Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 13:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
94657ad8d38d86d5a664cd6ad353a0bed68a3b50df4ab75332d5e501429dbee9.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
94657ad8d38d86d5a664cd6ad353a0bed68a3b50df4ab75332d5e501429dbee9.exe
-
Size
455KB
-
MD5
f569e1d1796ba6d3fb637beead40263b
-
SHA1
c5266af2ac7e2a278432d969679d6b07aa7ec3bf
-
SHA256
94657ad8d38d86d5a664cd6ad353a0bed68a3b50df4ab75332d5e501429dbee9
-
SHA512
2b794500676b90613cad560920ce011864389c72aef9e33f310987a95fb256e8ceb6421cf32b51df4c608ef7e89d8acb631bae58f829f6a3db041ed93cfa50fa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/388-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-27-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1824-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/272-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-218-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2356-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1768-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-258-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1640-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-295-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/284-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/740-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-479-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/844-493-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/840-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-540-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2160-553-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/876-567-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2120-607-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2120-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-640-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2744-647-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1044-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-699-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2344-718-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/444-749-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/444-768-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/1716-775-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2168-813-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2536-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-870-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2872-913-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2916-938-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2688-945-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3060-1115-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2692-1130-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2536 684406.exe 1824 btbhtn.exe 2472 g6844.exe 2720 nbntbn.exe 2860 684048.exe 2744 3hbnnn.exe 2728 q86282.exe 2808 tnhbhh.exe 2668 nbhbbt.exe 2676 2066824.exe 2032 4824642.exe 272 8622262.exe 2952 vpddj.exe 1948 5htbhh.exe 320 6088680.exe 2044 0468406.exe 3056 082844.exe 2212 e48684.exe 1312 lrfrfxl.exe 2284 60242.exe 1752 5nhhbh.exe 2496 dvjpp.exe 2348 tnhnnb.exe 1696 8686644.exe 1564 08440.exe 2356 xrffffr.exe 1768 nnthtt.exe 2196 4844006.exe 