Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 10:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cd18b89f15d09381d057f5f6eea546bc4e55bf5be0f7cbd389ccbbcd9908ed2f.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
cd18b89f15d09381d057f5f6eea546bc4e55bf5be0f7cbd389ccbbcd9908ed2f.exe
-
Size
454KB
-
MD5
6abd8c063831dcdc79203d5e12de4221
-
SHA1
23b9c356decc9114bec5118f93eca4f8cbb4dee5
-
SHA256
cd18b89f15d09381d057f5f6eea546bc4e55bf5be0f7cbd389ccbbcd9908ed2f
-
SHA512
7c95bc995ee3b3ef80f6e01bc629b37325e7a6ad610cd0864dc10eb8b53055fd71ff3d601f840e56c041cbc6e1a2aa50d679863bbc2d8e6c195aff489e29d3b1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 35 IoCs
resource yara_rule behavioral1/memory/1736-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1288-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/932-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-758-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2456-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-1265-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2184-1339-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1900 rrxrfll.exe 2312 6262402.exe 2452 002840.exe 2556 4480824.exe 2884 0040224.exe 1288 042866.exe 1260 w86244.exe 3040 9rrxflx.exe 2712 bhbnht.exe 2696 4822446.exe 2512 rrllxxx.exe 540 jjdvv.exe 1480 04440.exe 3004 lfrlrrf.exe 948 264280.exe 1772 60468.exe 2840 3pvdj.exe 1620 9lxrxff.exe 1680 pjvvd.exe 2252 bttbht.exe 2156 tthntb.exe 1340 nnbnhh.exe 2488 pjvjd.exe 1500 fxlrxxf.exe 2648 20420.exe 1908 608400.exe 892 6424284.exe 2236 642828.exe 2292 rrxflrf.exe 1668 ddddv.exe 728 fxxxrlf.exe 1608 2602640.exe 2280 608468.exe 1700 08646.exe 1588 ddvvd.exe 1776 5bnnnn.exe 1200 hbttbh.exe 2148 042846.exe 2756 7tbnbh.exe 2884 k66200.exe 2916 llxlffx.exe 2880 0866206.exe 2688 080262.exe 2720 2640846.exe 2736 nhhnbb.exe 2660 g0280.exe 1852 xrrflrf.exe 2420 bthnbb.exe 3004 xxlrlxx.exe 596 nthhbh.exe 2828 88620.exe 1676 460882.exe 3008 1xrfrxl.exe 2980 xxxfrxl.exe 1536 jdpvd.exe 2360 nhbhbn.exe 3056 7ttnhn.exe 2704 hbnnbh.exe 2676 vpdjv.exe 1296 fxxfxff.exe 696 bbbhht.exe 2648 vvdjd.exe 1932 7vvdp.exe 2028 3dppv.exe -
resource yara_rule behavioral1/memory/1736-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-19-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1900-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/932-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/728-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-945-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-982-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2304-1007-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-1092-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-1136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-1143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-1170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-1207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-1258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-1265-0x00000000001B0000-0x00000000001DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0866206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 