Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 00:56
Behavioral task
behavioral1
Sample
9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe
-
Size
331KB
-
MD5
78514fa2e07ac6b487807e4757409701
-
SHA1
87efb991759d3e145d054e7c96ebb799b405d13e
-
SHA256
9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2
-
SHA512
76ca9393cb7aa096ccbd2c255080cbe717123299ce25023c4e33034d6fde1115dbdfa0e7ac9b1686b80cda238a1e4633550528cf2447172615e47833466ede0c
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7t+:94wFHoStJdSjylh2b77BoTMA9gX59sTW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1844-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/752-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1244-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2640-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3748-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2752-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1796-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1172-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2100-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/544-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3552-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3716-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4888-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4288-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3756-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/640-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1708-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1132-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2992-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1016-526-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-537-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2760-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4224-571-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-1006-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3540 86486.exe 3560 rlrlrlx.exe 212 6048228.exe 3692 flrlffx.exe 3916 66828.exe 2744 tbhhbt.exe 4736 vjppv.exe 3988 w02226.exe 640 8022622.exe 2140 0602648.exe 3428 nhnhbt.exe 4488 4046820.exe 3048 068622.exe 1048 9dvpj.exe 4728 7rxrxrx.exe 752 jddvj.exe 1244 u020448.exe 2640 htnthb.exe 3416 8664826.exe 3748 602206.exe 220 q46088.exe 1280 s2800.exe 4892 2824682.exe 3168 dpjpj.exe 4036 802604.exe 2752 26882.exe 2268 flrffxx.exe 1796 hhhhnt.exe 2060 hnbnhn.exe 3252 rrxxrrf.exe 1172 9btbth.exe 932 k08888.exe 2656 thhbbn.exe 2864 jjvvp.exe 2100 g6842.exe 3980 8888466.exe 2692 4826604.exe 2320 nhtbtb.exe 544 46482.exe 2252 pvvjj.exe 4884 7rlfxrf.exe 5008 rxfxxlr.exe 4176 jdjdv.exe 412 o682004.exe 3552 ntbtnn.exe 2996 5htbtn.exe 1524 lrfrlff.exe 4484 w84482.exe 3652 484488.exe 4052 606600.exe 3716 fxrlrxf.exe 60 2628288.exe 5024 628888.exe 4888 026666.exe 116 httttt.exe 4288 nbbbbh.exe 4296 460448.exe 1844 jvdvv.exe 3756 djpjd.exe 3012 80046.exe 2280 3djdj.exe 3036 bbnhhh.exe 3076 xxfxxxr.exe 1456 lxxrlff.exe -
