Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 21:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe
-
Size
456KB
-
MD5
a03453537332aac2cf2583f7d3231a76
-
SHA1
2f704022dd4c0e3080e8fcd801644de660540697
-
SHA256
26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71
-
SHA512
b9123e847b2e62dd76dca9fb0bd9a38491eb8e4cc4af4af21fd206ae89947e0f4d07cf221c75e612e5e85c1c4dc1e22d654ed42c238c23abedc6cd6fc2163c2e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRs:q7Tc2NYHUrAwfMp3CDRs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/3060-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1108-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/628-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/860-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-247-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2936-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2688-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-305-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2564-323-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2644-342-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2560-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1016-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1016-428-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-526-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2452-528-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/616-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-572-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2196-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-642-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1460-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1344-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/628-730-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1476 hthhnn.exe 2752 62202.exe 2664 24622.exe 2812 xllllll.exe 2788 e42844.exe 2604 bntnnb.exe 2588 0244484.exe 2840 5jvvv.exe 1108 1bbttn.exe 796 800048.exe 2292 6400444.exe 1620 8626888.exe 2544 c680040.exe 1300 208244.exe 2404 s6884.exe 2268 02062.exe 1920 dvdjp.exe 628 frxrfxx.exe 3052 k80004.exe 2596 xlxrxrr.exe 1812 3rrllfl.exe 860 q46600.exe 836 dddjd.exe 1536 7bnntn.exe 1960 1pppp.exe 696 dvjjj.exe 1816 jvpvv.exe 760 ttnnbn.exe 2936 468222.exe 1928 0282662.exe 3028 i240622.exe 2688 6460206.exe 2668 6800884.exe 2800 xrfxfxr.exe 2564 m8488.exe 2932 04060.exe 2720 08062.exe 2644 thtnhb.exe 2560 s4222.exe 2620 1rffllr.exe 2608 xrfflfl.exe 3008 3htbhh.exe 2440 dvdvv.exe 1108 k60000.exe 1868 480400.exe 2780 04284.exe 1756 lfflxfr.exe 1620 bbtbnn.exe 700 0484668.exe 2380 86440.exe 1016 424444.exe 2164 nhhntt.exe 2152 60284.exe 2156 nhbbbb.exe 2220 3jvdp.exe 2908 604622.exe 2964 08662.exe 2504 rfrxflr.exe 1056 60240.exe 1508 s6404.exe 2948 hhbtnn.exe 2012 7httbb.exe 1996 86846.exe 1708 3lxrffr.exe -
resource yara_rule behavioral1/memory/1476-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1108-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/628-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/628-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-179-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2596-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-210-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/696-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-305-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2800-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-342-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2620-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/616-559-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/616-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-642-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1460-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-769-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0884404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8022288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c866268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u482884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3060 