Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 13:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe
-
Size
452KB
-
MD5
8e8808c2d771557dc8659462242b2f51
-
SHA1
e71c1397686aea58de2bcac3a7a8751b417b5549
-
SHA256
79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9
-
SHA512
8f2a9b7fb69589d66c95e3b061bafcae0aa2391e8dcc188e17eead506e5b1c9ee28c4c92410975af16e37829bee0962bc59b03be5cd1474674fc0ce831ffb227
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/1380-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-52-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-54-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2900-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-89-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2332-109-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2976-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1168-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2120-251-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1780-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-269-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2116-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-321-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1896-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-361-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2060-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/644-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-569-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2608-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2764-656-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2884-666-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2600-675-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2380-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-720-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2476-753-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1260-804-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/896-861-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2360-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-963-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1876-995-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1992-1143-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2100 tbnbtb.exe 2520 206626.exe 2680 m6400.exe 380 20662.exe 2744 824022.exe 2824 htnbnh.exe 2900 9djdj.exe 2832 a6828.exe 2736 202622.exe 2596 frlrrlr.exe 2332 rrxxlff.exe 2380 jpvjp.exe 1484 862260.exe 2976 80260.exe 2840 9frlfxx.exe 1876 a0222.exe 1752 fllfxxr.exe 2952 thnhhb.exe 2472 nhtbnn.exe 1168 vdjpp.exe 2176 42028.exe 2584 42006.exe 968 hbnttb.exe 3068 c640602.exe 780 420644.exe 2268 hbhbbt.exe 2120 084848.exe 1780 86860.exe 2116 822206.exe 1492 xxrxrrf.exe 236 268406.exe 2440 828400.exe 1584 82008.exe 2168 tthttt.exe 1896 i606884.exe 2520 4206228.exe 2576 08624.exe 2320 g4880.exe 2812 i240880.exe 2728 3lffxrr.exe 2824 26402.exe 2060 6840448.exe 2880 4240006.exe 2768 6044064.exe 1668 86446.exe 2596 xrllxxx.exe 2672 g4446.exe 688 lrrffff.exe 1112 e68220.exe 2976 lxrrrll.exe 2864 lfxlflr.exe 928 dvpvj.exe 908 c266288.exe 1648 2084006.exe 2860 dpvdj.exe 2932 9nbtnn.exe 2324 dvjdj.exe 2196 jdvdj.exe 2164 04680.exe 876 nnbhtt.exe 1064 7rffrxx.exe 1772 3hhnnn.exe 1680 dvpvj.exe 1332 688882.exe -