resource yara_rule behavioral2/memory/1844-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cce-3.dat upx behavioral2/memory/1844-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cd1-9.dat upx behavioral2/memory/3540-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3560-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd6-12.dat upx behavioral2/memory/212-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd7-20.dat upx behavioral2/memory/3916-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd9-30.dat upx behavioral2/files/0x0007000000023cda-35.dat upx behavioral2/memory/2744-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd8-25.dat upx behavioral2/memory/3692-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdb-38.dat upx behavioral2/files/0x0007000000023cdc-42.dat upx behavioral2/memory/3988-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdd-47.dat upx behavioral2/memory/640-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cde-52.dat upx behavioral2/files/0x0007000000023cdf-56.dat upx behavioral2/memory/3428-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4488-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce0-62.dat upx behavioral2/files/0x0007000000023ce1-68.dat upx behavioral2/memory/3048-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce2-72.dat upx behavioral2/memory/4728-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cd2-77.dat upx behavioral2/memory/752-79-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023ce4-82.dat upx behavioral2/memory/1244-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce5-86.dat upx behavioral2/files/0x0007000000023ce6-91.dat upx behavioral2/memory/3416-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3748-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce7-97.dat upx behavioral2/memory/2640-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3748-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce8-102.dat upx behavioral2/files/0x0007000000023ce9-106.dat upx behavioral2/memory/4892-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3168-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ceb-116.dat upx behavioral2/files/0x0007000000023cea-111.dat upx behavioral2/files/0x0007000000023cec-119.dat upx behavioral2/files/0x0007000000023ced-125.dat upx behavioral2/memory/2752-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4036-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2752-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cee-131.dat upx behavioral2/files/0x0007000000023cef-135.dat upx behavioral2/memory/1796-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf0-140.dat upx behavioral2/files/0x0007000000023cf1-144.dat upx behavioral2/files/0x0007000000023cf2-148.dat upx behavioral2/memory/3252-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf3-153.dat upx behavioral2/memory/1172-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2656-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2100-165-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/544-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2252-177-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2824682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4466004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8860422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1844 wrote to memory of 3540 1844 9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe 85 PID 1844 wrote to memory of 3540 1844 9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe 85 PID 1844 wrote to memory of 3540 1844 9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe 85 PID 3540 wrote to memory of 3560 3540 86486.exe 86 PID 3540 wrote to memory of 3560 3540 86486.exe 86 PID 3540 wrote to memory of 3560 3540 86486.exe 86 PID 