Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 22:44
Static task
static1
Behavioral task
behavioral1
Sample
4c656e330bba99c2faee30851892e40d41db8d9d9ff7238c777851b21047a214.exe
Resource
win7-20241023-en
General
-
Target
4c656e330bba99c2faee30851892e40d41db8d9d9ff7238c777851b21047a214.exe
-
Size
335KB
-
MD5
06fe926242a7b7bbbcc01b7c0bc38e89
-
SHA1
a5e723e1dd703b57ee3ec4c970422a6f4e6c0111
-
SHA256
4c656e330bba99c2faee30851892e40d41db8d9d9ff7238c777851b21047a214
-
SHA512
fce2126fb3a8e76b712cd417b017a197615a9c758b6a800e785ebe289737867180aa0a8bb63c343f3ba31102565839ed5f2bd6687d2d6a7e89d0183a763e2a18
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhJ:F7Tc8JdSjylh2b77BoTMA9gX59sTsuT5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload (45 IoCs — every match listed below is against a process memory dump, not the sample on disk)
resource yara_rule behavioral1/memory/2272-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-53-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2944-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-346-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2464-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1816-406-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2264-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1384-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-701-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2236-966-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-1023-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1920-1048-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2996-1085-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2848-1123-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1968-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/588-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/304-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-454-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-1187-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2044-1189-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2276-1215-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2096-1307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs; note that several PIDs, e.g. 3060, 2908, 2744 and 1272, appear twice in this list with different image names, which indicates PID reuse during the run — a PID alone does not identify a single dropped binary here)
pid Process 2316 3bbbbt.exe 1008 ttnthn.exe 2948 u640268.exe 1496 bnbbhn.exe 3060 pjpvp.exe 2908 fxrxffr.exe 2824 886622.exe 2944 lxllllr.exe 3012 k86866.exe 2932 8684006.exe 2744 046866.exe 2712 6088006.exe 2188 1vpvj.exe 2196 608466.exe 2340 9hnnht.exe 2236 820648.exe 1528 26062.exe 844 s0222.exe 2456 s6806.exe 1684 42662.exe 1272 bhnnnb.exe 2016 6484006.exe 1752 7vvdp.exe 968 7tnhht.exe 1124 htbntb.exe 2588 0426446.exe 2348 e80062.exe 2536 0846268.exe 2228 s4668.exe 2148 084400.exe 2704 nhtbtt.exe 2492 60224.exe 2360 fxfflll.exe 2524 868400.exe 3036 3jpvv.exe 2852 800080.exe 928 m4266.exe 2812 xxrrrrf.exe 3060 424606.exe 2908 hbbhhh.exe 2464 hbnbhn.exe 3008 3lfxxxf.exe 2672 bbbbnh.exe 2688 86884.exe 2788 vpdjv.exe 2720 hbtnbb.exe 2744 vdjvd.exe 2496 u202402.exe 1816 82466.exe 2264 8640262.exe 2448 m2062.exe 2376 m0400.exe 2152 48026.exe 2304 28220.exe 1256 5xxxxlx.exe 1156 824042.exe 2052 9bhhnt.exe 304 1jddd.exe 1824 tnhntb.exe 1272 8000246.exe 1764 vpdjv.exe 1384 jdpjp.exe 1164 208844.exe 1696 20668.exe -
