Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
20-01-2025 09:20
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
a65e5f1ada127a5bd40c2ba3c85396d4878c4119162f1fdd2a0f487ea1b1027e.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
a65e5f1ada127a5bd40c2ba3c85396d4878c4119162f1fdd2a0f487ea1b1027e.exe
-
Size
455KB
-
MD5
d634f15c810361e699f883875d16df0d
-
SHA1
5afc23eb4f9bcedbbb3b293a0785ce6782d4d7b3
-
SHA256
a65e5f1ada127a5bd40c2ba3c85396d4878c4119162f1fdd2a0f487ea1b1027e
-
SHA512
66e58f9da21bb069e1410dfb2d7818e5a3641015b67a1aad7b5c2a2aff05974d8806372154b70d32580f6960ede68a4121fc29dc811f6a82b7b848c5f2557250
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1c:q7Tc2NYHUrAwfMp3CD1c
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs — each IoC below is a memory dump of one process (PID-offset-range) on which the `family_blackmoon` YARA rule matched. Almost every hit is the same 0x00400000–0x0042A000 image range across successive dropped executables, consistent with each stage being a copy of the same unpacked binary; the later hits at 0x003A0000/0x005C0000/0x00220000 are separate heap/data regions in those processes. A second rule, `upx`, fires on the same ranges (list further below), so the Blackmoon detection is on the in-memory unpacked image, not on the packed file on disk.
resource yara_rule behavioral1/memory/2016-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/288-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/292-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1500-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1400-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-809-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2252-815-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2428-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-902-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1608-1015-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-1066-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2292-1247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/344-1328-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — note that the sandbox caps this list at 64 entries while the process tree below reaches a depth of 122, so the list is a prefix, not the full set of dropped binaries. Several PIDs appear twice with different image names (for example 2428 as 4244880.exe and later xxfflfr.exe, 2864 as bbtnbb.exe and 3vjpp.exe, 872 as 60280.exe and u860640.exe); this is PID reuse after the earlier process exited, so PID alone must not be used to correlate events across the run.
pid Process 2168 024404.exe 1500 vvjjp.exe 2092 w86688.exe 2536 088460.exe 2832 u468406.exe 3044 9tttbb.exe 2952 228622.exe 3000 nbttbt.exe 2836 6444662.exe 2700 9nbtbb.exe 2428 4244880.exe 2864 bbtnbb.exe 872 60280.exe 812 26244.exe 288 0204006.exe 2124 rxxlfrl.exe 380 tnttbb.exe 1048 dpvvv.exe 1280 bbbtbb.exe 292 868466.exe 2900 08028.exe 1696 rlxrxlx.exe 3028 42406.exe 2464 08022.exe 1784 24624.exe 1776 i468002.exe 2244 64626.exe 2240 0840268.exe 1648 k02806.exe 2188 3httbh.exe 1516 7rxfrxf.exe 2108 pjddj.exe 1584 jvddv.exe 1612 5btttt.exe 1488 204640.exe 2332 68008.exe 3056 7pdvp.exe 2980 22062.exe 2968 9hntth.exe 2480 2688828.exe 2880 xlfxffl.exe 2308 o244040.exe 1996 vpddp.exe 2740 u442686.exe 2428 xxfflfr.exe 2724 lfxfxfr.exe 2864 3vjpp.exe 872 u860640.exe 1400 48662.exe 2024 ttnntt.exe 2088 g2002.exe 2596 42442.exe 2080 hhbhbb.exe 1804 1frrffr.exe 2020 9rrxfff.exe 1236 g2884.exe 324 9nbnnh.exe 2128 lfxflll.exe 1696 m6064.exe 3028 9rrxllx.exe 2924 8860284.exe 2292 860022.exe 2672 hthhhh.exe 1028 080022.exe -
resource yara_rule behavioral1/memory/2016-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-26-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2168-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-855-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-892-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2360-893-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-902-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1248-939-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/496-946-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-1015-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-1035-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/932-1140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-1159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-1178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-1185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-1247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-1335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-1342-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language). Most entries below are attributed to "Process not Found": the short-lived dropped stages had already exited before the sandbox resolved the PID, so the per-process attribution of this behaviour is incomplete and only a handful of the stages are named.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k26240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u262446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4824680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0406222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each parent→child hop is logged four times, and the 64-entry cap means only the first sixteen hops of the chain (2016 → 2168 … 812 → 288 → 2124) are shown; the process tree below continues well beyond that. In this run the writes line up one-to-one with the parent/child relationships in the tree, i.e. they are consistent with process creation by each stage rather than injection into an unrelated process. One entry records 2700 (9nbtbb.exe) writing to target 2428 with procid_target 74 while its neighbours are sequential (39, 41); this looks like the PID-reuse artefact noted above rather than a distinct target — treat it as unconfirmed.
