Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
25-12-2024 22:27
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
c0b728c5f0634f9228442d887125652a7154084557b341407449c24b6c6add6fN.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c0b728c5f0634f9228442d887125652a7154084557b341407449c24b6c6add6fN.exe
-
Size
454KB
-
MD5
cc0bc1fd24568300c632244b7c75c890
-
SHA1
72b1ef4c0ee2959a1aba17f02d4f25ec908fc0aa
-
SHA256
c0b728c5f0634f9228442d887125652a7154084557b341407449c24b6c6add6f
-
SHA512
d1c8cfa8ce402ade83faee3f2a1ffbc3778b3b0f7f421f1778cdccdf54b3f9dbb7c1364c2090d8bbf51044b3e418b28a8d4d5b51b3ccbfd244b13a6da60643f2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/3008-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-93-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2828-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/948-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-285-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/1968-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-377-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2408-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-484-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2272-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/688-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-637-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2780-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-729-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/1980-855-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2576-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-997-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/840-1022-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 800 7rfrxlx.exe 2620 hthntt.exe 2600 nhtbnh.exe 2296 tnbhnt.exe 2788 btbthb.exe 3024 86064.exe 2776 046266.exe 2960 60242.exe 2828 22064.exe 2680 006084.exe 2712 2206026.exe 948 nthnbh.exe 1212 7nhnhn.exe 1436 i006402.exe 2112 tbbnbh.exe 840 60240.exe 2948 vdjvj.exe 2436 llxfrxl.exe 2276 btnnbt.exe 2084 e08062.exe 108 lffxrlf.exe 448 0828402.exe 2272 60468.exe 1312 o480802.exe 1888 hthhnn.exe 3048 9ddpv.exe 1456 nhhttb.exe 2304 82084.exe 2432 04280.exe 2532 hthhnn.exe 2580 lxlrfxl.exe 2292 48668.exe 3060 q42044.exe 1968 06686.exe 1524 w26462.exe 2116 q48046.exe 2364 828406.exe 2368 u804028.exe 2752 0860840.exe 2856 rlfrllx.exe 2812 2666808.exe 2784 i040228.exe 1752 rlflxff.exe 2796 hbthnt.exe 1832 8228624.exe 2832 hnntnb.exe 2732 i444624.exe 2680 2608062.exe 1552 a2280.exe 672 4228846.exe 1212 2400802.exe 1900 1rlrrrl.exe 2020 xrrrxxf.exe 1568 9jdpd.exe 2008 262428.exe 2052 jvjpd.exe 2976 0840008.exe 1684 604026.exe 2244 26468.exe 2408 08224.exe 1620 i206266.exe 2756 xxxxlfl.exe 2988 808822.exe 1500 ttnbhh.exe -
resource yara_rule behavioral1/memory/3008-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/948-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-315-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2364-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-729-0x0000000001C50000-0x0000000001C7A000-memory.dmp upx behavioral1/memory/1560-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-763-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1908-818-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2308-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-855-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2576-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-913-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-950-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-965-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-1004-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-1060-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-1098-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-1135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-1142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (the key read is HKLM\SYSTEM\ControlSet001\Control\NLS\Language; on its own this is a weak indicator, since many benign installers query it too).