Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 23:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5462efbc34050eb79f20937efa64b21ba14737dbff058cc5dcf298c1b6a2bd78.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
5462efbc34050eb79f20937efa64b21ba14737dbff058cc5dcf298c1b6a2bd78.exe
-
Size
454KB
-
MD5
9b57a1717d278b37820b7f49941b7f85
-
SHA1
48483f11211dcce237a83a25c88ccefd3a234d82
-
SHA256
5462efbc34050eb79f20937efa64b21ba14737dbff058cc5dcf298c1b6a2bd78
-
SHA512
5dada7d503999b4a737e99cdcf8cb6247f1e8624456e86f28b18cd342535cf89d50bb020bf276847dbf690d608d31d1625c7a0e8fdd05b886c43eca640d1446c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/784-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-60-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-137-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1136-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/924-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1104-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/560-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1012-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-357-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2680-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1184-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1136-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1336-751-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1036-1011-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/568-1063-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2388-1082-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-1114-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2128-1140-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2128-1159-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2668-1186-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2656-1189-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2612-1228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-1277-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1788 nbbtbb.exe 1588 i800426.exe 2280 26402.exe 1604 24846.exe 2800 u844224.exe 2768 7rlrxxf.exe 2760 7bnttb.exe 1668 vpjpd.exe 2544 9rrrxrx.exe 2664 tnbbhh.exe 2168 26068.exe 572 rrrxxxl.exe 1948 7vdjj.exe 2836 608806.exe 1500 7nbbnt.exe 1136 9htnhh.exe 2940 rxxfxfl.exe 2164 4828064.exe 2456 s0446.exe 3040 26002.exe 1144 5rflrfl.exe 2004 lfrxflr.exe 712 q20084.exe 1756 i208022.exe 924 3bhhhn.exe 1560 lfrrxfr.exe 1104 hthbbb.exe 2996 xlrrxxx.exe 560 e80804.exe 1284 pdjpp.exe 1012 5rfllfl.exe 1272 o466662.exe 784 vddjv.exe 1620 xlxxxfl.exe 2440 nbnthb.exe 2628 rrflrrr.exe 2636 lxllrlx.exe 2652 u240228.exe 2796 3tbttn.exe 2828 806226.exe 2272 046220.exe 2888 26828.exe 2896 5ntttn.exe 2568 4288444.exe 2680 08628.exe 3052 46666.exe 292 4244006.exe 992 hthhhn.exe 2056 3dvvd.exe 1184 7bnbhb.exe 2868 jjdpj.exe 1692 4884022.exe 1648 xlrlrll.exe 2020 c084680.exe 1136 9rflrxr.exe 2084 jjvdj.exe 2228 lxrrrll.exe 2248 a6442.exe 1252 k86600.exe 3040 hntttn.exe 1044 jdjjd.exe 1628 tnhhnh.exe 1664 a8284.exe 1740 dpvpp.exe -