description pid Process procid_target PID 2016 wrote to memory of 2168 2016 a65e5f1ada127a5bd40c2ba3c85396d4878c4119162f1fdd2a0f487ea1b1027e.exe 30 PID 2016 wrote to memory of 2168 2016 a65e5f1ada127a5bd40c2ba3c85396d4878c4119162f1fdd2a0f487ea1b1027e.exe 30 PID 2016 wrote to memory of 2168 2016 a65e5f1ada127a5bd40c2ba3c85396d4878c4119162f1fdd2a0f487ea1b1027e.exe 30 PID 2016 wrote to memory of 2168 2016 a65e5f1ada127a5bd40c2ba3c85396d4878c4119162f1fdd2a0f487ea1b1027e.exe 30 PID 2168 wrote to memory of 1500 2168 024404.exe 31 PID 2168 wrote to memory of 1500 2168 024404.exe 31 PID 2168 wrote to memory of 1500 2168 024404.exe 31 PID 2168 wrote to memory of 1500 2168 024404.exe 31 PID 1500 wrote to memory of 2092 1500 vvjjp.exe 32 PID 1500 wrote to memory of 2092 1500 vvjjp.exe 32 PID 1500 wrote to memory of 2092 1500 vvjjp.exe 32 PID 1500 wrote to memory of 2092 1500 vvjjp.exe 32 PID 2092 wrote to memory of 2536 2092 w86688.exe 33 PID 2092 wrote to memory of 2536 2092 w86688.exe 33 PID 2092 wrote to memory of 2536 2092 w86688.exe 33 PID 2092 wrote to memory of 2536 2092 w86688.exe 33 PID 2536 wrote to memory of 2832 2536 088460.exe 34 PID 2536 wrote to memory of 2832 2536 088460.exe 34 PID 2536 wrote to memory of 2832 2536 088460.exe 34 PID 2536 wrote to memory of 2832 2536 088460.exe 34 PID 2832 wrote to memory of 3044 2832 u468406.exe 35 PID 2832 wrote to memory of 3044 2832 u468406.exe 35 PID 2832 wrote to memory of 3044 2832 u468406.exe 35 PID 2832 wrote to memory of 3044 2832 u468406.exe 35 PID 3044 wrote to memory of 2952 3044 9tttbb.exe 36 PID 3044 wrote to memory of 2952 3044 9tttbb.exe 36 PID 3044 wrote to memory of 2952 3044 9tttbb.exe 36 PID 3044 wrote to memory of 2952 3044 9tttbb.exe 36 PID 2952 wrote to memory of 3000 2952 228622.exe 37 PID 2952 wrote to memory of 3000 2952 228622.exe 37 PID 2952 wrote to memory of 3000 2952 228622.exe 37 PID 2952 wrote to memory of 3000 2952 228622.exe 37 PID 3000 wrote to memory of 2836 3000 nbttbt.exe 38 PID 3000 
wrote to memory of 2836 3000 nbttbt.exe 38 PID 3000 wrote to memory of 2836 3000 nbttbt.exe 38 PID 3000 wrote to memory of 2836 3000 nbttbt.exe 38 PID 2836 wrote to memory of 2700 2836 6444662.exe 39 PID 2836 wrote to memory of 2700 2836 6444662.exe 39 PID 2836 wrote to memory of 2700 2836 6444662.exe 39 PID 2836 wrote to memory of 2700 2836 6444662.exe 39 PID 2700 wrote to memory of 2428 2700 9nbtbb.exe 74 PID 2700 wrote to memory of 2428 2700 9nbtbb.exe 74 PID 2700 wrote to memory of 2428 2700 9nbtbb.exe 74 PID 2700 wrote to memory of 2428 2700 9nbtbb.exe 74 PID 2428 wrote to memory of 2864 2428 4244880.exe 41 PID 2428 wrote to memory of 2864 2428 4244880.exe 41 PID 2428 wrote to memory of 2864 2428 4244880.exe 