660864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8202468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c824620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1736 wrote to memory of 1900 1736 cd18b89f15d09381d057f5f6eea546bc4e55bf5be0f7cbd389ccbbcd9908ed2f.exe 30 PID 1736 wrote to memory of 1900 1736 cd18b89f15d09381d057f5f6eea546bc4e55bf5be0f7cbd389ccbbcd9908ed2f.exe 30 PID 1736 wrote to memory of 1900 1736 cd18b89f15d09381d057f5f6eea546bc4e55bf5be0f7cbd389ccbbcd9908ed2f.exe 30 PID 1736 wrote to memory of 1900 1736 cd18b89f15d09381d057f5f6eea546bc4e55bf5be0f7cbd389ccbbcd9908ed2f.exe 30 PID 1900 wrote to memory of 2312 1900 rrxrfll.exe 31 PID 1900 wrote to memory of 2312 1900 rrxrfll.exe 31 PID 1900 wrote to memory of 2312 1900 rrxrfll.exe 31 PID 1900 wrote to memory of 2312 1900 rrxrfll.exe 31 PID 2312 wrote to memory of 2452 2312 6262402.exe 32 PID 2312 wrote to memory of 2452 2312 6262402.exe 32 PID 2312 wrote to memory of 2452 2312 6262402.exe 32 PID 2312 wrote to memory of 2452 2312 6262402.exe 32 PID 2452 wrote to memory of 2556 2452 002840.exe 33 PID 2452 wrote to memory of 2556 2452 002840.exe 33 PID 2452 wrote to memory of 2556 2452 002840.exe 33 PID 2452 wrote to memory of 2556 2452 002840.exe 33 PID 2556 wrote to memory of 2884 2556 4480824.exe 34 PID 2556 wrote to memory of 2884 2556 4480824.exe 34 PID 2556 wrote to memory of 2884 2556 4480824.exe 34 PID 2556 wrote to memory of 2884 2556 4480824.exe 34 PID 2884 wrote to memory of 1288 2884 0040224.exe 35 PID 2884 wrote to memory of 1288 2884 0040224.exe 35 PID 2884 wrote to memory of 1288 2884 0040224.exe 35 PID 2884 wrote to memory of 1288 2884 0040224.exe 35 PID 1288 wrote to memory of 1260 1288 042866.exe 36 PID 1288 wrote to memory of 1260 1288 042866.exe 36 PID 1288 wrote to memory of 1260 1288 042866.exe 36 PID 1288 wrote to memory of 1260 1288 042866.exe 36 PID 1260 wrote to memory of 3040 1260 w86244.exe 37 PID 1260 wrote to memory of 3040 1260 w86244.exe 37 PID 1260 wrote to memory of 3040 1260 w86244.exe 37 PID 1260 wrote to memory of 3040 1260 w86244.exe 37 PID 3040 wrote to memory of 2712 3040 9rrxflx.exe 