resource yara_rule behavioral1/memory/1380-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-89-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2380-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-251-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/1780-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-274-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2116-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-321-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/1896-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-727-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2152-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-862-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-881-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-888-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-970-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-995-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2244-1014-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-1099-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-1112-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2088884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1380 wrote to memory of 2100 1380 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 30 PID 1380 wrote to memory of 2100 1380 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 30 PID 1380 wrote to memory of 2100 1380 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 30 PID 1380 wrote to memory of 2100 1380 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 30 PID 2100 wrote to memory of 2520 2100 tbnbtb.exe 31 PID 2100 wrote to memory of 2520 2100 tbnbtb.exe 31 PID 2100 wrote to memory of 2520 2100 tbnbtb.exe 31 PID 2100 wrote to memory of 2520 2100 tbnbtb.exe 31 PID 2520 wrote to memory of 2680 2520 206626.exe 32 PID 2520 wrote to memory of 2680 2520 206626.exe 32 PID 2520 wrote to memory of 2680 2520 206626.exe 32 PID 2520 wrote to memory of 2680 2520 206626.exe 32 PID 2680 wrote to memory of 380 2680 m6400.exe 33 PID 2680 wrote to memory of 380 2680 m6400.exe 33 PID 2680 wrote to memory of 380 2680 m6400.exe 33 PID 2680 wrote to memory of 380 2680 m6400.exe 33 PID 380 wrote to memory of 2744 380 20662.exe 34 PID 380 wrote to memory of 2744 380 20662.exe 34 PID 380 wrote to memory of 2744 380 20662.exe 34 PID 380 wrote to memory of 2744 380 20662.exe 34 PID 2744 wrote to memory of 2824 2744 824022.exe 35 PID 2744 wrote to memory of 2824 2744 824022.exe 35 PID 2744 wrote to memory of 2824 2744 824022.exe 35 PID 2744 wrote to memory of 2824 2744 824022.exe 35 PID 2824 wrote to memory of 2900 2824 htnbnh.exe 36 PID 2824 wrote to memory of 2900 2824 htnbnh.exe 36 PID 2824 wrote to memory of 2900 2824 htnbnh.exe 36 PID 2824 wrote to memory of 2900 2824 htnbnh.exe 36 PID 2900 wrote to memory of 2832 2900 9djdj.exe 37 PID 2900 wrote to memory of 2832 2900 9djdj.exe 37 PID 2900 wrote to memory of 2832 2900 9djdj.exe 37 PID 2900 wrote to memory of 2832 2900 9djdj.exe 37 PID 2832 wrote to memory of 2736 2832 a6828.exe 38 PID 2832 wrote to memory of 2736 2832 
a6828.exe 38 PID 2832 wrote to memory of 2736 2832 a6828.exe 38 PID 2832 wrote to memory of 2736 2832 a6828.exe 38 PID 2736 wrote to memory of 2596 2736 202622.exe 39 PID 2736 wrote to memory of 2596 2736 202622.exe 39 PID 2736 wrote to memory of 2596 2736 202622.exe 39 PID 2736 wrote to memory of 2596 2736 202622.exe 39 PID 2596 wrote to memory of 2332 2596 frlrrlr.exe 40 PID 2596 wrote to memory of 2332 2596 frlrrlr.exe 40 PID 2596 wrote to memory of 2332 2596 frlrrlr.exe 40 PID 2596 wrote to memory of 2332 2596 frlrrlr.exe 40 PID 2332 wrote to memory of 2380 2332 rrxxlff.exe 41 PID 2332 wrote to memory of 2380 2332 rrxxlff.exe 41 PID 2332 wrote to memory of 2380 2332 rrxxlff.exe 41 PID 2332 wrote to memory of 2380 2332 rrxxlff.exe 41 PID 2380 wrote to memory of 1484 2380 jpvjp.exe 42 PID 2380 wrote to memory of 1484 2380 jpvjp.exe 42 PID 2380 wrote to memory of 1484 2380 jpvjp.exe 42 PID 2380 wrote to memory of 1484 2380 jpvjp.exe 42 PID 1484 wrote to memory of 2976 1484 862260.exe 43 PID 1484 wrote to memory of 2976 1484 862260.exe 43 PID 1484 wrote to memory of 2976 1484 862260.exe 43 PID 1484 wrote to memory of 2976 1484 