41 PID 2428 wrote to memory of 2864 2428 4244880.exe 41 PID 2864 wrote to memory of 872 2864 bbtnbb.exe 42 PID 2864 wrote to memory of 872 2864 bbtnbb.exe 42 PID 2864 wrote to memory of 872 2864 bbtnbb.exe 42 PID 2864 wrote to memory of 872 2864 bbtnbb.exe 42 PID 872 wrote to memory of 812 872 60280.exe 43 PID 872 wrote to memory of 812 872 60280.exe 43 PID 872 wrote to memory of 812 872 60280.exe 43 PID 872 wrote to memory of 812 872 60280.exe 43 PID 812 wrote to memory of 288 812 26244.exe 44 PID 812 wrote to memory of 288 812 26244.exe 44 PID 812 wrote to memory of 288 812 26244.exe 44 PID 812 wrote to memory of 288 812 26244.exe 44 PID 288 wrote to memory of 2124 288 0204006.exe 45 PID 288 wrote to memory of 2124 288 0204006.exe 45 PID 288 wrote to memory of 2124 288 0204006.exe 45 PID 288 wrote to memory of 2124 288 0204006.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a65e5f1ada127a5bd40c2ba3c85396d4878c4119162f1fdd2a0f487ea1b1027e.exe"C:\Users\Admin\AppData\Local\Temp\a65e5f1ada127a5bd40c2ba3c85396d4878c4119162f1fdd2a0f487ea1b1027e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\024404.exec:\024404.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\vvjjp.exec:\vvjjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\w86688.exec:\w86688.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\088460.exec:\088460.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\u468406.exec:\u468406.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\9tttbb.exec:\9tttbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\228622.exec:\228622.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\nbttbt.exec:\nbttbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\6444662.exec:\6444662.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\9nbtbb.exec:\9nbtbb.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\4244880.exec:\4244880.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\bbtnbb.exec:\bbtnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\60280.exec:\60280.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\26244.exec:\26244.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\0204006.exec:\0204006.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:288 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe17⤵
- Executes dropped EXE
PID:2124 -
\??\c:\tnttbb.exec:\tnttbb.exe18⤵
- Executes dropped EXE
PID:380 -
\??\c:\dpvvv.exec:\dpvvv.exe19⤵
- Executes dropped EXE
PID:1048 -
\??\c:\bbbtbb.exec:\bbbtbb.exe20⤵
- Executes dropped EXE
PID:1280 -
\??\c:\868466.exec:\868466.exe21⤵
- Executes dropped EXE
PID:292 -
\??\c:\08028.exec:\08028.exe22⤵
- Executes dropped EXE
PID:2900 -
\??\c:\rlxrxlx.exec:\rlxrxlx.exe23⤵
- Executes dropped EXE