resource yara_rule behavioral1/memory/784-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/924-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/560-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2828-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-699-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1916-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1336-751-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1592-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-801-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-821-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2844-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-919-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1036-1011-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1536-1018-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-1082-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-1168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-1200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-1214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-1228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-1309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-1316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-1323-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0822440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k40060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8028440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlfxff.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 784 wrote to memory of 1788 784 5462efbc34050eb79f20937efa64b21ba14737dbff058cc5dcf298c1b6a2bd78.exe 31 PID 784 wrote to memory of 1788 784 5462efbc34050eb79f20937efa64b21ba14737dbff058cc5dcf298c1b6a2bd78.exe 31 PID 784 wrote to memory of 1788 784 5462efbc34050eb79f20937efa64b21ba14737dbff058cc5dcf298c1b6a2bd78.exe 31 PID 784 wrote to memory of 1788 784 5462efbc34050eb79f20937efa64b21ba14737dbff058cc5dcf298c1b6a2bd78.exe 31 PID 1788 wrote to memory of 1588 1788 nbbtbb.exe 32 PID 1788 wrote to memory of 1588 1788 nbbtbb.exe 32 PID 1788 wrote to memory of 1588 1788 nbbtbb.exe 32 PID 1788 wrote to memory of 1588 1788 nbbtbb.exe 32 PID 1588 wrote to memory of 2280 1588 i800426.exe 33 PID 1588 wrote to memory of 2280 1588 i800426.exe 33 PID 1588 wrote to memory of 2280 1588 i800426.exe 33 PID 1588 wrote to memory of 2280 1588 i800426.exe 33 PID 2280 wrote to memory of 1604 2280 26402.exe 34 PID 2280 wrote to memory of 1604 2280 26402.exe 34 PID 2280 wrote to memory of 1604 2280 26402.exe 34 PID 2280 wrote to memory of 1604 2280 26402.exe 34 PID 1604 wrote to memory of 2800 1604 24846.exe 35 PID 1604 wrote to memory of 2800 1604 24846.exe 35 PID 1604 wrote to memory of 2800 1604 24846.exe 35 PID 1604 wrote to memory of 2800 1604 24846.exe 35 PID 2800 wrote to memory of 2768 2800 u844224.exe 36 PID 2800 wrote to memory of 2768 2800 u844224.exe 36 PID 2800 wrote to memory of 2768 2800 u844224.exe 36 PID 2800 wrote to memory of 2768 2800 u844224.exe 36 PID 2768 wrote to memory of 2760 2768 7rlrxxf.exe 37 PID 2768 wrote to memory of 2760 2768 7rlrxxf.exe 37 PID 2768 wrote to memory of 2760 2768 7rlrxxf.exe 37 PID 2768 wrote to memory of 2760 2768 7rlrxxf.exe 37 PID 2760 wrote to memory of 1668 2760 7bnttb.exe 38 PID 2760 wrote to memory of 1668 2760 7bnttb.exe 38 PID 2760 wrote to memory of 1668 2760 7bnttb.exe 38 PID 2760 wrote to memory of 1668 2760 7bnttb.exe 38 PID 1668 wrote to memory of 2544 1668 vpjpd.exe 39 PID 1668 wrote to 