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6640600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4824242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k64800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0862046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 800 3008 c0b728c5f0634f9228442d887125652a7154084557b341407449c24b6c6add6fN.exe 30 PID 3008 wrote to memory of 800 3008 c0b728c5f0634f9228442d887125652a7154084557b341407449c24b6c6add6fN.exe 30 PID 3008 wrote to memory of 800 3008 c0b728c5f0634f9228442d887125652a7154084557b341407449c24b6c6add6fN.exe 30 PID 3008 wrote to memory of 800 3008 c0b728c5f0634f9228442d887125652a7154084557b341407449c24b6c6add6fN.exe 30 PID 800 wrote to memory of 2620 800 7rfrxlx.exe 31 PID 800 wrote to memory of 2620 800 7rfrxlx.exe 31 PID 800 wrote to memory of 2620 800 7rfrxlx.exe 31 PID 800 wrote to memory of 2620 800 7rfrxlx.exe 31 PID 2620 wrote to memory of 2600 2620 hthntt.exe 32 PID 2620 wrote to memory of 2600 2620 hthntt.exe 32 PID 2620 wrote to memory of 2600 2620 hthntt.exe 32 PID 2620 wrote to memory of 2600 2620 hthntt.exe 32 PID 2600 wrote to memory of 2296 2600 nhtbnh.exe 33 PID 2600 wrote to memory of 2296 2600 nhtbnh.exe 33 PID 2600 wrote to memory of 2296 2600 nhtbnh.exe 33 PID 2600 wrote to memory of 2296 2600 nhtbnh.exe 33 PID 2296 wrote to memory of 2788 2296 tnbhnt.exe 34 PID 2296 wrote to memory of 2788 2296 tnbhnt.exe 34 PID 2296 wrote to memory of 2788 2296 tnbhnt.exe 34 PID 2296 wrote to memory of 2788 2296 tnbhnt.exe 34 PID 2788 wrote to memory of 3024 2788 btbthb.exe 35 PID 2788 wrote to memory of 3024 2788 btbthb.exe 35 PID 2788 wrote to memory of 3024 2788 btbthb.exe 35 PID 2788 wrote to memory of 3024 2788 btbthb.exe 35 PID 3024 wrote to memory of 2776 3024 86064.exe 36 PID 3024 wrote to memory of 2776 3024 86064.exe 36 PID 3024 wrote to memory of 2776 3024 86064.exe 36 PID 3024 wrote to memory of 2776 3024 86064.exe 36 PID 2776 wrote to memory of 2960 2776 046266.exe 37 PID 2776 wrote to memory of 2960 2776 046266.exe 37 PID 2776 wrote to memory of 2960 2776 046266.exe 37 PID 2776 wrote to memory of 2960 2776 046266.exe 37 PID 2960 wrote to memory of 2828 2960 60242.exe 38 PID 2960 wrote to 
memory of 2828 2960 60242.exe 38 PID 2960 wrote to memory of 2828 2960 60242.exe 38 PID 2960 wrote to memory of 2828 2960 60242.exe 38 PID 2828 wrote to memory of 2680 2828 22064.exe 39 PID 2828 wrote to memory of 2680 2828 22064.exe 39 PID 2828 wrote to memory of 2680 2828 22064.exe 39 PID 2828 wrote to memory of 2680 2828 22064.exe 39 PID 2680 wrote to memory of 2712 2680 006084.exe 40 PID 2680 wrote to memory of 2712 2680 006084.exe 40 PID 2680 wrote to memory of 2712 2680 006084.exe 40 PID 2680 wrote to memory of 2712 2680 006084.exe 40 PID 2712 wrote to memory of 948 2712 2206026.exe 41 PID 2712 wrote to memory of 948 2712 2206026.exe 41 PID 2712 wrote to memory of 948 2712 2206026.exe 41 PID 2712 wrote to memory of 948 2712 2206026.exe 41 PID 948 wrote to memory of 1212 948 nthnbh.exe 42 PID 948 wrote to memory of 1212 948 nthnbh.exe 42 PID 948 wrote to memory of 1212 948 nthnbh.exe 42 PID 948 wrote to memory of 1212 948 nthnbh.exe 42 PID 1212 wrote to memory of 1436 1212 7nhnhn.exe 43 PID 1212 wrote to memory of 1436 1212 7nhnhn.exe 43 PID 1212 wrote to memory of 1436 1212 7nhnhn.exe 43 PID 1212 wrote to memory of 1436 1212 7nhnhn.exe 43 PID 1436 wrote to memory of 2112 1436 i006402.exe 44 PID 1436 wrote to memory of 2112 1436 i006402.exe 44 PID 1436 wrote to memory of 2112 