862260.exe 43 PID 2976 wrote to memory of 2840 2976 80260.exe 44 PID 2976 wrote to memory of 2840 2976 80260.exe 44 PID 2976 wrote to memory of 2840 2976 80260.exe 44 PID 2976 wrote to memory of 2840 2976 80260.exe 44 PID 2840 wrote to memory of 1876 2840 9frlfxx.exe 45 PID 2840 wrote to memory of 1876 2840 9frlfxx.exe 45 PID 2840 wrote to memory of 1876 2840 9frlfxx.exe 45 PID 2840 wrote to memory of 1876 2840 9frlfxx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe"C:\Users\Admin\AppData\Local\Temp\79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\tbnbtb.exec:\tbnbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\206626.exec:\206626.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\m6400.exec:\m6400.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\20662.exec:\20662.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\824022.exec:\824022.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\htnbnh.exec:\htnbnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\9djdj.exec:\9djdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\a6828.exec:\a6828.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\202622.exec:\202622.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\frlrrlr.exec:\frlrrlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\rrxxlff.exec:\rrxxlff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\jpvjp.exec:\jpvjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\862260.exec:\862260.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\80260.exec:\80260.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\9frlfxx.exec:\9frlfxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\a0222.exec:\a0222.exe17⤵
- Executes dropped EXE
PID:1876 -
\??\c:\fllfxxr.exec:\fllfxxr.exe18⤵
- Executes dropped EXE
PID:1752 -
\??\c:\thnhhb.exec:\thnhhb.exe19⤵
- Executes dropped EXE
PID:2952 -
\??\c:\nhtbnn.exec:\nhtbnn.exe20⤵
- Executes dropped EXE
PID:2472 -
\??\c:\vdjpp.exec:\vdjpp.exe21⤵
- Executes dropped EXE
PID:1168 -
\??\c:\42028.exec:\42028.exe22⤵
- Executes dropped EXE
PID:2176 -
\??\c:\42006.exec:\42006.exe23⤵
- Executes dropped EXE
PID:2584 -
\??\c:\hbnttb.exec:\hbnttb.exe24⤵
- Executes dropped EXE
PID:968 -
\??\c:\c640602.exec:\c640602.exe25⤵
- Executes dropped EXE
PID:3068 -
\??\c:\420644.exec:\420644.exe26⤵
- Executes dropped EXE
PID:780 -
\??\c:\hbhbbt.exec:\hbhbbt.exe27⤵
- Executes dropped EXE
PID:2268 -
\??\c:\084848.exec:\084848.exe28⤵
- Executes dropped EXE
PID:2120 -
\??\c:\86860.exec:\86860.exe29⤵
- Executes dropped EXE
PID:1780 -
\??\c:\822206.exec:\822206.exe30⤵
- Executes dropped EXE
PID:2116 -
\??\c:\xxrxrrf.exec:\xxrxrrf.exe31⤵
- Executes dropped EXE
PID:1492 -
\??\c:\268406.exec:\268406.exe32⤵
- Executes dropped EXE
PID:236 -
\??\c:\828400.exec:\828400.exe33⤵
- Executes dropped EXE
PID:2440 -
\??\c:\82008.exec:\82008.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\tthttt.exec:\tthttt.exe35⤵
- Executes dropped EXE
PID:2168 -
\??\c:\i606884.exec:\i606884.exe36⤵
- Executes dropped EXE
PID:1896 -
\??\c:\4206228.exec:\4206228.exe37⤵
- Executes dropped EXE
PID:2520 -
\??\c:\08624.exec:\08624.exe38⤵
- Executes dropped EXE
PID:2576 -
\??\c:\g4880.exec:\g4880.exe39⤵
- Executes dropped EXE
PID:2320 -
\??\c:\i240880.exec:\i240880.exe40⤵
- Executes dropped EXE
PID:2812 -
\??\c:\3lffxrr.exec:\3lffxrr.exe41⤵
- Executes dropped EXE
PID:2728 -
\??\c:\26402.exec:\26402.exe42⤵
- Executes dropped EXE
PID:2824 -
\??\c:\6840448.exec:\6840448.exe43⤵
- Executes dropped EXE
PID:2060 -
\??\c:\4240006.exec:\4240006.exe44⤵
- Executes dropped EXE
PID:2880 -
\??\c:\6044064.exec:\6044064.exe45⤵
- Executes dropped EXE
PID:2768 -
\??\c:\86446.exec:\86446.exe46⤵
- Executes dropped EXE
PID:1668 -
\??\c:\xrllxxx.exec:\xrllxxx.exe47⤵
- Executes dropped EXE
PID:2596 -
\??\c:\g4446.exec:\g4446.exe48⤵