3560 wrote to memory of 212 3560 rlrlrlx.exe 87 PID 3560 wrote to memory of 212 3560 rlrlrlx.exe 87 PID 3560 wrote to memory of 212 3560 rlrlrlx.exe 87 PID 212 wrote to memory of 3692 212 6048228.exe 88 PID 212 wrote to memory of 3692 212 6048228.exe 88 PID 212 wrote to memory of 3692 212 6048228.exe 88 PID 3692 wrote to memory of 3916 3692 flrlffx.exe 89 PID 3692 wrote to memory of 3916 3692 flrlffx.exe 89 PID 3692 wrote to memory of 3916 3692 flrlffx.exe 89 PID 3916 wrote to memory of 2744 3916 66828.exe 90 PID 3916 wrote to memory of 2744 3916 66828.exe 90 PID 3916 wrote to memory of 2744 3916 66828.exe 90 PID 2744 wrote to memory of 4736 2744 tbhhbt.exe 91 PID 2744 wrote to memory of 4736 2744 tbhhbt.exe 91 PID 2744 wrote to memory of 4736 2744 tbhhbt.exe 91 PID 4736 wrote to memory of 3988 4736 vjppv.exe 92 PID 4736 wrote to memory of 3988 4736 vjppv.exe 92 PID 4736 wrote to memory of 3988 4736 vjppv.exe 92 PID 3988 wrote to memory of 640 3988 w02226.exe 93 PID 3988 wrote to memory of 640 3988 w02226.exe 93 PID 3988 wrote to memory of 640 3988 w02226.exe 93 PID 640 wrote to memory of 2140 640 8022622.exe 94 PID 640 wrote to memory of 2140 640 8022622.exe 94 PID 640 wrote to memory of 2140 640 8022622.exe 94 PID 2140 wrote to memory of 3428 2140 0602648.exe 95 PID 2140 wrote to memory of 3428 2140 0602648.exe 95 PID 2140 wrote to memory of 3428 2140 0602648.exe 95 PID 3428 wrote to memory of 4488 3428 nhnhbt.exe 96 PID 3428 wrote to memory of 
4488 3428 nhnhbt.exe 96 PID 3428 wrote to memory of 4488 3428 nhnhbt.exe 96 PID 4488 wrote to memory of 3048 4488 4046820.exe 97 PID 4488 wrote to memory of 3048 4488 4046820.exe 97 PID 4488 wrote to memory of 3048 4488 4046820.exe 97 PID 3048 wrote to memory of 1048 3048 068622.exe 98 PID 3048 wrote to memory of 1048 3048 068622.exe 98 PID 3048 wrote to memory of 1048 3048 068622.exe 98 PID 1048 wrote to memory of 4728 1048 9dvpj.exe 99 PID 1048 wrote to memory of 4728 1048 9dvpj.exe 99 PID 1048 wrote to memory of 4728 1048 9dvpj.exe 99 PID 4728 wrote to memory of 752 4728 7rxrxrx.exe 100 PID 4728 wrote to memory of 752 4728 7rxrxrx.exe 100 PID 4728 wrote to memory of 752 4728 7rxrxrx.exe 100 PID 752 wrote to memory of 1244 752 jddvj.exe 101 PID 752 wrote to memory of 1244 752 jddvj.exe 101 PID 752 wrote to memory of 1244 752 jddvj.exe 101 PID 1244 wrote to memory of 2640 1244 u020448.exe 102 PID 1244 wrote to memory of 2640 1244 u020448.exe 102 PID 1244 wrote to memory of 2640 1244 u020448.exe 102 PID 2640 wrote to memory of 3416 2640 htnthb.exe 103 PID 2640 wrote to memory of 3416 2640 htnthb.exe 103 PID 2640 wrote to memory of 3416 2640 htnthb.exe 103 PID 3416 wrote to memory of 3748 3416 8664826.exe 104 PID 3416 wrote to memory of 3748 3416 8664826.exe 104 PID 3416 wrote to memory of 3748 3416 8664826.exe 104 PID 3748 wrote to memory of 220 3748 602206.exe 105 PID 3748 wrote to memory of 220 3748 602206.exe 105 PID 3748 wrote to memory of 220 3748 602206.exe 105 PID 220 wrote to memory of 1280 220 q46088.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe"C:\Users\Admin\AppData\Local\Temp\9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\86486.exec:\86486.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\rlrlrlx.exec:\rlrlrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\6048228.exec:\6048228.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\flrlffx.exec:\flrlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\66828.exec:\66828.