wrote to memory of 1476 3060 26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe 30 PID 3060 wrote to memory of 1476 3060 26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe 30 PID 3060 wrote to memory of 1476 3060 26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe 30 PID 3060 wrote to memory of 1476 3060 26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe 30 PID 1476 wrote to memory of 2752 1476 hthhnn.exe 31 PID 1476 wrote to memory of 2752 1476 hthhnn.exe 31 PID 1476 wrote to memory of 2752 1476 hthhnn.exe 31 PID 1476 wrote to memory of 2752 1476 hthhnn.exe 31 PID 2752 wrote to memory of 2664 2752 62202.exe 32 PID 2752 wrote to memory of 2664 2752 62202.exe 32 PID 2752 wrote to memory of 2664 2752 62202.exe 32 PID 2752 wrote to memory of 2664 2752 62202.exe 32 PID 2664 wrote to memory of 2812 2664 24622.exe 33 PID 2664 wrote to memory of 2812 2664 24622.exe 33 PID 2664 wrote to memory of 2812 2664 24622.exe 33 PID 2664 wrote to memory of 2812 2664 24622.exe 33 PID 2812 wrote to memory of 2788 2812 xllllll.exe 34 PID 2812 wrote to memory of 2788 2812 xllllll.exe 34 PID 2812 wrote to memory of 2788 2812 xllllll.exe 34 PID 2812 wrote to memory of 2788 2812 xllllll.exe 34 PID 2788 wrote to memory of 2604 2788 e42844.exe 35 PID 2788 wrote to memory of 2604 2788 e42844.exe 35 PID 2788 wrote to memory of 2604 2788 e42844.exe 35 PID 2788 wrote to memory of 2604 2788 e42844.exe 35 PID 2604 wrote to memory of 2588 2604 bntnnb.exe 36 PID 2604 wrote to memory of 2588 2604 bntnnb.exe 36 PID 2604 wrote to memory of 2588 2604 bntnnb.exe 36 PID 2604 wrote to memory of 2588 2604 bntnnb.exe 36 PID 2588 wrote to memory of 2840 2588 0244484.exe 37 PID 2588 wrote to memory of 2840 2588 0244484.exe 37 PID 2588 wrote to memory of 2840 2588 0244484.exe 37 PID 2588 wrote to memory of 2840 2588 0244484.exe 37 PID 2840 wrote to memory of 1108 2840 5jvvv.exe 38 PID 2840 wrote 
to memory of 1108 2840 5jvvv.exe 38 PID 2840 wrote to memory of 1108 2840 5jvvv.exe 38 PID 2840 wrote to memory of 1108 2840 5jvvv.exe 38 PID 1108 wrote to memory of 796 1108 1bbttn.exe 39 PID 1108 wrote to memory of 796 1108 1bbttn.exe 39 PID 1108 wrote to memory of 796 1108 1bbttn.exe 39 PID 1108 wrote to memory of 796 1108 1bbttn.exe 39 PID 796 wrote to memory of 2292 796 800048.exe 40 PID 796 wrote to memory of 2292 796 800048.exe 40 PID 796 wrote to memory of 2292 796 800048.exe 40 PID 796 wrote to memory of 2292 796 800048.exe 40 PID 2292 wrote to memory of 1620 2292 6400444.exe 41 PID 2292 wrote to memory of 1620 2292 6400444.exe 41 PID 2292 wrote to memory of 1620 2292 6400444.exe 41 PID 2292 wrote to memory of 1620 2292 6400444.exe 41 PID 1620 wrote to memory of 2544 1620 8626888.exe 42 PID 1620 wrote to memory of 2544 1620 8626888.exe 42 PID 1620 wrote to memory of 2544 1620 8626888.exe 42 PID 1620 wrote to memory of 2544 1620 8626888.exe 42 PID 2544 wrote to memory of 1300 2544 c680040.exe 43 PID 2544 wrote to memory of 1300 2544 c680040.exe 43 PID 2544 wrote to memory of 1300 2544 c680040.exe 43 PID 2544 wrote to memory of 1300 2544 c680040.exe 43 PID 1300 wrote to memory of 2404 1300 208244.exe 44 PID 1300 wrote to memory of 2404 1300 208244.exe 44 PID 1300 wrote to memory of 2404 1300 208244.exe 44 PID 1300 wrote to memory of 2404 1300 208244.exe 44 PID 2404 wrote to memory of 2268 2404 s6884.exe 45 PID 2404 wrote to memory of 2268 2404 s6884.exe 45 PID 2404 wrote to memory of 2268 2404 s6884.exe 45 PID 2404 wrote to memory of 2268 2404 s6884.