- Executes dropped EXE
PID:2672 -
\??\c:\lrrffff.exec:\lrrffff.exe49⤵
- Executes dropped EXE
PID:688 -
\??\c:\e68220.exec:\e68220.exe50⤵
- Executes dropped EXE
PID:1112 -
\??\c:\lxrrrll.exec:\lxrrrll.exe51⤵
- Executes dropped EXE
PID:2976 -
\??\c:\lfxlflr.exec:\lfxlflr.exe52⤵
- Executes dropped EXE
PID:2864 -
\??\c:\dvpvj.exec:\dvpvj.exe53⤵
- Executes dropped EXE
PID:928 -
\??\c:\c266288.exec:\c266288.exe54⤵
- Executes dropped EXE
PID:908 -
\??\c:\2084006.exec:\2084006.exe55⤵
- Executes dropped EXE
PID:1648 -
\??\c:\dpvdj.exec:\dpvdj.exe56⤵
- Executes dropped EXE
PID:2860 -
\??\c:\9nbtnn.exec:\9nbtnn.exe57⤵
- Executes dropped EXE
PID:2932 -
\??\c:\dvjdj.exec:\dvjdj.exe58⤵
- Executes dropped EXE
PID:2324 -
\??\c:\jdvdj.exec:\jdvdj.exe59⤵
- Executes dropped EXE
PID:2196 -
\??\c:\04680.exec:\04680.exe60⤵
- Executes dropped EXE
PID:2164 -
\??\c:\nnbhtt.exec:\nnbhtt.exe61⤵
- Executes dropped EXE
PID:876 -
\??\c:\7rffrxx.exec:\7rffrxx.exe62⤵
- Executes dropped EXE
PID:1064 -
\??\c:\3hhnnn.exec:\3hhnnn.exe63⤵
- Executes dropped EXE
PID:1772 -
\??\c:\dvpvj.exec:\dvpvj.exe64⤵
- Executes dropped EXE
PID:1680 -
\??\c:\688882.exec:\688882.exe65⤵
- Executes dropped EXE
PID:1332 -
\??\c:\xrrrffr.exec:\xrrrffr.exe66⤵PID:484
-
\??\c:\xxrrffx.exec:\xxrrffx.exe67⤵PID:2852
-
\??\c:\xrlrlfr.exec:\xrlrlfr.exe68⤵PID:1020
-
\??\c:\e26468.exec:\e26468.exe69⤵PID:2468
-
\??\c:\1lxllrf.exec:\1lxllrf.exe70⤵PID:3024
-
\??\c:\46204.exec:\46204.exe71⤵PID:2392
-
\??\c:\24224.exec:\24224.exe72⤵PID:644
-
\??\c:\frllllr.exec:\frllllr.exe73⤵PID:1000
-
\??\c:\o868402.exec:\o868402.exe74⤵PID:1056
-
\??\c:\42066.exec:\42066.exe75⤵PID:2016
-
\??\c:\08224.exec:\08224.exe76⤵PID:2032
-
\??\c:\frfrrlr.exec:\frfrrlr.exe77⤵PID:1588
-
\??\c:\hhtbhh.exec:\hhtbhh.exe78⤵PID:3020
-
\??\c:\lflllff.exec:\lflllff.exe79⤵PID:2108
-
\??\c:\ddvvd.exec:\ddvvd.exe80⤵
- System Location Discovery: System Language Discovery
PID:2448 -
\??\c:\ppvjp.exec:\ppvjp.exe81⤵PID:2780
-
\??\c:\820622.exec:\820622.exe82⤵PID:1852
-
\??\c:\5xrrlfr.exec:\5xrrlfr.exe83⤵PID:2452
-
\??\c:\48684.exec:\48684.exe84⤵PID:2796
-
\??\c:\xfrllfl.exec:\xfrllfl.exe85⤵PID:3040
-
\??\c:\4282400.exec:\4282400.exe86⤵PID:2608
-
\??\c:\8688422.exec:\8688422.exe87⤵PID:2732
-
\??\c:\rflflff.exec:\rflflff.exe88⤵PID:2764
-
\??\c:\8644606.exec:\8644606.exe89⤵PID:2884
-
\??\c:\862626.exec:\862626.exe90⤵PID:2600
-
\??\c:\dvvvv.exec:\dvvvv.exe91⤵PID:1304
-
\??\c:\46222.exec:\46222.exe92⤵PID:1732
-
\??\c:\bntttt.exec:\bntttt.exe93⤵PID:2380
-
\??\c:\hthhhh.exec:\hthhhh.exe94⤵PID:1484
-
\??\c:\5nttnh.exec:\5nttnh.exe95⤵PID:1520
-
\??\c:\5lrfxrl.exec:\5lrfxrl.exe96⤵PID:2840
-
\??\c:\w46000.exec:\w46000.exe97⤵PID:2848
-
\??\c:\7lrrrrx.exec:\7lrrrrx.exe98⤵PID:1892
-
\??\c:\s0822.exec:\s0822.exe99⤵PID:680
-
\??\c:\9htnbh.exec:\9htnbh.exe100⤵PID:2312
-
\??\c:\rlrffrx.exec:\rlrffrx.exe101⤵PID:2152
-
\??\c:\nhnnnh.exec:\nhnnnh.exe102⤵PID:2476
-
\??\c:\vjjvp.exec:\vjjvp.exe103⤵PID:2316
-
\??\c:\40226.exec:\40226.exe104⤵PID:1168
-
\??\c:\q46604.exec:\q46604.exe105⤵PID:2004
-
\??\c:\pdjdj.exec:\pdjdj.exe106⤵PID:664
-
\??\c:\3xlllll.exec:\3xlllll.exe107⤵PID:2008
-
\??\c:\u244448.exec:\u244448.exe108⤵PID:1680
-
\??\c:\djpdv.exec:\djpdv.exe109⤵PID:3068
-
\??\c:\46888.exec:\46888.exe110⤵PID:1260
-
\??\c:\7pvjd.exec:\7pvjd.exe111⤵PID:2852
-
\??\c:\2064444.exec:\2064444.exe112⤵PID:1420
-
\??\c:\pvvvp.exec:\pvvvp.exe113⤵PID:2468
-
\??\c:\rxfffff.exec:\rxfffff.exe114⤵PID:1744
-
\??\c:\1nnhht.exec:\1nnhht.exe115⤵PID:2392
-
\??\c:\3ppjv.exec:\3ppjv.exe116⤵PID:1500
-
\??\c:\pdjjj.exec:\pdjjj.exe117⤵PID:2416
-
\??\c:\9rxrlff.exec:\9rxrlff.exe118⤵PID:2300
-
\??\c:\64644.exec:\64644.exe119⤵PID:896
-
\??\c:\k20064.exec:\k20064.exe120⤵PID:2184
-
\??\c:\rffxrlr.exec:\rffxrlr.exe121⤵PID:1588
-
\??\c:\6204680.exec:\6204680.exe122⤵PID:2404