PID:1696 -
\??\c:\42406.exec:\42406.exe24⤵
- Executes dropped EXE
PID:3028 -
\??\c:\08022.exec:\08022.exe25⤵
- Executes dropped EXE
PID:2464 -
\??\c:\24624.exec:\24624.exe26⤵
- Executes dropped EXE
PID:1784 -
\??\c:\i468002.exec:\i468002.exe27⤵
- Executes dropped EXE
PID:1776 -
\??\c:\64626.exec:\64626.exe28⤵
- Executes dropped EXE
PID:2244 -
\??\c:\0840268.exec:\0840268.exe29⤵
- Executes dropped EXE
PID:2240 -
\??\c:\k02806.exec:\k02806.exe30⤵
- Executes dropped EXE
PID:1648 -
\??\c:\3httbh.exec:\3httbh.exe31⤵
- Executes dropped EXE
PID:2188 -
\??\c:\7rxfrxf.exec:\7rxfrxf.exe32⤵
- Executes dropped EXE
PID:1516 -
\??\c:\pjddj.exec:\pjddj.exe33⤵
- Executes dropped EXE
PID:2108 -
\??\c:\jvddv.exec:\jvddv.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\5btttt.exec:\5btttt.exe35⤵
- Executes dropped EXE
PID:1612 -
\??\c:\204640.exec:\204640.exe36⤵
- Executes dropped EXE
PID:1488 -
\??\c:\68008.exec:\68008.exe37⤵
- Executes dropped EXE
PID:2332 -
\??\c:\7pdvp.exec:\7pdvp.exe38⤵
- Executes dropped EXE
PID:3056 -
\??\c:\22062.exec:\22062.exe39⤵
- Executes dropped EXE
PID:2980 -
\??\c:\9hntth.exec:\9hntth.exe40⤵
- Executes dropped EXE
PID:2968 -
\??\c:\2688828.exec:\2688828.exe41⤵
- Executes dropped EXE
PID:2480 -
\??\c:\xlfxffl.exec:\xlfxffl.exe42⤵
- Executes dropped EXE
PID:2880 -
\??\c:\o244040.exec:\o244040.exe43⤵
- Executes dropped EXE
PID:2308 -
\??\c:\vpddp.exec:\vpddp.exe44⤵
- Executes dropped EXE
PID:1996 -
\??\c:\u442686.exec:\u442686.exe45⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xxfflfr.exec:\xxfflfr.exe46⤵
- Executes dropped EXE
PID:2428 -
\??\c:\lfxfxfr.exec:\lfxfxfr.exe47⤵
- Executes dropped EXE
PID:2724 -
\??\c:\3vjpp.exec:\3vjpp.exe48⤵
- Executes dropped EXE
PID:2864 -
\??\c:\u860640.exec:\u860640.exe49⤵
- Executes dropped EXE
PID:872 -
\??\c:\48662.exec:\48662.exe50⤵
- Executes dropped EXE
PID:1400 -
\??\c:\ttnntt.exec:\ttnntt.exe51⤵
- Executes dropped EXE
PID:2024 -
\??\c:\g2002.exec:\g2002.exe52⤵
- Executes dropped EXE
PID:2088 -
\??\c:\42442.exec:\42442.exe53⤵
- Executes dropped EXE
PID:2596 -
\??\c:\hhbhbb.exec:\hhbhbb.exe54⤵
- Executes dropped EXE
PID:2080 -
\??\c:\1frrffr.exec:\1frrffr.exe55⤵
- Executes dropped EXE
PID:1804 -
\??\c:\9rrxfff.exec:\9rrxfff.exe56⤵
- Executes dropped EXE
PID:2020 -
\??\c:\g2884.exec:\g2884.exe57⤵
- Executes dropped EXE
PID:1236 -
\??\c:\9nbnnh.exec:\9nbnnh.exe58⤵
- Executes dropped EXE
PID:324 -
\??\c:\lfxflll.exec:\lfxflll.exe59⤵
- Executes dropped EXE
PID:2128 -
\??\c:\m6064.exec:\m6064.exe60⤵
- Executes dropped EXE
PID:1696 -
\??\c:\9rrxllx.exec:\9rrxllx.exe61⤵
- Executes dropped EXE
PID:3028 -
\??\c:\8860284.exec:\8860284.exe62⤵
- Executes dropped EXE
PID:2924 -
\??\c:\860022.exec:\860022.exe63⤵