2276 xlrxxff.exe 2596 frfffxf.exe 1640 20286.exe 2540 2288644.exe 2520 pjdjv.exe 1600 424442.exe 284 64082.exe 1728 082286.exe 2252 4244262.exe 2740 0404622.exe 740 nhhbtn.exe 2872 ffxrfxf.exe 2828 864462.exe 2744 tnttnh.exe 2932 1pjpd.exe 1144 hbnntn.exe 2776 468888.exe 2664 pvpvd.exe 2084 7frrfxf.exe 2092 xlrrfxf.exe 2964 nhbbtt.exe 2928 46266.exe 2672 q48828.exe 2804 e66026.exe 320 8684264.exe 1904 jdpdj.exe 1232 o684606.exe 2984 bhnhhb.exe 2164 xrflxxl.exe 2224 pdvjj.exe 2404 046800.exe 2492 2046446.exe 1752 046200.exe 844 jjpdv.exe 1356 i262446.exe 840 820622.exe -
resource yara_rule behavioral1/memory/388-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/272-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-218-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2356-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-261-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1640-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-295-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/284-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/740-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-486-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/840-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-540-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2160-553-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/876-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-567-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/868-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-607-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2120-606-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2716-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-775-0x0000000000530000-0x000000000055A000-memory.dmp upx behavioral1/memory/1772-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/748-970-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8648062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2288644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e48844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 388 wrote to memory of 2536 388 94657ad8d38d86d5a664cd6ad353a0bed68a3b50df4ab75332d5e501429dbee9.exe 31 PID 388 wrote to memory of 2536 388 94657ad8d38d86d5a664cd6ad353a0bed68a3b50df4ab75332d5e501429dbee9.exe 31 PID 388 wrote to memory of 2536 388 94657ad8d38d86d5a664cd6ad353a0bed68a3b50df4ab75332d5e501429dbee9.exe 31 PID 388 wrote to memory of 2536 388 94657ad8d38d86d5a664cd6ad353a0bed68a3b50df4ab75332d5e501429dbee9.exe 31 PID 2536 wrote to memory of 1824 2536 684406.exe 32 PID 2536 wrote to memory of 1824 2536 684406.exe 32 PID 2536 wrote to memory of 1824 2536 684406.exe 32 PID 2536 wrote to memory of 1824 2536 684406.exe 32 PID 1824 wrote to memory of 2472 1824 btbhtn.exe 33 PID 1824 wrote to memory of 2472 1824 btbhtn.exe 33 PID 1824 wrote to memory of 2472 1824 btbhtn.exe 33 PID 1824 wrote to memory of 2472 1824 btbhtn.exe 33 PID 2472 wrote to memory of 2720 2472 g6844.exe 34 PID 2472 wrote to memory of 2720 2472 g6844.exe 34 PID 2472 wrote to memory of 2720 2472 g6844.exe 34 PID 2472 wrote to memory of 2720 2472 g6844.exe 34 PID 2720 wrote to memory of 2860 2720 nbntbn.exe 35 PID 2720 wrote to memory of 2860 2720 nbntbn.exe 35 PID 