memory of 2544 1668 vpjpd.exe 39 PID 1668 wrote to memory of 2544 1668 vpjpd.exe 39 PID 1668 wrote to memory of 2544 1668 vpjpd.exe 39 PID 2544 wrote to memory of 2664 2544 9rrrxrx.exe 40 PID 2544 wrote to memory of 2664 2544 9rrrxrx.exe 40 PID 2544 wrote to memory of 2664 2544 9rrrxrx.exe 40 PID 2544 wrote to memory of 2664 2544 9rrrxrx.exe 40 PID 2664 wrote to memory of 2168 2664 tnbbhh.exe 41 PID 2664 wrote to memory of 2168 2664 tnbbhh.exe 41 PID 2664 wrote to memory of 2168 2664 tnbbhh.exe 41 PID 2664 wrote to memory of 2168 2664 tnbbhh.exe 41 PID 2168 wrote to memory of 572 2168 26068.exe 42 PID 2168 wrote to memory of 572 2168 26068.exe 42 PID 2168 wrote to memory of 572 2168 26068.exe 42 PID 2168 wrote to memory of 572 2168 26068.exe 42 PID 572 wrote to memory of 1948 572 rrrxxxl.exe 43 PID 572 wrote to memory of 1948 572 rrrxxxl.exe 43 PID 572 wrote to memory of 1948 572 rrrxxxl.exe 43 PID 572 wrote to memory of 1948 572 rrrxxxl.exe 43 PID 1948 wrote to memory of 2836 1948 7vdjj.exe 44 PID 1948 wrote to memory of 2836 1948 7vdjj.exe 44 PID 1948 wrote to memory of 2836 1948 7vdjj.exe 44 PID 1948 wrote to memory of 2836 1948 7vdjj.exe 44 PID 2836 wrote to memory of 1500 2836 608806.exe 45 PID 2836 wrote to memory of 1500 2836 608806.exe 45 PID 2836 wrote to memory of 1500 2836 608806.exe 45 PID 2836 wrote to memory of 1500 2836 608806.exe 45 PID 1500 wrote to memory of 1136 1500 7nbbnt.exe 46 PID 1500 wrote to memory of 1136 1500 7nbbnt.exe 46 PID 1500 wrote to memory of 1136 1500 7nbbnt.exe 46 PID 1500 wrote to memory of 1136 1500 7nbbnt.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\5462efbc34050eb79f20937efa64b21ba14737dbff058cc5dcf298c1b6a2bd78.exe"C:\Users\Admin\AppData\Local\Temp\5462efbc34050eb79f20937efa64b21ba14737dbff058cc5dcf298c1b6a2bd78.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\nbbtbb.exec:\nbbtbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\i800426.exec:\i800426.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\26402.exec:\26402.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\24846.exec:\24846.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\u844224.exec:\u844224.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\7rlrxxf.exec:\7rlrxxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\7bnttb.exec:\7bnttb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\vpjpd.exec:\vpjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\9rrrxrx.exec:\9rrrxrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\tnbbhh.exec:\tnbbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\26068.exec:\26068.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\rrrxxxl.exec:\rrrxxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\7vdjj.exec:\7vdjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\608806.exec:\608806.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\7nbbnt.exec:\7nbbnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\9htnhh.exec:\9htnhh.exe17⤵
