Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
11-01-2025 06:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e5e7cc4b959ef512125b41a057ffdb940613236b1766094f0fa1ec61714b289bN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e5e7cc4b959ef512125b41a057ffdb940613236b1766094f0fa1ec61714b289bN.exe
-
Size
454KB
-
MD5
fefc45d097dda0a4afd8ac48f977ea30
-
SHA1
39ba2a0bc81893a034e7671ed6a3f7742c6bb888
-
SHA256
e5e7cc4b959ef512125b41a057ffdb940613236b1766094f0fa1ec61714b289b
-
SHA512
bd0a1a28d6c86a61b8d739edd0ec63d8096b99d4001dd65ea3ab9abeb5f32b6c012fe8431386b7f52ff91b12f9b501bf36b0ed04b7b9b620686d11d4e4cec9e3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2320-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-44-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/2752-62-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2752-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-97-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1248-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1136-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/868-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2520-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-333-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2800-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-341-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-567-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2348-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/928-782-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/928-784-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2388-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-845-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2800-895-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/1988-1086-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-1093-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1956-1112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-1229-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2360-1242-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2184 fxrfllx.exe 1976 ttttnn.exe 2780 9ttbth.exe 596 5jvvj.exe 2808 5nbthh.exe 2752 btbhhb.exe 2844 8686600.exe 2708 fxllxxl.exe 2540 frflxxf.exe 1248 ntnttt.exe 2360 rxllfff.exe 2368 c260284.exe 1948 3ntttt.exe 2532 9hnnnn.exe 1824 04286.exe 1136 64668.exe 2940 btnntb.exe 2640 2046666.exe 1816 jjppj.exe 968 60666.exe 868 w64460.exe 1536 86222.exe 1740 pdppp.exe 912 26406.exe 944 g2644.exe 1992 4082622.exe 2520 264022.exe 2992 0848884.exe 1060 6644488.exe 2304 1rfrlfl.exe 1828 s8224.exe 316 64044.exe 1608 xlxrxrr.exe 2352 vdpjp.exe 2440 jdpjp.exe 1820 hbnbhh.exe 2128 c422824.exe 2784 w80244.exe 2800 42280.exe 2824 rlxlflr.exe 2768 7dpvp.exe 2888 6808802.exe 2896 pjvjp.exe 2820 4800600.exe 2608 86882.exe 3052 7jvvp.exe 292 vjvvj.exe 2100 04284.exe 1964 5rfflff.exe 2368 088400.exe 1656 66222.exe 2604 jpjjp.exe 2612 0862440.exe 1244 9vddd.exe 852 fxrlllr.exe 2720 2426266.exe 2164 20240.exe 2512 jvjjp.exe 3040 460044.exe 448 nbttbt.exe 2152 80824.exe 872 lrllrrr.exe 2180 i804444.exe 1756 4244662.exe -