2720 wrote to memory of 2860 2720 nbntbn.exe 35 PID 2720 wrote to memory of 2860 2720 nbntbn.exe 35 PID 2860 wrote to memory of 2744 2860 684048.exe 36 PID 2860 wrote to memory of 2744 2860 684048.exe 36 PID 2860 wrote to memory of 2744 2860 684048.exe 36 PID 2860 wrote to memory of 2744 2860 684048.exe 36 PID 2744 wrote to memory of 2728 2744 3hbnnn.exe 37 PID 2744 wrote to memory of 2728 2744 3hbnnn.exe 37 PID 2744 wrote to memory of 2728 2744 3hbnnn.exe 37 PID 2744 wrote to memory of 2728 2744 3hbnnn.exe 37 PID 2728 wrote to memory of 2808 2728 q86282.exe 38 PID 2728 wrote to memory of 2808 2728 q86282.exe 38 PID 2728 wrote to memory of 2808 2728 q86282.exe 38 PID 2728 wrote to memory of 2808 2728 q86282.exe 38 PID 2808 wrote to memory of 2668 2808 tnhbhh.exe 39 PID 2808 wrote to memory 
of 2668 2808 tnhbhh.exe 39 PID 2808 wrote to memory of 2668 2808 tnhbhh.exe 39 PID 2808 wrote to memory of 2668 2808 tnhbhh.exe 39 PID 2668 wrote to memory of 2676 2668 nbhbbt.exe 40 PID 2668 wrote to memory of 2676 2668 nbhbbt.exe 40 PID 2668 wrote to memory of 2676 2668 nbhbbt.exe 40 PID 2668 wrote to memory of 2676 2668 nbhbbt.exe 40 PID 2676 wrote to memory of 2032 2676 2066824.exe 41 PID 2676 wrote to memory of 2032 2676 2066824.exe 41 PID 2676 wrote to memory of 2032 2676 2066824.exe 41 PID 2676 wrote to memory of 2032 2676 2066824.exe 41 PID 2032 wrote to memory of 272 2032 4824642.exe 42 PID 2032 wrote to memory of 272 2032 4824642.exe 42 PID 2032 wrote to memory of 272 2032 4824642.exe 42 PID 2032 wrote to memory of 272 2032 4824642.exe 42 PID 272 wrote to memory of 2952 272 8622262.exe 43 PID 272 wrote to memory of 2952 272 8622262.exe 43 PID 272 wrote to memory of 2952 272 8622262.exe 43 PID 272 wrote to memory of 2952 272 8622262.exe 43 PID 2952 wrote to memory of 1948 2952 vpddj.exe 44 PID 2952 wrote to memory of 1948 2952 vpddj.exe 44 PID 2952 wrote to memory of 1948 2952 vpddj.exe 44 PID 2952 wrote to memory of 1948 2952 vpddj.exe 44 PID 1948 wrote to memory of 320 1948 5htbhh.exe 45 PID 1948 wrote to memory of 320 1948 5htbhh.exe 45 PID 1948 wrote to memory of 320 1948 5htbhh.exe 45 PID 1948 wrote to memory of 320 1948 5htbhh.exe 45 PID 320 wrote to memory of 2044 320 6088680.exe 46 PID 320 wrote to memory of 2044 320 6088680.exe 46 PID 320 wrote to memory of 2044 320 6088680.exe 46 PID 320 wrote to memory of 2044 320 6088680.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\94657ad8d38d86d5a664cd6ad353a0bed68a3b50df4ab75332d5e501429dbee9.exe"C:\Users\Admin\AppData\Local\Temp\94657ad8d38d86d5a664cd6ad353a0bed68a3b50df4ab75332d5e501429dbee9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\684406.exec:\684406.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\btbhtn.exec:\btbhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\g6844.exec:\g6844.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\nbntbn.exec:\nbntbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\684048.exec:\684048.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\3hbnnn.exec:\3hbnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\q86282.exec:\q86282.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\tnhbhh.exec:\tnhbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\nbhbbt.exec:\nbhbbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\2066824.exec:\2066824.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\4824642.exec:\4824642.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\8622262.exec:\8622262.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:272 -