38 PID 3040 wrote to memory of 2712 3040 9rrxflx.exe 38 PID 3040 wrote to memory of 2712 3040 9rrxflx.exe 38 PID 3040 wrote to memory of 2712 3040 9rrxflx.exe 38 PID 2712 wrote to memory of 2696 2712 bhbnht.exe 39 PID 2712 wrote to memory of 2696 2712 bhbnht.exe 39 PID 2712 wrote to memory of 2696 2712 bhbnht.exe 39 PID 2712 wrote to memory of 2696 2712 bhbnht.exe 39 PID 2696 wrote to memory of 2512 2696 4822446.exe 40 PID 2696 wrote to memory of 2512 2696 4822446.exe 40 PID 2696 wrote to memory of 2512 2696 4822446.exe 40 PID 2696 wrote to memory of 2512 2696 4822446.exe 40 PID 2512 wrote to memory of 540 2512 rrllxxx.exe 41 PID 2512 wrote to memory of 540 2512 rrllxxx.exe 41 PID 2512 wrote to memory of 540 2512 rrllxxx.exe 41 PID 2512 wrote to memory of 540 2512 rrllxxx.exe 41 PID 540 wrote to memory of 1480 540 jjdvv.exe 42 PID 540 wrote to memory of 1480 540 jjdvv.exe 42 PID 540 wrote to memory of 1480 540 jjdvv.exe 42 PID 540 wrote to memory of 1480 540 jjdvv.exe 42 PID 1480 wrote to memory of 3004 1480 04440.exe 78 PID 1480 wrote to memory of 3004 1480 04440.exe 78 PID 1480 wrote to memory of 3004 1480 04440.exe 78 PID 1480 wrote to memory of 3004 1480 04440.exe 78 PID 3004 wrote to memory of 948 3004 lfrlrrf.exe 44 PID 3004 wrote to memory of 948 3004 lfrlrrf.exe 44 PID 3004 wrote to memory of 948 3004 lfrlrrf.exe 44 PID 3004 wrote to memory of 948 3004 lfrlrrf.exe 44 PID 948 wrote to memory of 1772 948 264280.exe 45 PID 948 wrote to memory of 1772 948 264280.exe 45 PID 948 wrote to memory of 1772 948 264280.exe 45 PID 948 wrote to memory of 1772 948 264280.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd18b89f15d09381d057f5f6eea546bc4e55bf5be0f7cbd389ccbbcd9908ed2f.exe"C:\Users\Admin\AppData\Local\Temp\cd18b89f15d09381d057f5f6eea546bc4e55bf5be0f7cbd389ccbbcd9908ed2f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\rrxrfll.exec:\rrxrfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\6262402.exec:\6262402.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\002840.exec:\002840.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\4480824.exec:\4480824.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\0040224.exec:\0040224.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\042866.exec:\042866.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\w86244.exec:\w86244.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\9rrxflx.exec:\9rrxflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\bhbnht.exec:\bhbnht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\4822446.exec:\4822446.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\rrllxxx.exec:\rrllxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\jjdvv.exec:\jjdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\04440.exec:\04440.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\lfrlrrf.exec:\lfrlrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\264280.exec:\264280.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\60468.exec:\60468.exe17⤵
- Executes dropped EXE
PID:1772 -
\??\c:\3pvdj.exec:\3pvdj.exe18⤵
- Executes dropped EXE
PID:2840 -
\??\c:\9lxrxff.exec:\9lxrxff.exe19⤵
- Executes dropped EXE
PID:1620 -
\??\c:\pjvvd.exec:\pjvvd.exe20⤵
- Executes dropped EXE