- Executes dropped EXE
PID:1136 -
\??\c:\rxxfxfl.exec:\rxxfxfl.exe18⤵
- Executes dropped EXE
PID:2940 -
\??\c:\4828064.exec:\4828064.exe19⤵
- Executes dropped EXE
PID:2164 -
\??\c:\s0446.exec:\s0446.exe20⤵
- Executes dropped EXE
PID:2456 -
\??\c:\26002.exec:\26002.exe21⤵
- Executes dropped EXE
PID:3040 -
\??\c:\5rflrfl.exec:\5rflrfl.exe22⤵
- Executes dropped EXE
PID:1144 -
\??\c:\lfrxflr.exec:\lfrxflr.exe23⤵
- Executes dropped EXE
PID:2004 -
\??\c:\q20084.exec:\q20084.exe24⤵
- Executes dropped EXE
PID:712 -
\??\c:\i208022.exec:\i208022.exe25⤵
- Executes dropped EXE
PID:1756 -
\??\c:\3bhhhn.exec:\3bhhhn.exe26⤵
- Executes dropped EXE
PID:924 -
\??\c:\lfrrxfr.exec:\lfrrxfr.exe27⤵
- Executes dropped EXE
PID:1560 -
\??\c:\hthbbb.exec:\hthbbb.exe28⤵
- Executes dropped EXE
PID:1104 -
\??\c:\xlrrxxx.exec:\xlrrxxx.exe29⤵
- Executes dropped EXE
PID:2996 -
\??\c:\e80804.exec:\e80804.exe30⤵
- Executes dropped EXE
PID:560 -
\??\c:\pdjpp.exec:\pdjpp.exe31⤵
- Executes dropped EXE
PID:1284 -
\??\c:\5rfllfl.exec:\5rfllfl.exe32⤵
- Executes dropped EXE
PID:1012 -
\??\c:\o466662.exec:\o466662.exe33⤵
- Executes dropped EXE
PID:1272 -
\??\c:\vddjv.exec:\vddjv.exe34⤵
- Executes dropped EXE
PID:784 -
\??\c:\xlxxxfl.exec:\xlxxxfl.exe35⤵
- Executes dropped EXE
PID:1620 -
\??\c:\nbnthb.exec:\nbnthb.exe36⤵
- Executes dropped EXE
PID:2440 -
\??\c:\rrflrrr.exec:\rrflrrr.exe37⤵
- Executes dropped EXE
PID:2628 -
\??\c:\lxllrlx.exec:\lxllrlx.exe38⤵
- Executes dropped EXE
PID:2636 -
\??\c:\u240228.exec:\u240228.exe39⤵
- Executes dropped EXE
PID:2652 -
\??\c:\3tbttn.exec:\3tbttn.exe40⤵
- Executes dropped EXE
PID:2796 -
\??\c:\806226.exec:\806226.exe41⤵
- Executes dropped EXE
PID:2828 -
\??\c:\046220.exec:\046220.exe42⤵
- Executes dropped EXE
PID:2272 -
\??\c:\26828.exec:\26828.exe43⤵
- Executes dropped EXE
PID:2888 -
\??\c:\5ntttn.exec:\5ntttn.exe44⤵
- Executes dropped EXE
PID:2896 -
\??\c:\4288444.exec:\4288444.exe45⤵
- Executes dropped EXE
PID:2568 -
\??\c:\08628.exec:\08628.exe46⤵
- Executes dropped EXE
PID:2680 -
\??\c:\46666.exec:\46666.exe47⤵
- Executes dropped EXE
PID:3052 -
\??\c:\4244006.exec:\4244006.exe48⤵
- Executes dropped EXE
PID:292 -
\??\c:\hthhhn.exec:\hthhhn.exe49⤵
- Executes dropped EXE
PID:992 -
\??\c:\3dvvd.exec:\3dvvd.exe50⤵
- Executes dropped EXE
PID:2056 -
\??\c:\7bnbhb.exec:\7bnbhb.exe51⤵
- Executes dropped EXE
PID:1184 -
\??\c:\jjdpj.exec:\jjdpj.exe52⤵
- Executes dropped EXE
PID:2868 -
\??\c:\4884022.exec:\4884022.exe53⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xlrlrll.exec:\xlrlrll.exe54⤵
- Executes dropped EXE
PID:1648 -
\??\c:\c084680.exec:\c084680.exe55⤵
- Executes dropped EXE
PID:2020 -
\??\c:\9rflrxr.exec:\9rflrxr.exe56⤵
- Executes dropped EXE
PID:1136 -
\??\c:\jjvdj.exec:\jjvdj.exe57⤵
- Executes dropped EXE
PID:2084 -
\??\c:\lxrrrll.exec:\lxrrrll.exe58⤵