resource yara_rule behavioral1/memory/2320-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-373-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3052-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-838-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-876-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2884-939-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-1086-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-1112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-1161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-1261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-1280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-1287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-1342-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 682468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4082622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6466602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6644488.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2320 wrote to memory of 2184 2320 e5e7cc4b959ef512125b41a057ffdb940613236b1766094f0fa1ec61714b289bN.exe 31 PID 2320 wrote to memory of 2184 2320 e5e7cc4b959ef512125b41a057ffdb940613236b1766094f0fa1ec61714b289bN.exe 31 PID 2320 wrote to memory of 2184 2320 e5e7cc4b959ef512125b41a057ffdb940613236b1766094f0fa1ec61714b289bN.exe 31 PID 2320 wrote to memory of 2184 2320 e5e7cc4b959ef512125b41a057ffdb940613236b1766094f0fa1ec61714b289bN.exe 31 PID 2184 wrote to memory of 1976 2184 fxrfllx.exe 32 PID 2184 wrote to memory of 1976 2184 fxrfllx.exe 32 PID 2184 wrote to memory of 1976 2184 fxrfllx.exe 32 PID 2184 wrote to memory of 1976 2184 fxrfllx.exe 32 PID 1976 wrote to memory of 2780 1976 ttttnn.exe 33 PID 1976 wrote to memory of 2780 1976 ttttnn.exe 33 PID 1976 wrote to memory of 2780 1976 ttttnn.exe 33 PID 1976 wrote to memory of 2780 1976 ttttnn.exe 33 PID 2780 wrote to memory of 596 2780 9ttbth.exe 34 PID 2780 wrote to memory of 596 2780 9ttbth.exe 34 PID 2780 wrote to memory of 596 2780 9ttbth.exe 34 PID 2780 wrote to memory of 596 2780 9ttbth.exe 34 PID 596 wrote to memory of 2808 596 5jvvj.exe 35 PID 596 wrote to memory of 2808 596 5jvvj.exe 35 PID 596 wrote to memory of 2808 596 5jvvj.exe 35 PID 596 wrote to memory of 2808 596 5jvvj.exe 35 PID 2808 wrote to memory of 2752 2808 5nbthh.exe 36 PID 2808 wrote to memory of 2752 2808 5nbthh.exe 36 PID 2808 wrote to memory of 2752 2808 5nbthh.exe 36 PID 2808 wrote to memory of 2752 2808 5nbthh.exe 36 PID 2752 wrote to memory of 2844 2752 btbhhb.exe 37 PID 2752 wrote to memory of 2844 2752 btbhhb.exe 37 PID 2752 wrote to memory of 2844 2752 btbhhb.exe 37 PID 2752 wrote to memory of 2844 2752 btbhhb.exe 37 PID 2844 wrote to memory of 2708 2844 8686600.exe 38 PID 2844 wrote to memory of 2708 2844 8686600.exe 38 PID 2844 wrote to memory of 2708 2844 8686600.exe 38 PID 2844 wrote to memory of 2708 2844 8686600.exe 38 PID 2708 wrote to memory of 2540 2708 fxllxxl.exe 39 PID 2708 wrote 