\??\c:\vpddj.exec:\vpddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\5htbhh.exec:\5htbhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\6088680.exec:\6088680.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\0468406.exec:\0468406.exe17⤵
- Executes dropped EXE
PID:2044 -
\??\c:\082844.exec:\082844.exe18⤵
- Executes dropped EXE
PID:3056 -
\??\c:\e48684.exec:\e48684.exe19⤵
- Executes dropped EXE
PID:2212 -
\??\c:\lrfrfxl.exec:\lrfrfxl.exe20⤵
- Executes dropped EXE
PID:1312 -
\??\c:\60242.exec:\60242.exe21⤵
- Executes dropped EXE
PID:2284 -
\??\c:\5nhhbh.exec:\5nhhbh.exe22⤵
- Executes dropped EXE
PID:1752 -
\??\c:\dvjpp.exec:\dvjpp.exe23⤵
- Executes dropped EXE
PID:2496 -
\??\c:\tnhnnb.exec:\tnhnnb.exe24⤵
- Executes dropped EXE
PID:2348 -
\??\c:\8686644.exec:\8686644.exe25⤵
- Executes dropped EXE
PID:1696 -
\??\c:\08440.exec:\08440.exe26⤵
- Executes dropped EXE
PID:1564 -
\??\c:\xrffffr.exec:\xrffffr.exe27⤵
- Executes dropped EXE
PID:2356 -
\??\c:\nnthtt.exec:\nnthtt.exe28⤵
- Executes dropped EXE
PID:1768 -
\??\c:\4844006.exec:\4844006.exe29⤵
- Executes dropped EXE
PID:2196 -
\??\c:\xlrxxff.exec:\xlrxxff.exe30⤵
- Executes dropped EXE
PID:2276 -
\??\c:\frfffxf.exec:\frfffxf.exe31⤵
- Executes dropped EXE
PID:2596 -
\??\c:\20286.exec:\20286.exe32⤵
- Executes dropped EXE
PID:1640 -
\??\c:\2288644.exec:\2288644.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540 -
\??\c:\pjdjv.exec:\pjdjv.exe34⤵
- Executes dropped EXE
PID:2520 -
\??\c:\424442.exec:\424442.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\64082.exec:\64082.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:284 -
\??\c:\082286.exec:\082286.exe37⤵
- Executes dropped EXE
PID:1728 -
\??\c:\4244262.exec:\4244262.exe38⤵
- Executes dropped EXE
PID:2252 -
\??\c:\0404622.exec:\0404622.exe39⤵
- Executes dropped EXE
PID:2740 -
\??\c:\nhhbtn.exec:\nhhbtn.exe40⤵
- Executes dropped EXE
PID:740 -
\??\c:\ffxrfxf.exec:\ffxrfxf.exe41⤵
- Executes dropped EXE
PID:2872 -
\??\c:\864462.exec:\864462.exe42⤵
- Executes dropped EXE
PID:2828 -
\??\c:\tnttnh.exec:\tnttnh.exe43⤵
- Executes dropped EXE
PID:2744 -
\??\c:\1pjpd.exec:\1pjpd.exe44⤵
- Executes dropped EXE
PID:2932 -
\??\c:\hbnntn.exec:\hbnntn.exe45⤵
- Executes dropped EXE
PID:1144 -
\??\c:\468888.exec:\468888.exe46⤵
- Executes dropped EXE
PID:2776 -
\??\c:\pvpvd.exec:\pvpvd.exe47⤵
- Executes dropped EXE
PID:2664 -
\??\c:\7frrfxf.exec:\7frrfxf.exe48⤵
- Executes dropped EXE
PID:2084 -
\??\c:\xlrrfxf.exec:\xlrrfxf.exe49⤵
- Executes dropped EXE
PID:2092 -
\??\c:\nhbbtt.exec:\nhbbtt.exe50⤵
- Executes dropped EXE
PID:2964 -
\??\c:\46266.exec:\46266.exe51⤵
- Executes dropped EXE
PID:2928 -
\??\c:\q48828.exec:\q48828.exe52⤵
- Executes dropped EXE
PID:2672 -
\??\c:\e66026.exec:\e66026.exe53⤵
- Executes dropped EXE
PID:2804 -
\??\c:\8684264.exec:\8684264.exe54⤵
- Executes dropped EXE
PID:320 -
\??\c:\jdpdj.exec:\jdpdj.exe55⤵
- Executes dropped EXE
PID:1904 -
\??\c:\o684606.exec:\o684606.exe56⤵
- Executes dropped EXE
PID:1232 -