resource yara_rule behavioral1/memory/2272-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-494-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1776-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-966-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-980-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-1150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-1190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-1203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-1218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-1238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-1300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-1307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-1344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-1369-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs; entries below that read "Process not Found" are registry opens the sandbox could not attribute to a process)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u422424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w62244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2316 2272 4c656e330bba99c2faee30851892e40d41db8d9d9ff7238c777851b21047a214.exe 30 PID 2272 wrote to memory of 2316 2272 4c656e330bba99c2faee30851892e40d41db8d9d9ff7238c777851b21047a214.exe 30 PID 2272 wrote to memory of 2316 2272 4c656e330bba99c2faee30851892e40d41db8d9d9ff7238c777851b21047a214.exe 30 PID 2272 wrote to memory of 2316 2272 4c656e330bba99c2faee30851892e40d41db8d9d9ff7238c777851b21047a214.exe 30 PID 2316 wrote to memory of 1008 2316 3bbbbt.exe 31 PID 2316 wrote to memory of 1008 2316 3bbbbt.exe 31 PID 2316 wrote to memory of 1008 2316 3bbbbt.exe 31 PID 2316 wrote to memory of 1008 2316 3bbbbt.exe 31 PID 1008 wrote to memory of 2948 1008 ttnthn.exe 32 PID 1008 wrote to memory of 2948 1008 ttnthn.exe 32 PID 1008 wrote to memory of 2948 1008 ttnthn.exe 32 PID 1008 wrote to memory of 2948 1008 ttnthn.exe 32 PID 2948 wrote to memory of 1496 2948 u640268.exe 33 PID 2948 wrote to memory of 1496 2948 u640268.exe 33 PID 2948 wrote to memory of 1496 2948 u640268.exe 33 PID 2948 wrote to memory of 1496 2948 u640268.exe 33 PID 1496 wrote to memory of 3060 1496 bnbbhn.exe 68 PID 1496 wrote to memory of 3060 1496 bnbbhn.exe 68 PID 1496 wrote to memory of 3060 1496 bnbbhn.exe 68 PID 1496 wrote to memory of 3060 1496 bnbbhn.exe 68 PID 3060 wrote to memory of 2908 3060 pjpvp.exe 69 PID 3060 wrote to memory of 2908 3060 pjpvp.exe 69 PID 3060 wrote to memory of 2908 3060 pjpvp.exe 69 PID 3060 wrote to memory of 2908 3060 pjpvp.exe 69 PID 2908 wrote to memory of 2824 2908 fxrxffr.exe 36 PID 2908 wrote to memory of 2824 2908 fxrxffr.exe 36 PID 2908 wrote to memory of 2824 2908 fxrxffr.exe 36 PID 2908 wrote to memory of 2824 2908 fxrxffr.exe 36 PID 2824 wrote to memory of 2944 2824 886622.exe 37 PID 2824 wrote to memory of 2944 2824 886622.exe 37 PID 2824 wrote to memory of 2944 2824 886622.exe 37 PID 2824 wrote to memory of 2944 2824 886622.exe 37 PID 2944 wrote to memory of 3012 2944 lxllllr.exe 38 PID 2944 
wrote to memory of 3012 2944 lxllllr.exe 38 PID 2944 wrote to memory of 3012 2944 lxllllr.exe 38 PID 2944 wrote to memory of 3012 2944 lxllllr.exe 38 PID 3012 wrote to memory of 2932 3012 k86866.exe 39 PID 3012 wrote to memory of 2932 3012 k86866.exe 39 PID 3012 wrote to memory of 2932 3012 k86866.exe 39 PID 3012 wrote to memory of 2932 3012 k86866.exe 39 PID 2932 wrote to memory of 2744 2932 8684006.exe 76 PID 2932 wrote to memory of 2744 2932 8684006.exe 76 PID 2932 wrote to memory of 2744 2932 8684006.exe 76 PID 2932 wrote to memory of 2744 2932 8684006.exe 76 PID 2744 wrote to memory of 2712 2744 046866.exe 41 PID 2744 wrote to memory of 2712 2744 046866.exe 41 PID 2744 wrote to memory of 2712 2744 046866.exe 41 