to memory of 2540 2708 fxllxxl.exe 39 PID 2708 wrote to memory of 2540 2708 fxllxxl.exe 39 PID 2708 wrote to memory of 2540 2708 fxllxxl.exe 39 PID 2540 wrote to memory of 1248 2540 frflxxf.exe 40 PID 2540 wrote to memory of 1248 2540 frflxxf.exe 40 PID 2540 wrote to memory of 1248 2540 frflxxf.exe 40 PID 2540 wrote to memory of 1248 2540 frflxxf.exe 40 PID 1248 wrote to memory of 2360 1248 ntnttt.exe 41 PID 1248 wrote to memory of 2360 1248 ntnttt.exe 41 PID 1248 wrote to memory of 2360 1248 ntnttt.exe 41 PID 1248 wrote to memory of 2360 1248 ntnttt.exe 41 PID 2360 wrote to memory of 2368 2360 rxllfff.exe 42 PID 2360 wrote to memory of 2368 2360 rxllfff.exe 42 PID 2360 wrote to memory of 2368 2360 rxllfff.exe 42 PID 2360 wrote to memory of 2368 2360 rxllfff.exe 42 PID 2368 wrote to memory of 1948 2368 c260284.exe 43 PID 2368 wrote to memory of 1948 2368 c260284.exe 43 PID 2368 wrote to memory of 1948 2368 c260284.exe 43 PID 2368 wrote to memory of 1948 2368 c260284.exe 43 PID 1948 wrote to memory of 2532 1948 3ntttt.exe 44 PID 1948 wrote to memory of 2532 1948 3ntttt.exe 44 PID 1948 wrote to memory of 2532 1948 3ntttt.exe 44 PID 1948 wrote to memory of 2532 1948 3ntttt.exe 44 PID 2532 wrote to memory of 1824 2532 9hnnnn.exe 45 PID 2532 wrote to memory of 1824 2532 9hnnnn.exe 45 PID 2532 wrote to memory of 1824 2532 9hnnnn.exe 45 PID 2532 wrote to memory of 1824 2532 9hnnnn.exe 45 PID 1824 wrote to memory of 1136 1824 04286.exe 46 PID 1824 wrote to memory of 1136 1824 04286.exe 46 PID 1824 wrote to memory of 1136 1824 04286.exe 46 PID 1824 wrote to memory of 1136 1824 04286.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5e7cc4b959ef512125b41a057ffdb940613236b1766094f0fa1ec61714b289bN.exe"C:\Users\Admin\AppData\Local\Temp\e5e7cc4b959ef512125b41a057ffdb940613236b1766094f0fa1ec61714b289bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\fxrfllx.exec:\fxrfllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\ttttnn.exec:\ttttnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\9ttbth.exec:\9ttbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\5jvvj.exec:\5jvvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:596 -
\??\c:\5nbthh.exec:\5nbthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\btbhhb.exec:\btbhhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\8686600.exec:\8686600.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\fxllxxl.exec:\fxllxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\frflxxf.exec:\frflxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\ntnttt.exec:\ntnttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\rxllfff.exec:\rxllfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\c260284.exec:\c260284.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\3ntttt.exec:\3ntttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\9hnnnn.exec:\9hnnnn.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\04286.exec:\04286.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\64668.exec:\64668.exe17⤵