1436 i006402.exe 44 PID 1436 wrote to memory of 2112 1436 i006402.exe 44 PID 2112 wrote to memory of 840 2112 tbbnbh.exe 45 PID 2112 wrote to memory of 840 2112 tbbnbh.exe 45 PID 2112 wrote to memory of 840 2112 tbbnbh.exe 45 PID 2112 wrote to memory of 840 2112 tbbnbh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0b728c5f0634f9228442d887125652a7154084557b341407449c24b6c6add6fN.exe"C:\Users\Admin\AppData\Local\Temp\c0b728c5f0634f9228442d887125652a7154084557b341407449c24b6c6add6fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\7rfrxlx.exec:\7rfrxlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\hthntt.exec:\hthntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\nhtbnh.exec:\nhtbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\tnbhnt.exec:\tnbhnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\btbthb.exec:\btbthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\86064.exec:\86064.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\046266.exec:\046266.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\60242.exec:\60242.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\22064.exec:\22064.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\006084.exec:\006084.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\2206026.exec:\2206026.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\nthnbh.exec:\nthnbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\7nhnhn.exec:\7nhnhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\i006402.exec:\i006402.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\tbbnbh.exec:\tbbnbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\60240.exec:\60240.exe17⤵
- Executes dropped EXE
PID:840 -
\??\c:\vdjvj.exec:\vdjvj.exe18⤵
- Executes dropped EXE
PID:2948 -
\??\c:\llxfrxl.exec:\llxfrxl.exe19⤵
- Executes dropped EXE
PID:2436 -
\??\c:\btnnbt.exec:\btnnbt.exe20⤵
- Executes dropped EXE
PID:2276 -
\??\c:\e08062.exec:\e08062.exe21⤵
- Executes dropped EXE
PID:2084 -
\??\c:\lffxrlf.exec:\lffxrlf.exe22⤵
- Executes dropped EXE
PID:108 -
\??\c:\0828402.exec:\0828402.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\60468.exec:\60468.exe24⤵
- Executes dropped EXE
PID:2272 -
\??\c:\o480802.exec:\o480802.exe25⤵
- Executes dropped EXE
PID:1312 -
\??\c:\hthhnn.exec:\hthhnn.exe26⤵
- Executes dropped EXE
PID:1888 -
\??\c:\9ddpv.exec:\9ddpv.exe27⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nhhttb.exec:\nhhttb.exe28⤵
- Executes dropped EXE
PID:1456 -
\??\c:\82084.exec:\82084.exe29⤵
- Executes dropped EXE
PID:2304 -
\??\c:\04280.exec:\04280.exe30⤵
- Executes dropped EXE
PID:2432 -
\??\c:\hthhnn.exec:\hthhnn.exe31⤵
- Executes dropped EXE
PID:2532 -
\??\c:\lxlrfxl.exec:\lxlrfxl.exe32⤵
- Executes dropped EXE
PID:2580 -
\??\c:\48668.exec:\48668.exe33⤵
- Executes dropped EXE
PID:2292 -
\??\c:\q42044.exec:\q42044.exe34⤵
- Executes dropped EXE
PID:3060 -
\??\c:\06686.exec:\06686.exe35⤵
- Executes dropped EXE
PID:1968 -
\??\c:\w26462.exec:\w26462.exe36⤵
- Executes dropped EXE
PID:1524 -
\??\c:\q48046.exec:\q48046.exe37⤵
- Executes dropped EXE
PID:2116 -
\??\c:\828406.exec:\828406.exe38⤵
- Executes dropped EXE
PID:2364 -
\??\c:\u804028.exec:\u804028.exe39⤵
- Executes dropped EXE
PID:2368 -
\??\c:\0860840.exec:\0860840.exe40⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rlfrllx.exec:\rlfrllx.exe41⤵
- Executes dropped EXE
PID:2856 -
\??\c:\2666808.exec:\2666808.exe42⤵
- Executes dropped EXE
PID:2812 -
\??\c:\i040228.exec:\i040228.exe43⤵
- Executes dropped EXE
PID:2784 -
\??\c:\rlflxff.exec:\rlflxff.exe44⤵
- Executes dropped EXE
PID:1752 -
\??\c:\hbthnt.exec:\hbthnt.exe45⤵
- Executes dropped EXE
PID:2796 -
\??\c:\8228624.exec:\8228624.exe46⤵
- Executes dropped EXE
PID:1832 -
\??\c:\hnntnb.exec:\hnntnb.exe47⤵
- Executes dropped EXE
PID:2832 -
\??\c:\i444624.exec:\i444624.exe48⤵