PID:1680 -
\??\c:\bttbht.exec:\bttbht.exe21⤵
- Executes dropped EXE
PID:2252 -
\??\c:\tthntb.exec:\tthntb.exe22⤵
- Executes dropped EXE
PID:2156 -
\??\c:\nnbnhh.exec:\nnbnhh.exe23⤵
- Executes dropped EXE
PID:1340 -
\??\c:\pjvjd.exec:\pjvjd.exe24⤵
- Executes dropped EXE
PID:2488 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe25⤵
- Executes dropped EXE
PID:1500 -
\??\c:\20420.exec:\20420.exe26⤵
- Executes dropped EXE
PID:2648 -
\??\c:\608400.exec:\608400.exe27⤵
- Executes dropped EXE
PID:1908 -
\??\c:\6424284.exec:\6424284.exe28⤵
- Executes dropped EXE
PID:892 -
\??\c:\642828.exec:\642828.exe29⤵
- Executes dropped EXE
PID:2236 -
\??\c:\rrxflrf.exec:\rrxflrf.exe30⤵
- Executes dropped EXE
PID:2292 -
\??\c:\ddddv.exec:\ddddv.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
\??\c:\fxxxrlf.exec:\fxxxrlf.exe32⤵
- Executes dropped EXE
PID:728 -
\??\c:\2602640.exec:\2602640.exe33⤵
- Executes dropped EXE
PID:1608 -
\??\c:\608468.exec:\608468.exe34⤵
- Executes dropped EXE
PID:2280 -
\??\c:\08646.exec:\08646.exe35⤵
- Executes dropped EXE
PID:1700 -
\??\c:\ddvvd.exec:\ddvvd.exe36⤵
- Executes dropped EXE
PID:1588 -
\??\c:\5bnnnn.exec:\5bnnnn.exe37⤵
- Executes dropped EXE
PID:1776 -
\??\c:\hbttbh.exec:\hbttbh.exe38⤵
- Executes dropped EXE
PID:1200 -
\??\c:\042846.exec:\042846.exe39⤵
- Executes dropped EXE
PID:2148 -
\??\c:\7tbnbh.exec:\7tbnbh.exe40⤵
- Executes dropped EXE
PID:2756 -
\??\c:\k66200.exec:\k66200.exe41⤵
- Executes dropped EXE
PID:2884 -
\??\c:\llxlffx.exec:\llxlffx.exe42⤵
- Executes dropped EXE
PID:2916 -
\??\c:\0866206.exec:\0866206.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
\??\c:\080262.exec:\080262.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\2640846.exec:\2640846.exe45⤵
- Executes dropped EXE
PID:2720 -
\??\c:\nhhnbb.exec:\nhhnbb.exe46⤵
- Executes dropped EXE
PID:2736 -
\??\c:\g0280.exec:\g0280.exe47⤵
- Executes dropped EXE
PID:2660 -
\??\c:\xrrflrf.exec:\xrrflrf.exe48⤵
- Executes dropped EXE
PID:1852 -
\??\c:\bthnbb.exec:\bthnbb.exe49⤵
- Executes dropped EXE
PID:2420 -
\??\c:\xxlrlxx.exec:\xxlrlxx.exe50⤵
- Executes dropped EXE
PID:3004 -
\??\c:\nthhbh.exec:\nthhbh.exe51⤵
- Executes dropped EXE
PID:596 -
\??\c:\88620.exec:\88620.exe52⤵
- Executes dropped EXE
PID:2828 -
\??\c:\460882.exec:\460882.exe53⤵
- Executes dropped EXE
PID:1676 -
\??\c:\1xrfrxl.exec:\1xrfrxl.exe54⤵
- Executes dropped EXE
PID:3008 -
\??\c:\xxxfrxl.exec:\xxxfrxl.exe55⤵
- Executes dropped EXE
PID:2980 -
\??\c:\jdpvd.exec:\jdpvd.exe56⤵
- Executes dropped EXE
PID:1536 -
\??\c:\nhbhbn.exec:\nhbhbn.exe57⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7ttnhn.exec:\7ttnhn.exe58⤵
- Executes dropped EXE
PID:3056 -
\??\c:\hbnnbh.exec:\hbnnbh.exe59⤵
- Executes dropped EXE
PID:2704 -
\??\c:\vpdjv.exec:\vpdjv.exe60⤵
- Executes dropped EXE
PID:2676 -
\??\c:\fxxfxff.exec:\fxxfxff.exe61⤵