- Executes dropped EXE
PID:1136 -
\??\c:\btnntb.exec:\btnntb.exe18⤵
- Executes dropped EXE
PID:2940 -
\??\c:\2046666.exec:\2046666.exe19⤵
- Executes dropped EXE
PID:2640 -
\??\c:\jjppj.exec:\jjppj.exe20⤵
- Executes dropped EXE
PID:1816 -
\??\c:\60666.exec:\60666.exe21⤵
- Executes dropped EXE
PID:968 -
\??\c:\w64460.exec:\w64460.exe22⤵
- Executes dropped EXE
PID:868 -
\??\c:\86222.exec:\86222.exe23⤵
- Executes dropped EXE
PID:1536 -
\??\c:\pdppp.exec:\pdppp.exe24⤵
- Executes dropped EXE
PID:1740 -
\??\c:\26406.exec:\26406.exe25⤵
- Executes dropped EXE
PID:912 -
\??\c:\g2644.exec:\g2644.exe26⤵
- Executes dropped EXE
PID:944 -
\??\c:\4082622.exec:\4082622.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1992 -
\??\c:\264022.exec:\264022.exe28⤵
- Executes dropped EXE
PID:2520 -
\??\c:\0848884.exec:\0848884.exe29⤵
- Executes dropped EXE
PID:2992 -
\??\c:\6644488.exec:\6644488.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1060 -
\??\c:\1rfrlfl.exec:\1rfrlfl.exe31⤵
- Executes dropped EXE
PID:2304 -
\??\c:\s8224.exec:\s8224.exe32⤵
- Executes dropped EXE
PID:1828 -
\??\c:\64044.exec:\64044.exe33⤵
- Executes dropped EXE
PID:316 -
\??\c:\xlxrxrr.exec:\xlxrxrr.exe34⤵
- Executes dropped EXE
PID:1608 -
\??\c:\vdpjp.exec:\vdpjp.exe35⤵
- Executes dropped EXE
PID:2352 -
\??\c:\jdpjp.exec:\jdpjp.exe36⤵
- Executes dropped EXE
PID:2440 -
\??\c:\hbnbhh.exec:\hbnbhh.exe37⤵
- Executes dropped EXE
PID:1820 -
\??\c:\c422824.exec:\c422824.exe38⤵
- Executes dropped EXE
PID:2128 -
\??\c:\w80244.exec:\w80244.exe39⤵
- Executes dropped EXE
PID:2784 -
\??\c:\42280.exec:\42280.exe40⤵
- Executes dropped EXE
PID:2800 -
\??\c:\rlxlflr.exec:\rlxlflr.exe41⤵
- Executes dropped EXE
PID:2824 -
\??\c:\7dpvp.exec:\7dpvp.exe42⤵
- Executes dropped EXE
PID:2768 -
\??\c:\6808802.exec:\6808802.exe43⤵
- Executes dropped EXE
PID:2888 -
\??\c:\pjvjp.exec:\pjvjp.exe44⤵
- Executes dropped EXE
PID:2896 -
\??\c:\4800600.exec:\4800600.exe45⤵
- Executes dropped EXE
PID:2820 -
\??\c:\86882.exec:\86882.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2608 -
\??\c:\7jvvp.exec:\7jvvp.exe47⤵
- Executes dropped EXE
PID:3052 -
\??\c:\vjvvj.exec:\vjvvj.exe48⤵
- Executes dropped EXE
PID:292 -
\??\c:\04284.exec:\04284.exe49⤵
- Executes dropped EXE
PID:2100 -
\??\c:\5rfflff.exec:\5rfflff.exe50⤵
- Executes dropped EXE
PID:1964 -
\??\c:\088400.exec:\088400.exe51⤵
- Executes dropped EXE
PID:2368 -
\??\c:\66222.exec:\66222.exe52⤵
- Executes dropped EXE
PID:1656 -
\??\c:\jpjjp.exec:\jpjjp.exe53⤵
- Executes dropped EXE
PID:2604 -
\??\c:\0862440.exec:\0862440.exe54⤵
- Executes dropped EXE
PID:2612 -
\??\c:\9vddd.exec:\9vddd.exe55⤵
- Executes dropped EXE
PID:1244 -
\??\c:\fxrlllr.exec:\fxrlllr.exe56⤵
- Executes dropped EXE
PID:852 -
\??\c:\2426266.exec:\2426266.exe57⤵
- Executes dropped EXE
PID:2720 -
\??\c:\20240.exec:\20240.exe58⤵
- Executes dropped EXE
PID:2164 -
\??\c:\jvjjp.exec:\jvjjp.exe59⤵
- Executes dropped EXE
PID:2512 -
\??\c:\460044.exec:\460044.exe60⤵
- Executes dropped EXE
PID:3040 -
\??\c:\nbttbt.exec:\nbttbt.exe61⤵
