\??\c:\w64060.exec:\w64060.exe112⤵PID:1036
-
\??\c:\lxxfxff.exec:\lxxfxff.exe113⤵PID:936
-
\??\c:\028220.exec:\028220.exe114⤵PID:1620
-
\??\c:\640000.exec:\640000.exe115⤵PID:1152
-
\??\c:\1hbtbb.exec:\1hbtbb.exe116⤵PID:892
-
\??\c:\3nbbbb.exec:\3nbbbb.exe117⤵PID:880
-
\??\c:\nnnbnh.exec:\nnnbnh.exe118⤵PID:2480
-
\??\c:\822462.exec:\822462.exe119⤵PID:2264
-
\??\c:\86880.exec:\86880.exe120⤵PID:2300
-
\??\c:\3httbb.exec:\3httbb.exe121⤵PID:2360
-
\??\c:\nnbhnn.exec:\nnbhnn.exe122⤵PID:2568