- Executes dropped EXE
PID:2292 -
\??\c:\hthhhh.exec:\hthhhh.exe64⤵
- Executes dropped EXE
PID:2672 -
\??\c:\080022.exec:\080022.exe65⤵
- Executes dropped EXE
PID:1028 -
\??\c:\608028.exec:\608028.exe66⤵PID:2244
-
\??\c:\k48460.exec:\k48460.exe67⤵PID:3068
-
\??\c:\lfrlrxr.exec:\lfrlrxr.exe68⤵PID:1700
-
\??\c:\7rffllr.exec:\7rffllr.exe69⤵PID:2160
-
\??\c:\0806268.exec:\0806268.exe70⤵PID:880
-
\??\c:\8866266.exec:\8866266.exe71⤵PID:1516
-
\??\c:\dpvvv.exec:\dpvvv.exe72⤵PID:1616
-
\??\c:\226408.exec:\226408.exe73⤵PID:1492
-
\??\c:\7frxrlf.exec:\7frxrlf.exe74⤵PID:1620
-
\??\c:\nbnnth.exec:\nbnnth.exe75⤵PID:1488
-
\??\c:\jdpvd.exec:\jdpvd.exe76⤵PID:2312
-
\??\c:\nbnthn.exec:\nbnthn.exe77⤵PID:1796
-
\??\c:\xxrrfrx.exec:\xxrrfrx.exe78⤵PID:2496
-
\??\c:\5bbbnn.exec:\5bbbnn.exe79⤵PID:2972
-
\??\c:\dpjvj.exec:\dpjvj.exe80⤵PID:3040
-
\??\c:\24240.exec:\24240.exe81⤵PID:2560
-
\??\c:\u868442.exec:\u868442.exe82⤵PID:2824
-
\??\c:\tnbntt.exec:\tnbntt.exe83⤵PID:2892
-
\??\c:\o002660.exec:\o002660.exe84⤵PID:2612
-
\??\c:\hhbbnn.exec:\hhbbnn.exe85⤵PID:2988
-
\??\c:\1pddj.exec:\1pddj.exe86⤵PID:2708
-
\??\c:\0602288.exec:\0602288.exe87⤵PID:2700
-
\??\c:\lxfffxf.exec:\lxfffxf.exe88⤵PID:2984
-
\??\c:\608046.exec:\608046.exe89⤵PID:1432
-
\??\c:\lfxflfr.exec:\lfxflfr.exe90⤵PID:1092
-
\??\c:\xfxfrxr.exec:\xfxfrxr.exe91⤵PID:2656
-
\??\c:\7bnbnn.exec:\7bnbnn.exe92⤵PID:1664
-
\??\c:\0488000.exec:\0488000.exe93⤵PID:1400
-
\??\c:\bthttn.exec:\bthttn.exe94⤵PID:2384
-
\??\c:\84242.exec:\84242.exe95⤵PID:1156
-
\??\c:\btbnbt.exec:\btbnbt.exe96⤵PID:1244
-
\??\c:\a2028.exec:\a2028.exe97⤵PID:1900
-
\??\c:\6466284.exec:\6466284.exe98⤵PID:1672
-
\??\c:\frfffll.exec:\frfffll.exe99⤵PID:2020
-
\??\c:\xlffrrx.exec:\xlffrrx.exe100⤵PID:2592
-
\??\c:\824486.exec:\824486.exe101⤵PID:292
-
\??\c:\pdjdj.exec:\pdjdj.exe102⤵PID:1836
-
\??\c:\6040224.exec:\6040224.exe103⤵PID:3004
-
\??\c:\28820.exec:\28820.exe104⤵PID:3020
-
\??\c:\c044286.exec:\c044286.exe105⤵PID:1044
-
\??\c:\lxrfxfr.exec:\lxrfxfr.exe106⤵PID:676
-
\??\c:\0848204.exec:\0848204.exe107⤵PID:2672
-
\??\c:\60242.exec:\60242.exe108⤵PID:1036
-
\??\c:\2220488.exec:\2220488.exe109⤵PID:2172
-
\??\c:\djvjd.exec:\djvjd.exe110⤵PID:3068
-
\??\c:\5bntbn.exec:\5bntbn.exe111⤵PID:2104
-
\??\c:\o868064.exec:\o868064.exe112⤵PID:880
-
\??\c:\o268624.exec:\o268624.exe113⤵PID:2628
-
\??\c:\0462880.exec:\0462880.exe114⤵PID:1612
-
\??\c:\pjppv.exec:\pjppv.exe115⤵PID:1492
-
\??\c:\2680668.exec:\2680668.exe116⤵PID:2168
-
\??\c:\tnbbnn.exec:\tnbbnn.exe117⤵PID:2252
-
\??\c:\tnhhtt.exec:\tnhhtt.exe118⤵PID:3064
-
\??\c:\02820.exec:\02820.exe119⤵PID:2536
-
\??\c:\nhbbhn.exec:\nhbbhn.exe120⤵PID:2524
-
\??\c:\i084668.exec:\i084668.exe121⤵PID:2816
-
\??\c:\4844668.exec:\4844668.exe122⤵PID:2696
-