- Executes dropped EXE
PID:2732 -
\??\c:\2608062.exec:\2608062.exe49⤵
- Executes dropped EXE
PID:2680 -
\??\c:\a2280.exec:\a2280.exe50⤵
- Executes dropped EXE
PID:1552 -
\??\c:\4228846.exec:\4228846.exe51⤵
- Executes dropped EXE
PID:672 -
\??\c:\2400802.exec:\2400802.exe52⤵
- Executes dropped EXE
PID:1212 -
\??\c:\1rlrrrl.exec:\1rlrrrl.exe53⤵
- Executes dropped EXE
PID:1900 -
\??\c:\xrrrxxf.exec:\xrrrxxf.exe54⤵
- Executes dropped EXE
PID:2020 -
\??\c:\9jdpd.exec:\9jdpd.exe55⤵
- Executes dropped EXE
PID:1568 -
\??\c:\262428.exec:\262428.exe56⤵
- Executes dropped EXE
PID:2008 -
\??\c:\jvjpd.exec:\jvjpd.exe57⤵
- Executes dropped EXE
PID:2052 -
\??\c:\0840008.exec:\0840008.exe58⤵
- Executes dropped EXE
PID:2976 -
\??\c:\604026.exec:\604026.exe59⤵
- Executes dropped EXE
PID:1684 -
\??\c:\26468.exec:\26468.exe60⤵
- Executes dropped EXE
PID:2244 -
\??\c:\08224.exec:\08224.exe61⤵
- Executes dropped EXE
PID:2408 -
\??\c:\i206266.exec:\i206266.exe62⤵
- Executes dropped EXE
PID:1620 -
\??\c:\xxxxlfl.exec:\xxxxlfl.exe63⤵
- Executes dropped EXE
PID:2756 -
\??\c:\808822.exec:\808822.exe64⤵
- Executes dropped EXE
PID:2988 -
\??\c:\ttnbhh.exec:\ttnbhh.exe65⤵
- Executes dropped EXE
PID:1500 -
\??\c:\1frrlrl.exec:\1frrlrl.exe66⤵PID:2272
-
\??\c:\0428628.exec:\0428628.exe67⤵PID:1428
-
\??\c:\648082.exec:\648082.exe68⤵PID:1864
-
\??\c:\vjddd.exec:\vjddd.exe69⤵PID:1884
-
\??\c:\3tnbtt.exec:\3tnbtt.exe70⤵PID:688
-
\??\c:\3flfffl.exec:\3flfffl.exe71⤵PID:1456
-
\??\c:\226204.exec:\226204.exe72⤵PID:2392
-
\??\c:\hhbnbh.exec:\hhbnbh.exe73⤵PID:1536
-
\??\c:\vjddj.exec:\vjddj.exe74⤵PID:2532
-
\??\c:\86400.exec:\86400.exe75⤵PID:1976
-
\??\c:\7htthh.exec:\7htthh.exe76⤵PID:972
-
\??\c:\86802.exec:\86802.exe77⤵PID:2044
-
\??\c:\48624.exec:\48624.exe78⤵PID:1808
-
\??\c:\7htthb.exec:\7htthb.exe79⤵PID:2088
-
\??\c:\vvjpd.exec:\vvjpd.exe80⤵PID:2488
-
\??\c:\o440262.exec:\o440262.exe81⤵PID:844
-
\??\c:\dpdjp.exec:\dpdjp.exe82⤵PID:2332
-
\??\c:\bthhnn.exec:\bthhnn.exe83⤵PID:2508
-
\??\c:\4848028.exec:\4848028.exe84⤵PID:2768
-
\??\c:\k24826.exec:\k24826.exe85⤵PID:2808
-
\??\c:\jdpvj.exec:\jdpvj.exe86⤵PID:2804
-
\??\c:\jvppp.exec:\jvppp.exe87⤵PID:2876
-
\??\c:\642400.exec:\642400.exe88⤵PID:2820
-
\??\c:\vpdjp.exec:\vpdjp.exe89⤵PID:2940
-
\??\c:\420262.exec:\420262.exe90⤵PID:2660
-
\??\c:\202828.exec:\202828.exe91⤵PID:2828
-
\??\c:\4806482.exec:\4806482.exe92⤵PID:2736
-
\??\c:\o860662.exec:\o860662.exe93⤵PID:2780
-
\??\c:\lflxfff.exec:\lflxfff.exe94⤵PID:2712
-
\??\c:\2284062.exec:\2284062.exe95⤵PID:980
-
\??\c:\u400004.exec:\u400004.exe96⤵PID:772
-
\??\c:\nnhnht.exec:\nnhnht.exe97⤵PID:1344
-
\??\c:\bhhntb.exec:\bhhntb.exe98⤵PID:1408
-
\??\c:\6620482.exec:\6620482.exe99⤵PID:620
-
\??\c:\2622440.exec:\2622440.exe100⤵PID:2004
-
\??\c:\fxrfllx.exec:\fxrfllx.exe101⤵PID:1560
-
\??\c:\3vjdj.exec:\3vjdj.exe102⤵PID:2036
-
\??\c:\5tbbbt.exec:\5tbbbt.exe103⤵PID:2256
-
\??\c:\820026.exec:\820026.exe104⤵PID:1700
-
\??\c:\7dvvd.exec:\7dvvd.exe105⤵PID:1740
-
\??\c:\442824.exec:\442824.exe106⤵PID:2200
-
\??\c:\xlxfrxf.exec:\xlxfrxf.exe107⤵PID:828
-
\??\c:\82668.exec:\82668.exe108⤵PID:2952
-
\??\c:\7jjjp.exec:\7jjjp.exe109⤵PID:1476
-
\??\c:\08406.exec:\08406.exe110⤵PID:2252
-
\??\c:\e60622.exec:\e60622.exe111⤵PID:1296
-
\??\c:\2644040.exec:\2644040.exe112⤵PID:848
-
\??\c:\a0402.exec:\a0402.exe113⤵PID:1908
-
\??\c:\xlxxfxf.exec:\xlxxfxf.exe114⤵PID:1400
-
\??\c:\bnbhhb.exec:\bnbhhb.exe115⤵PID:768
-
\??\c:\g4286.exec:\g4286.exe116⤵
- System Location Discovery: System Language Discovery
PID:1644 -
\??\c:\6484628.exec:\6484628.exe117⤵PID:1972
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe118⤵PID:2308
-
\??\c:\3tnbhn.exec:\3tnbhn.exe119⤵PID:1980
-
\??\c:\s4028.exec:\s4028.exe120⤵PID:1920
-
\??\c:\u468446.exec:\u468446.exe121⤵PID:1424
-
\??\c:\86880.exec:\86880.exe122⤵PID:2240