- Executes dropped EXE
PID:1296 -
\??\c:\bbbhht.exec:\bbbhht.exe62⤵
- Executes dropped EXE
PID:696 -
\??\c:\vvdjd.exec:\vvdjd.exe63⤵
- Executes dropped EXE
PID:2648 -
\??\c:\7vvdp.exec:\7vvdp.exe64⤵
- Executes dropped EXE
PID:1932 -
\??\c:\3dppv.exec:\3dppv.exe65⤵
- Executes dropped EXE
PID:2028 -
\??\c:\9xrlrrx.exec:\9xrlrrx.exe66⤵PID:1972
-
\??\c:\26086.exec:\26086.exe67⤵PID:2056
-
\??\c:\60242.exec:\60242.exe68⤵PID:932
-
\??\c:\1nhbnn.exec:\1nhbnn.exe69⤵PID:2368
-
\??\c:\60402.exec:\60402.exe70⤵PID:2584
-
\??\c:\nbtbhh.exec:\nbtbhh.exe71⤵PID:1944
-
\??\c:\ddvvd.exec:\ddvvd.exe72⤵PID:1252
-
\??\c:\jddvj.exec:\jddvj.exe73⤵PID:2180
-
\??\c:\08620.exec:\08620.exe74⤵PID:1724
-
\??\c:\ffxlrxl.exec:\ffxlrxl.exe75⤵PID:2372
-
\??\c:\2640840.exec:\2640840.exe76⤵PID:1900
-
\??\c:\9rfrlxl.exec:\9rfrlxl.exe77⤵PID:2320
-
\??\c:\1jddj.exec:\1jddj.exe78⤵PID:2552
-
\??\c:\vvpjv.exec:\vvpjv.exe79⤵PID:308
-
\??\c:\4468680.exec:\4468680.exe80⤵PID:2452
-
\??\c:\0480624.exec:\0480624.exe81⤵PID:2340
-
\??\c:\2642668.exec:\2642668.exe82⤵PID:2796
-
\??\c:\tnthtb.exec:\tnthtb.exe83⤵PID:2824
-
\??\c:\2644804.exec:\2644804.exe84⤵PID:2880
-
\??\c:\48686.exec:\48686.exe85⤵PID:2768
-
\??\c:\jdvdj.exec:\jdvdj.exe86⤵PID:2272
-
\??\c:\llxxllx.exec:\llxxllx.exe87⤵PID:2696
-
\??\c:\4800680.exec:\4800680.exe88⤵PID:2804
-
\??\c:\w86424.exec:\w86424.exe89⤵PID:1920
-
\??\c:\rlffrxl.exec:\rlffrxl.exe90⤵PID:888
-
\??\c:\u806628.exec:\u806628.exe91⤵PID:2664
-
\??\c:\o268004.exec:\o268004.exe92⤵PID:2412
-
\??\c:\442800.exec:\442800.exe93⤵PID:616
-
\??\c:\a6440.exec:\a6440.exe94⤵PID:320
-
\??\c:\2628062.exec:\2628062.exe95⤵PID:784
-
\??\c:\1tthth.exec:\1tthth.exe96⤵PID:552
-
\??\c:\5vppd.exec:\5vppd.exe97⤵PID:1676
-
\??\c:\66024.exec:\66024.exe98⤵PID:2560
-
\??\c:\046262.exec:\046262.exe99⤵PID:2980
-
\??\c:\664020.exec:\664020.exe100⤵PID:1440
-
\??\c:\nhtthh.exec:\nhtthh.exe101⤵PID:1152
-
\??\c:\ntnhbb.exec:\ntnhbb.exe102⤵PID:2160
-
\??\c:\6062008.exec:\6062008.exe103⤵PID:2704
-
\??\c:\dpjvv.exec:\dpjvv.exe104⤵PID:2680
-
\??\c:\vvpvj.exec:\vvpvj.exe105⤵PID:1704
-
\??\c:\nhhnbn.exec:\nhhnbn.exe106⤵PID:1272
-
\??\c:\xlrflff.exec:\xlrflff.exe107⤵PID:1908
-
\??\c:\3vpvp.exec:\3vpvp.exe108⤵PID:2644
-
\??\c:\vvjvp.exec:\vvjvp.exe109⤵PID:2996
-
\??\c:\0424626.exec:\0424626.exe110⤵PID:2268
-
\??\c:\o860286.exec:\o860286.exe111⤵PID:1084
-
\??\c:\88628.exec:\88628.exe112⤵PID:1936
-
\??\c:\82686.exec:\82686.exe113⤵PID:728
-
\??\c:\4484620.exec:\4484620.exe114⤵PID:1184
-
\??\c:\008680.exec:\008680.exe115⤵PID:1948
-
\??\c:\xxlxffr.exec:\xxlxffr.exe116⤵PID:1736
-
\??\c:\4800628.exec:\4800628.exe117⤵PID:1588
-
\??\c:\a2002.exec:\a2002.exe118⤵PID:2456
-
\??\c:\bttbnn.exec:\bttbnn.exe119⤵PID:2536
-
\??\c:\bbtbnt.exec:\bbtbnt.exe120⤵PID:2040
-
\??\c:\9flxlrr.exec:\9flxlrr.exe121⤵PID:2492
-
\??\c:\266480.exec:\266480.exe122⤵PID:2800
-