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe"C:\Users\Admin\AppData\Local\Temp\26b4bbe783d77b1d5f2a039c546c1d72d42ba38e8e5e56f55a251af72982bb71.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\hthhnn.exec:\hthhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\62202.exec:\62202.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\24622.exec:\24622.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\xllllll.exec:\xllllll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\e42844.exec:\e42844.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\bntnnb.exec:\bntnnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\0244484.exec:\0244484.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\5jvvv.exec:\5jvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\1bbttn.exec:\1bbttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\800048.exec:\800048.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\6400444.exec:\6400444.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\8626888.exec:\8626888.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\c680040.exec:\c680040.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\208244.exec:\208244.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\s6884.exec:\s6884.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\02062.exec:\02062.exe17⤵
- Executes dropped EXE
PID:2268 -
\??\c:\dvdjp.exec:\dvdjp.exe18⤵
- Executes dropped EXE
PID:1920 -
\??\c:\frxrfxx.exec:\frxrfxx.exe19⤵
- Executes dropped EXE
PID:628 -
\??\c:\k80004.exec:\k80004.exe20⤵
- Executes dropped EXE
PID:3052 -
\??\c:\xlxrxrr.exec:\xlxrxrr.exe21⤵
- Executes dropped EXE
PID:2596 -
\??\c:\3rrllfl.exec:\3rrllfl.exe22⤵
- Executes dropped EXE
PID:1812 -
\??\c:\q46600.exec:\q46600.exe23⤵
- Executes dropped EXE
PID:860 -
\??\c:\dddjd.exec:\dddjd.exe24⤵
- Executes dropped EXE
PID:836 -
\??\c:\7bnntn.exec:\7bnntn.exe25⤵
- Executes dropped EXE
PID:1536 -
\??\c:\1pppp.exec:\1pppp.exe26⤵
- Executes dropped EXE
PID:1960 -
\??\c:\dvjjj.exec:\dvjjj.exe27⤵
- Executes dropped EXE
PID:696 -
\??\c:\jvpvv.exec:\jvpvv.exe28⤵
- Executes dropped EXE
PID:1816 -
\??\c:\ttnnbn.exec:\ttnnbn.exe29⤵
- Executes dropped EXE
PID:760 -
\??\c:\468222.exec:\468222.exe30⤵
- Executes dropped EXE
PID:2936 -
\??\c:\0282662.exec:\0282662.exe31⤵
- Executes dropped EXE
PID:1928 -
\??\c:\i240622.exec:\i240622.exe32⤵
- Executes dropped EXE
PID:3028 -
\??\c:\6460206.exec:\6460206.exe33⤵
- Executes dropped EXE
PID:2688 -
\??\c:\6800884.exec:\6800884.exe34⤵
- Executes dropped EXE
PID:2668 -
\??\c:\xrfxfxr.exec:\xrfxfxr.exe35⤵
- Executes dropped EXE
PID:2800 -
\??\c:\m8488.exec:\m8488.exe36⤵
- Executes dropped EXE
PID:2564 -
\??\c:\04060.exec:\04060.exe37⤵
- Executes dropped EXE
PID:2932 -
\??\c:\08062.exec:\08062.exe38⤵
- Executes dropped EXE
PID:2720 -
\??\c:\thtnhb.exec:\thtnhb.exe39⤵
- Executes dropped EXE
PID:2644 -
\??\c:\s4222.exec:\s4222.exe40⤵
- Executes dropped EXE
PID:2560 -
\??\c:\1rffllr.exec:\1rffllr.exe41⤵
- Executes dropped EXE
PID:2620 -
\??\c:\xrfflfl.exec:\xrfflfl.exe42⤵
- Executes dropped EXE
PID:2608 -
\??\c:\3htbhh.exec:\3htbhh.exe43⤵
- Executes dropped EXE
PID:3008 -
\??\c:\dvdvv.exec:\dvdvv.exe44⤵
- Executes dropped EXE
PID:2440 -
\??\c:\k60000.exec:\k60000.exe45⤵
- Executes dropped EXE
PID:1108 -
\??\c:\480400.exec:\480400.exe46⤵
- Executes dropped EXE
PID:1868 -
\??\c:\04284.exec:\04284.exe47⤵
- Executes dropped EXE
PID:2780 -
\??\c:\lfflxfr.exec:\lfflxfr.exe48⤵
- Executes dropped EXE
PID:1756 -
\??\c:\bbtbnn.exec:\bbtbnn.exe49⤵
- Executes dropped EXE
PID:1620 -