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\tbhhbt.exec:\tbhhbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\vjppv.exec:\vjppv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\w02226.exec:\w02226.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\8022622.exec:\8022622.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\0602648.exec:\0602648.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\nhnhbt.exec:\nhnhbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\4046820.exec:\4046820.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\068622.exec:\068622.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\9dvpj.exec:\9dvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\7rxrxrx.exec:\7rxrxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\jddvj.exec:\jddvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\u020448.exec:\u020448.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\htnthb.exec:\htnthb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\8664826.exec:\8664826.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\602206.exec:\602206.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\q46088.exec:\q46088.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\s2800.exec:\s2800.exe23⤵
- Executes dropped EXE
PID:1280 -
\??\c:\2824682.exec:\2824682.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4892 -
\??\c:\dpjpj.exec:\dpjpj.exe25⤵
- Executes dropped EXE
PID:3168 -
\??\c:\802604.exec:\802604.exe26⤵
- Executes dropped EXE
PID:4036 -
\??\c:\26882.exec:\26882.exe27⤵
- Executes dropped EXE
PID:2752 -
\??\c:\flrffxx.exec:\flrffxx.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
\??\c:\hhhhnt.exec:\hhhhnt.exe29⤵
- Executes dropped EXE
PID:1796 -
\??\c:\hnbnhn.exec:\hnbnhn.exe30⤵
- Executes dropped EXE
PID:2060 -
\??\c:\rrxxrrf.exec:\rrxxrrf.exe31⤵
- Executes dropped EXE
PID:3252 -
\??\c:\9btbth.exec:\9btbth.exe32⤵
- Executes dropped EXE
PID:1172 -
\??\c:\k08888.exec:\k08888.exe33⤵
- Executes dropped EXE
PID:932 -
\??\c:\thhbbn.exec:\thhbbn.exe34⤵
- Executes dropped EXE
PID:2656 -
\??\c:\jjvvp.exec:\jjvvp.exe35⤵
- Executes dropped EXE
PID:2864 -
\??\c:\g6842.exec:\g6842.exe36⤵
- Executes dropped EXE
PID:2100 -
\??\c:\8888466.exec:\8888466.exe37⤵
- Executes dropped EXE
PID:3980 -
\??\c:\4826604.exec:\4826604.exe38⤵
- Executes dropped EXE
PID:2692 -
\??\c:\nhtbtb.exec:\nhtbtb.exe39⤵
- Executes dropped EXE
PID:2320 -
\??\c:\46482.exec:\46482.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:544 -
\??\c:\pvvjj.exec:\pvvjj.exe41⤵
- Executes dropped EXE
PID:2252 -
\??\c:\7rlfxrf.exec:\7rlfxrf.exe42⤵
- Executes dropped EXE
PID:4884 -
\??\c:\rxfxxlr.exec:\rxfxxlr.exe43⤵
- Executes dropped EXE
PID:5008 -
\??\c:\jdjdv.exec:\jdjdv.exe44⤵
- Executes dropped EXE
PID:4176 -
\??\c:\o682004.exec:\o682004.exe45⤵
- Executes dropped EXE
PID:412 -
\??\c:\ntbtnn.exec:\ntbtnn.exe46⤵
- Executes dropped EXE
PID:3552 -
\??\c:\5htbtn.exec:\5htbtn.exe47⤵
- Executes dropped EXE
PID:2996 -
\??\c:\lrfrlff.exec:\lrfrlff.exe48⤵
- Executes dropped EXE
PID:1524 -
\??\c:\w84482.exec:\w84482.exe49⤵
- Executes dropped EXE
PID:4484 -
\??\c:\484488.exec:\484488.exe50⤵
- Executes dropped EXE
PID:3652 -
\??\c:\606600.exec:\606600.exe51⤵
- Executes dropped EXE
PID:4052 -
\??\c:\fxrlrxf.exec:\fxrlrxf.exe52⤵
- Executes dropped EXE
PID:3716 -
\??\c:\2628288.exec:\2628288.exe53⤵