- Executes dropped EXE
PID:448 -
\??\c:\80824.exec:\80824.exe62⤵
- Executes dropped EXE
PID:2152 -
\??\c:\lrllrrr.exec:\lrllrrr.exe63⤵
- Executes dropped EXE
PID:872 -
\??\c:\i804444.exec:\i804444.exe64⤵
- Executes dropped EXE
PID:2180 -
\??\c:\4244662.exec:\4244662.exe65⤵
- Executes dropped EXE
PID:1756 -
\??\c:\tnhbhb.exec:\tnhbhb.exe66⤵PID:2216
-
\??\c:\pvdjj.exec:\pvdjj.exe67⤵PID:912
-
\??\c:\o422828.exec:\o422828.exe68⤵PID:1352
-
\??\c:\1lllrrx.exec:\1lllrrx.exe69⤵PID:2212
-
\??\c:\9flffff.exec:\9flffff.exe70⤵PID:1152
-
\??\c:\ttntbb.exec:\ttntbb.exe71⤵PID:560
-
\??\c:\w64688.exec:\w64688.exe72⤵PID:2992
-
\??\c:\m8288.exec:\m8288.exe73⤵PID:2188
-
\??\c:\fxlllll.exec:\fxlllll.exe74⤵PID:1056
-
\??\c:\e64404.exec:\e64404.exe75⤵PID:896
-
\??\c:\pppvd.exec:\pppvd.exe76⤵PID:2348
-
\??\c:\htthbb.exec:\htthbb.exe77⤵PID:1616
-
\??\c:\xfrrxxf.exec:\xfrrxxf.exe78⤵PID:1612
-
\??\c:\246288.exec:\246288.exe79⤵PID:2184
-
\??\c:\1dvvd.exec:\1dvvd.exe80⤵PID:2440
-
\??\c:\7tbnnh.exec:\7tbnnh.exe81⤵PID:3060
-
\??\c:\pdvpj.exec:\pdvpj.exe82⤵PID:2652
-
\??\c:\frlllfr.exec:\frlllfr.exe83⤵PID:2684
-
\??\c:\e62862.exec:\e62862.exe84⤵PID:2156
-
\??\c:\1pjpp.exec:\1pjpp.exe85⤵
- System Location Discovery: System Language Discovery
PID:2676 -
\??\c:\pvdvv.exec:\pvdvv.exe86⤵PID:2568
-
\??\c:\g2446.exec:\g2446.exe87⤵PID:2712
-
\??\c:\5rxxflf.exec:\5rxxflf.exe88⤵PID:2560
-
\??\c:\vpvdj.exec:\vpvdj.exe89⤵PID:2620
-
\??\c:\9fxxxff.exec:\9fxxxff.exe90⤵PID:3048
-
\??\c:\q22468.exec:\q22468.exe91⤵PID:2644
-
\??\c:\w82840.exec:\w82840.exe92⤵PID:2852
-
\??\c:\86404.exec:\86404.exe93⤵PID:2064
-
\??\c:\xlxxlfr.exec:\xlxxlfr.exe94⤵PID:2724
-
\??\c:\7lrffxf.exec:\7lrffxf.exe95⤵PID:2836
-
\??\c:\hbhntt.exec:\hbhntt.exe96⤵PID:1184
-
\??\c:\ttbhbh.exec:\ttbhbh.exe97⤵PID:1464
-
\??\c:\bbtbnt.exec:\bbtbnt.exe98⤵PID:1460
-
\??\c:\04620.exec:\04620.exe99⤵PID:1244
-
\??\c:\2062888.exec:\2062888.exe100⤵PID:852
-
\??\c:\lrflrrl.exec:\lrflrrl.exe101⤵PID:2932
-
\??\c:\2428006.exec:\2428006.exe102⤵PID:2640
-
\??\c:\1tbhnt.exec:\1tbhnt.exe103⤵PID:2424
-
\??\c:\604406.exec:\604406.exe104⤵PID:2456
-
\??\c:\260666.exec:\260666.exe105⤵PID:408
-
\??\c:\dddvj.exec:\dddvj.exe106⤵
- System Location Discovery: System Language Discovery
PID:1400 -
\??\c:\26684.exec:\26684.exe107⤵PID:1720
-
\??\c:\4828062.exec:\4828062.exe108⤵PID:2124
-
\??\c:\82068.exec:\82068.exe109⤵PID:928
-
\??\c:\xxxrfrl.exec:\xxxrfrl.exe110⤵PID:1516
-
\??\c:\1xlrrxl.exec:\1xlrrxl.exe111⤵PID:2976
-
\??\c:\602288.exec:\602288.exe112⤵PID:892
-
\??\c:\5hnnnh.exec:\5hnnnh.exe113⤵PID:1572
-
\??\c:\llfrffl.exec:\llfrffl.exe114⤵PID:3020
-
\??\c:\202226.exec:\202226.exe115⤵PID:2388
-
\??\c:\2206846.exec:\2206846.exe116⤵PID:1060
-
\??\c:\i862040.exec:\i862040.exe117⤵PID:2188
-
\??\c:\w44028.exec:\w44028.exe118⤵PID:2988
-
\??\c:\428222.exec:\428222.exe119⤵PID:1288
-
\??\c:\9fffllr.exec:\9fffllr.exe120⤵PID:2460
-
\??\c:\8642262.exec:\8642262.exe121⤵PID:2488
-
\??\c:\6466602.exec:\6466602.exe122⤵
- System Location Discovery: System Language Discovery
PID:2464