\??\c:\0484668.exec:\0484668.exe50⤵
- Executes dropped EXE
PID:700 -
\??\c:\86440.exec:\86440.exe51⤵
- Executes dropped EXE
PID:2380 -
\??\c:\424444.exec:\424444.exe52⤵
- Executes dropped EXE
PID:1016 -
\??\c:\nhhntt.exec:\nhhntt.exe53⤵
- Executes dropped EXE
PID:2164 -
\??\c:\60284.exec:\60284.exe54⤵
- Executes dropped EXE
PID:2152 -
\??\c:\nhbbbb.exec:\nhbbbb.exe55⤵
- Executes dropped EXE
PID:2156 -
\??\c:\3jvdp.exec:\3jvdp.exe56⤵
- Executes dropped EXE
PID:2220 -
\??\c:\604622.exec:\604622.exe57⤵
- Executes dropped EXE
PID:2908 -
\??\c:\08662.exec:\08662.exe58⤵
- Executes dropped EXE
PID:2964 -
\??\c:\rfrxflr.exec:\rfrxflr.exe59⤵
- Executes dropped EXE
PID:2504 -
\??\c:\60240.exec:\60240.exe60⤵
- Executes dropped EXE
PID:1056 -
\??\c:\s6404.exec:\s6404.exe61⤵
- Executes dropped EXE
PID:1508 -
\??\c:\hhbtnn.exec:\hhbtnn.exe62⤵
- Executes dropped EXE
PID:2948 -
\??\c:\7httbb.exec:\7httbb.exe63⤵
- Executes dropped EXE
PID:2012 -
\??\c:\86846.exec:\86846.exe64⤵
- Executes dropped EXE
PID:1996 -
\??\c:\3lxrffr.exec:\3lxrffr.exe65⤵
- Executes dropped EXE
PID:1708 -
\??\c:\thnhnh.exec:\thnhnh.exe66⤵PID:2452
-
\??\c:\7lxrxxf.exec:\7lxrxxf.exe67⤵PID:2968
-
\??\c:\pvppj.exec:\pvppj.exe68⤵PID:1816
-
\??\c:\jvjdj.exec:\jvjdj.exe69⤵PID:2344
-
\??\c:\3rfrllf.exec:\3rfrllf.exe70⤵
- System Location Discovery: System Language Discovery
PID:2124 -
\??\c:\48028.exec:\48028.exe71⤵PID:1716
-
\??\c:\4868608.exec:\4868608.exe72⤵PID:616
-
\??\c:\c428006.exec:\c428006.exe73⤵PID:840
-
\??\c:\6684628.exec:\6684628.exe74⤵PID:2688
-
\??\c:\xflfxrx.exec:\xflfxrx.exe75⤵PID:2768
-
\??\c:\pvppv.exec:\pvppv.exe76⤵PID:2196
-
\??\c:\bthhhn.exec:\bthhhn.exe77⤵PID:2716
-
\??\c:\04602.exec:\04602.exe78⤵PID:2172
-
\??\c:\826200.exec:\826200.exe79⤵PID:2592
-
\??\c:\7nntbb.exec:\7nntbb.exe80⤵PID:2896
-
\??\c:\nhnhtb.exec:\nhnhtb.exe81⤵PID:2804
-
\??\c:\m2662.exec:\m2662.exe82⤵PID:2572
-
\??\c:\dpvjd.exec:\dpvjd.exe83⤵PID:2140
-
\??\c:\g4006.exec:\g4006.exe84⤵PID:1528
-
\??\c:\64280.exec:\64280.exe85⤵PID:1984
-
\??\c:\3pjjv.exec:\3pjjv.exe86⤵PID:1884
-
\??\c:\tnbhhb.exec:\tnbhhb.exe87⤵PID:2360
-
\??\c:\k80648.exec:\k80648.exe88⤵PID:1460
-
\??\c:\2028400.exec:\2028400.exe89⤵PID:692
-
\??\c:\8262008.exec:\8262008.exe90⤵PID:1924
-
\??\c:\820022.exec:\820022.exe91⤵PID:2872
-
\??\c:\btnntb.exec:\btnntb.exe92⤵PID:2380
-
\??\c:\rlfxfff.exec:\rlfxfff.exe93⤵PID:1344
-
\??\c:\1hbntb.exec:\1hbntb.exe94⤵PID:2312
-
\??\c:\86066.exec:\86066.exe95⤵PID:1920
-
\??\c:\86844.exec:\86844.exe96⤵PID:628
-
\??\c:\frxxxxx.exec:\frxxxxx.exe97⤵PID:1012
-
\??\c:\dpvvj.exec:\dpvvj.exe98⤵PID:1904
-
\??\c:\lrxrxrr.exec:\lrxrxrr.exe99⤵PID:952
-
\??\c:\hntttn.exec:\hntttn.exe100⤵PID:2516
-
\??\c:\1frlrrr.exec:\1frlrrr.exe101⤵PID:896
-
\??\c:\2022488.exec:\2022488.exe102⤵PID:860
-
\??\c:\e66622.exec:\e66622.exe103⤵PID:1780
-
\??\c:\806604.exec:\806604.exe104⤵PID:1892
-
\??\c:\8660600.exec:\8660600.exe105⤵PID:2416
-
\??\c:\0284040.exec:\0284040.exe106⤵PID:2120
-
\??\c:\0860226.exec:\0860226.exe107⤵PID:1292
-
\??\c:\btbhhb.exec:\btbhhb.exe108⤵PID:2832
-
\??\c:\80662.exec:\80662.exe109⤵PID:996
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe110⤵PID:1676
-
\??\c:\64662.exec:\64662.exe111⤵PID:1988
-
\??\c:\7bnhhh.exec:\7bnhhh.exe112⤵PID:2124
-
\??\c:\lflrrlr.exec:\lflrrlr.exe113⤵
- System Location Discovery: System Language Discovery
PID:2992 -
\??\c:\m8088.exec:\m8088.exe114⤵PID:3060
-
\??\c:\640660.exec:\640660.exe115⤵PID:1476
-
\??\c:\frfflff.exec:\frfflff.exe116⤵PID:2756
-
\??\c:\424288.exec:\424288.exe117⤵PID:2768
-
\??\c:\xrlxxff.exec:\xrlxxff.exe118⤵PID:2676
-
\??\c:\m8006.exec:\m8006.exe119⤵PID:2928
-
\??\c:\dpvvj.exec:\dpvvj.exe120⤵PID:2736
-
\??\c:\42882.exec:\42882.exe121⤵PID:2660
-
\??\c:\u682266.exec:\u682266.exe122⤵PID:2568