- Executes dropped EXE
PID:60 -
\??\c:\628888.exec:\628888.exe54⤵
- Executes dropped EXE
PID:5024 -
\??\c:\026666.exec:\026666.exe55⤵
- Executes dropped EXE
PID:4888 -
\??\c:\httttt.exec:\httttt.exe56⤵
- Executes dropped EXE
PID:116 -
\??\c:\nbbbbh.exec:\nbbbbh.exe57⤵
- Executes dropped EXE
PID:4288 -
\??\c:\460448.exec:\460448.exe58⤵
- Executes dropped EXE
PID:4296 -
\??\c:\jvdvv.exec:\jvdvv.exe59⤵
- Executes dropped EXE
PID:1844 -
\??\c:\djpjd.exec:\djpjd.exe60⤵
- Executes dropped EXE
PID:3756 -
\??\c:\80046.exec:\80046.exe61⤵
- Executes dropped EXE
PID:3012 -
\??\c:\3djdj.exec:\3djdj.exe62⤵
- Executes dropped EXE
PID:2280 -
\??\c:\bbnhhh.exec:\bbnhhh.exe63⤵
- Executes dropped EXE
PID:3036 -
\??\c:\xxfxxxr.exec:\xxfxxxr.exe64⤵
- Executes dropped EXE
PID:3076 -
\??\c:\lxxrlff.exec:\lxxrlff.exe65⤵
- Executes dropped EXE
PID:1456 -
\??\c:\vjpdv.exec:\vjpdv.exe66⤵PID:1480
-
\??\c:\648008.exec:\648008.exe67⤵PID:2808
-
\??\c:\1dvpj.exec:\1dvpj.exe68⤵PID:4832
-
\??\c:\rfrfxrf.exec:\rfrfxrf.exe69⤵PID:2324
-
\??\c:\xfrfxrf.exec:\xfrfxrf.exe70⤵PID:1816
-
\??\c:\vjjvp.exec:\vjjvp.exe71⤵PID:1836
-
\??\c:\6828680.exec:\6828680.exe72⤵PID:640
-
\??\c:\s6604.exec:\s6604.exe73⤵PID:4092
-
\??\c:\9vvpj.exec:\9vvpj.exe74⤵PID:4368
-
\??\c:\q60466.exec:\q60466.exe75⤵PID:5108
-
\??\c:\1ppjd.exec:\1ppjd.exe76⤵PID:4072
-
\??\c:\tnhbbb.exec:\tnhbbb.exe77⤵PID:4376
-
\??\c:\o004248.exec:\o004248.exe78⤵PID:1048
-
\??\c:\pjjjd.exec:\pjjjd.exe79⤵PID:2476
-
\??\c:\ppvjv.exec:\ppvjv.exe80⤵PID:2792
-
\??\c:\64468.exec:\64468.exe81⤵PID:3628
-
\??\c:\224026.exec:\224026.exe82⤵PID:1708
-
\??\c:\660208.exec:\660208.exe83⤵PID:4320
-
\??\c:\g2260.exec:\g2260.exe84⤵PID:2236
-
\??\c:\bthbtt.exec:\bthbtt.exe85⤵PID:2520
-
\??\c:\3bthbb.exec:\3bthbb.exe86⤵PID:2416
-
\??\c:\g8826.exec:\g8826.exe87⤵PID:4572
-
\??\c:\628240.exec:\628240.exe88⤵PID:3668
-
\??\c:\tbntht.exec:\tbntht.exe89⤵PID:1132
-
\??\c:\tbnhtt.exec:\tbnhtt.exe90⤵PID:4720
-
\??\c:\bbtntb.exec:\bbtntb.exe91⤵PID:4764
-
\??\c:\40848.exec:\40848.exe92⤵PID:796
-
\??\c:\bhnnnn.exec:\bhnnnn.exe93⤵PID:3168
-
\??\c:\nnbntt.exec:\nnbntt.exe94⤵PID:4980
-
\??\c:\a4000.exec:\a4000.exe95⤵PID:760
-
\??\c:\vjvvp.exec:\vjvvp.exe96⤵PID:2752
-
\??\c:\djppj.exec:\djppj.exe97⤵PID:1756
-
\??\c:\lffrlfx.exec:\lffrlfx.exe98⤵PID:4088
-
\??\c:\lrfxxlf.exec:\lrfxxlf.exe99⤵PID:1796
-
\??\c:\pvjvp.exec:\pvjvp.exe100⤵PID:2352
-
\??\c:\9dpjv.exec:\9dpjv.exe101⤵PID:4544
-
\??\c:\fxlfxrl.exec:\fxlfxrl.exe102⤵PID:3252
-
\??\c:\860646.exec:\860646.exe103⤵PID:2992
-
\??\c:\jpvjd.exec:\jpvjd.exe104⤵PID:4156
-
\??\c:\224200.exec:\224200.exe105⤵PID:1316
-
\??\c:\3pjdv.exec:\3pjdv.exe106⤵PID:4584
-
\??\c:\9llxllx.exec:\9llxllx.exe107⤵PID:1948
-
\??\c:\bthbnh.exec:\bthbnh.exe108⤵
- System Location Discovery: System Language Discovery
PID:2924 -
\??\c:\rllfrlf.exec:\rllfrlf.exe109⤵PID:2872
-
\??\c:\lfxlrlf.exec:\lfxlrlf.exe110⤵PID:3256
-
\??\c:\006048.exec:\006048.exe111⤵PID:4204
-
\??\c:\7nhnhb.exec:\7nhnhb.exe112⤵PID:544
-
\??\c:\8022622.exec:\8022622.exe113⤵PID:2252
-
\??\c:\pdvpv.exec:\pdvpv.exe114⤵PID:4292
-
\??\c:\e84826.exec:\e84826.exe115⤵PID:4956
-
\??\c:\e88604.exec:\e88604.exe116⤵PID:4040
-
\??\c:\nhbntn.exec:\nhbntn.exe117⤵PID:4232
-
\??\c:\jdjdv.exec:\jdjdv.exe118⤵PID:3216
-
\??\c:\08648.exec:\08648.exe119⤵PID:2568
-
\??\c:\84608.exec:\84608.exe120⤵PID:1524
-
\??\c:\dvdvp.exec:\dvdvp.exe121⤵PID:3652
-
\??\c:\5nhbtt.exec:\5nhbtt.exe122⤵PID:4460
-