\??\c:\bhnhhb.exec:\bhnhhb.exe57⤵
- Executes dropped EXE
PID:2984 -
\??\c:\xrflxxl.exec:\xrflxxl.exe58⤵
- Executes dropped EXE
PID:2164 -
\??\c:\pdvjj.exec:\pdvjj.exe59⤵
- Executes dropped EXE
PID:2224 -
\??\c:\046800.exec:\046800.exe60⤵
- Executes dropped EXE
PID:2404 -
\??\c:\2046446.exec:\2046446.exe61⤵
- Executes dropped EXE
PID:2492 -
\??\c:\046200.exec:\046200.exe62⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jjpdv.exec:\jjpdv.exe63⤵
- Executes dropped EXE
PID:844 -
\??\c:\i262446.exec:\i262446.exe64⤵
- Executes dropped EXE
PID:1356 -
\??\c:\820622.exec:\820622.exe65⤵
- Executes dropped EXE
PID:840 -
\??\c:\nhtbnt.exec:\nhtbnt.exe66⤵PID:296
-
\??\c:\7djdd.exec:\7djdd.exe67⤵PID:860
-
\??\c:\nnhtbh.exec:\nnhtbh.exe68⤵PID:2356
-
\??\c:\1jvjp.exec:\1jvjp.exe69⤵PID:1768
-
\??\c:\hhbhnt.exec:\hhbhnt.exe70⤵PID:1932
-
\??\c:\dpddp.exec:\dpddp.exe71⤵PID:2460
-
\??\c:\080644.exec:\080644.exe72⤵PID:2160
-
\??\c:\i204066.exec:\i204066.exe73⤵PID:1500
-
\??\c:\820028.exec:\820028.exe74⤵PID:876
-
\??\c:\nthnnb.exec:\nthnnb.exe75⤵PID:1740
-
\??\c:\s6880.exec:\s6880.exe76⤵PID:1692
-
\??\c:\7nhhbh.exec:\7nhhbh.exe77⤵PID:2520
-
\??\c:\xxllflx.exec:\xxllflx.exe78⤵PID:868
-
\??\c:\20684.exec:\20684.exe79⤵PID:284
-
\??\c:\3pjdv.exec:\3pjdv.exe80⤵
- System Location Discovery: System Language Discovery
PID:2120 -
\??\c:\k08844.exec:\k08844.exe81⤵PID:2752
-
\??\c:\jjvvd.exec:\jjvvd.exe82⤵PID:2716
-
\??\c:\e02022.exec:\e02022.exe83⤵PID:2476
-
\??\c:\u642884.exec:\u642884.exe84⤵PID:2736
-
\??\c:\pjvdj.exec:\pjvdj.exe85⤵PID:2828
-
\??\c:\3nhbnt.exec:\3nhbnt.exe86⤵PID:2744
-
\??\c:\642806.exec:\642806.exe87⤵PID:2616
-
\??\c:\rlxfffr.exec:\rlxfffr.exe88⤵PID:2876
-
\??\c:\w08288.exec:\w08288.exe89⤵PID:1044
-
\??\c:\bnbbnt.exec:\bnbbnt.exe90⤵PID:1996
-
\??\c:\04420.exec:\04420.exe91⤵PID:2600
-
\??\c:\nhtbhn.exec:\nhtbhn.exe92⤵PID:796
-
\??\c:\hnhbhn.exec:\hnhbhn.exe93⤵PID:2964
-
\??\c:\864062.exec:\864062.exe94⤵PID:2344
-
\??\c:\9hbhbn.exec:\9hbhbn.exe95⤵PID:1700
-
\??\c:\xrllflx.exec:\xrllflx.exe96⤵
- System Location Discovery: System Language Discovery
PID:1440 -
\??\c:\hnhttn.exec:\hnhttn.exe97⤵PID:320
-
\??\c:\1xlrffx.exec:\1xlrffx.exe98⤵PID:3056
-
\??\c:\8200660.exec:\8200660.exe99⤵PID:2216
-
\??\c:\ddvjj.exec:\ddvjj.exe100⤵PID:1856
-
\??\c:\208466.exec:\208466.exe101⤵PID:2244
-
\??\c:\a8624.exec:\a8624.exe102⤵PID:444
-
\??\c:\88686.exec:\88686.exe103⤵PID:2028
-
\??\c:\btnthn.exec:\btnthn.exe104⤵PID:800
-
\??\c:\o080628.exec:\o080628.exe105⤵PID:1752
-
\??\c:\ffxlrxf.exec:\ffxlrxf.exe106⤵PID:1716
-
\??\c:\lrxrfxf.exec:\lrxrfxf.exe107⤵PID:1468
-
\??\c:\26402.exec:\26402.exe108⤵PID:1612
-
\??\c:\6488624.exec:\6488624.exe109⤵PID:2388
-
\??\c:\4606288.exec:\4606288.exe110⤵PID:1772
-
\??\c:\60624.exec:\60624.exe111⤵PID:2380
-
\??\c:\042844.exec:\042844.exe112⤵PID:2168
-
\??\c:\k28400.exec:\k28400.exe113⤵PID:2184
-
\??\c:\826200.exec:\826200.exe114⤵PID:2276
-
\??\c:\400602.exec:\400602.exe115⤵PID:1980
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe116⤵PID:3060
-
\??\c:\00802.exec:\00802.exe117⤵PID:980
-
\??\c:\vpjpd.exec:\vpjpd.exe118⤵PID:2420
-
\??\c:\8262880.exec:\8262880.exe119⤵PID:388
-
\??\c:\jdjpv.exec:\jdjpv.exe120⤵PID:2536
-
\??\c:\tttbnt.exec:\tttbnt.exe121⤵PID:684
-
\??\c:\42440.exec:\42440.exe122⤵PID:1824