- Executes dropped EXE
PID:2228 -
\??\c:\a6442.exec:\a6442.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2248 -
\??\c:\k86600.exec:\k86600.exe60⤵
- Executes dropped EXE
PID:1252 -
\??\c:\hntttn.exec:\hntttn.exe61⤵
- Executes dropped EXE
PID:3040 -
\??\c:\jdjjd.exec:\jdjjd.exe62⤵
- Executes dropped EXE
PID:1044 -
\??\c:\tnhhnh.exec:\tnhhnh.exe63⤵
- Executes dropped EXE
PID:1628 -
\??\c:\a8284.exec:\a8284.exe64⤵
- Executes dropped EXE
PID:1664 -
\??\c:\dpvpp.exec:\dpvpp.exe65⤵
- Executes dropped EXE
PID:1740 -
\??\c:\1xlrfxl.exec:\1xlrfxl.exe66⤵PID:2504
-
\??\c:\jdppv.exec:\jdppv.exe67⤵PID:1984
-
\??\c:\thnntt.exec:\thnntt.exe68⤵PID:1804
-
\??\c:\lflrrrr.exec:\lflrrrr.exe69⤵PID:1544
-
\??\c:\0082200.exec:\0082200.exe70⤵PID:2432
-
\??\c:\20668.exec:\20668.exe71⤵PID:2240
-
\??\c:\9rxlfxx.exec:\9rxlfxx.exe72⤵PID:1988
-
\??\c:\lrxrrlx.exec:\lrxrrlx.exe73⤵PID:2060
-
\??\c:\7htnnh.exec:\7htnnh.exe74⤵PID:2448
-
\??\c:\dpdvv.exec:\dpdvv.exe75⤵PID:2472
-
\??\c:\xlxxxlr.exec:\xlxxxlr.exe76⤵PID:2328
-
\??\c:\3vpvv.exec:\3vpvv.exe77⤵PID:2348
-
\??\c:\u244488.exec:\u244488.exe78⤵PID:1788
-
\??\c:\424460.exec:\424460.exe79⤵PID:1712
-
\??\c:\bnnbtb.exec:\bnnbtb.exe80⤵PID:2416
-
\??\c:\jdjdj.exec:\jdjdj.exe81⤵PID:3060
-
\??\c:\82400.exec:\82400.exe82⤵PID:2288
-
\??\c:\864662.exec:\864662.exe83⤵PID:2804
-
\??\c:\3ddjp.exec:\3ddjp.exe84⤵PID:2156
-
\??\c:\pvjvp.exec:\pvjvp.exe85⤵PID:2748
-
\??\c:\426288.exec:\426288.exe86⤵PID:2844
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe87⤵PID:2600
-
\??\c:\bbthtt.exec:\bbthtt.exe88⤵PID:2856
-
\??\c:\868444.exec:\868444.exe89⤵PID:2544
-
\??\c:\64228.exec:\64228.exe90⤵PID:2944
-
\??\c:\vpdjp.exec:\vpdjp.exe91⤵PID:1064
-
\??\c:\jvjjj.exec:\jvjjj.exe92⤵PID:2360
-
\??\c:\u484624.exec:\u484624.exe93⤵PID:1216
-
\??\c:\802848.exec:\802848.exe94⤵PID:1948
-
\??\c:\nhtbnb.exec:\nhtbnb.exe95⤵PID:1432
-
\??\c:\868466.exec:\868466.exe96⤵PID:2912
-
\??\c:\ntbbbt.exec:\ntbbbt.exe97⤵PID:1916
-
\??\c:\1hhhnn.exec:\1hhhnn.exe98⤵PID:3032
-
\??\c:\1xlrflx.exec:\1xlrflx.exe99⤵PID:3036
-
\??\c:\80222.exec:\80222.exe100⤵PID:2224
-
\??\c:\86442.exec:\86442.exe101⤵PID:2336
-
\??\c:\llrfrxr.exec:\llrfrxr.exe102⤵PID:2148
-
\??\c:\080022.exec:\080022.exe103⤵PID:1936
-
\??\c:\1jvvd.exec:\1jvvd.exe104⤵PID:1336
-
\??\c:\a8028.exec:\a8028.exe105⤵PID:2152
-
\??\c:\64666.exec:\64666.exe106⤵PID:1592
-
\??\c:\ntnbbh.exec:\ntnbbh.exe107⤵PID:2052
-
\??\c:\jjdjv.exec:\jjdjv.exe108⤵PID:1752
-
\??\c:\9rfllrx.exec:\9rfllrx.exe109⤵PID:924
-
\??\c:\3hbtbt.exec:\3hbtbt.exe110⤵PID:1348
-
\??\c:\8684228.exec:\8684228.exe111⤵PID:2212
-
\??\c:\88880.exec:\88880.exe112⤵PID:1804
-
\??\c:\vjvpd.exec:\vjvpd.exe113⤵PID:1572
-
\??\c:\9vjdd.exec:\9vjdd.exe114⤵PID:3024
-
\??\c:\8684006.exec:\8684006.exe115⤵PID:820
-
\??\c:\6844444.exec:\6844444.exe116⤵PID:1324
-
\??\c:\djjvd.exec:\djjvd.exe117⤵PID:1800
-
\??\c:\6664828.exec:\6664828.exe118⤵PID:1488
-
\??\c:\hntttt.exec:\hntttt.exe119⤵PID:2624
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe120⤵PID:1616
-
\??\c:\824022.exec:\824022.exe121⤵PID:2016
-
\??\c:\420088.exec:\420088.exe122⤵PID:2096