PID 2744 wrote to memory of 2712 2744 046866.exe 41 PID 2712 wrote to memory of 2188 2712 6088006.exe 42 PID 2712 wrote to memory of 2188 2712 6088006.exe 42 PID 2712 wrote to memory of 2188 2712 6088006.exe 42 PID 2712 wrote to memory of 2188 2712 6088006.exe 42 PID 2188 wrote to memory of 2196 2188 1vpvj.exe 122 PID 2188 wrote to memory of 2196 2188 1vpvj.exe 122 PID 2188 wrote to memory of 2196 2188 1vpvj.exe 122 PID 2188 wrote to memory of 2196 2188 1vpvj.exe 122 PID 2196 wrote to memory of 2340 2196 608466.exe 44 PID 2196 wrote to memory of 2340 2196 608466.exe 44 PID 2196 wrote to memory of 2340 2196 608466.exe 44 PID 2196 wrote to memory of 2340 2196 608466.exe 44 PID 2340 wrote to memory of 2236 2340 9hnnht.exe 45 PID 2340 wrote to memory of 2236 2340 9hnnht.exe 45 PID 2340 wrote to memory of 2236 2340 9hnnht.exe 45 PID 2340 wrote to memory of 2236 2340 9hnnht.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c656e330bba99c2faee30851892e40d41db8d9d9ff7238c777851b21047a214.exe"C:\Users\Admin\AppData\Local\Temp\4c656e330bba99c2faee30851892e40d41db8d9d9ff7238c777851b21047a214.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\3bbbbt.exec:\3bbbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\ttnthn.exec:\ttnthn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\u640268.exec:\u640268.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\bnbbhn.exec:\bnbbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\pjpvp.exec:\pjpvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\fxrxffr.exec:\fxrxffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\886622.exec:\886622.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\lxllllr.exec:\lxllllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\k86866.exec:\k86866.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\8684006.exec:\8684006.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\046866.exec:\046866.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\6088006.exec:\6088006.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\1vpvj.exec:\1vpvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\608466.exec:\608466.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\9hnnht.exec:\9hnnht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\820648.exec:\820648.exe17⤵
- Executes dropped EXE
PID:2236 -
\??\c:\26062.exec:\26062.exe18⤵
- Executes dropped EXE
PID:1528 -
\??\c:\s0222.exec:\s0222.exe19⤵
- Executes dropped EXE
PID:844 -
\??\c:\s6806.exec:\s6806.exe20⤵
- Executes dropped EXE
PID:2456 -
\??\c:\42662.exec:\42662.exe21⤵
- Executes dropped EXE
PID:1684 -
\??\c:\bhnnnb.exec:\bhnnnb.exe22⤵
- Executes dropped EXE
PID:1272 -
\??\c:\6484006.exec:\6484006.exe23⤵
- Executes dropped EXE
PID:2016 -
\??\c:\7vvdp.exec:\7vvdp.exe24⤵
- Executes dropped EXE
PID:1752 -
\??\c:\7tnhht.exec:\7tnhht.exe25⤵
- Executes dropped EXE
PID:968 -
\??\c:\htbntb.exec:\htbntb.exe26⤵
- Executes dropped EXE
PID:1124 -
\??\c:\0426446.exec:\0426446.exe27⤵
- Executes dropped EXE
PID:2588 -
\??\c:\e80062.exec:\e80062.exe28⤵
- Executes dropped EXE
PID:2348 -
\??\c:\0846268.exec:\0846268.exe29⤵
- Executes dropped EXE
PID:2536 -
\??\c:\s4668.exec:\s4668.exe30⤵
- Executes dropped EXE
PID:2228 -
\??\c:\084400.exec:\084400.exe31⤵
- Executes dropped EXE
PID:2148 -
\??\c:\nhtbtt.exec:\nhtbtt.exe32⤵
- Executes dropped EXE
PID:2704 -
\??\c:\60224.exec:\60224.exe33⤵
- Executes dropped EXE
PID:2492 -
\??\c:\fxfflll.exec:\fxfflll.exe34⤵
- Executes dropped EXE
PID:2360 -
\??\c:\868400.exec:\868400.exe35⤵
- Executes dropped EXE
PID:2524 -
\??\c:\3jpvv.exec:\3jpvv.exe36⤵
- Executes dropped EXE
PID:3036 -
\??\c:\800080.exec:\800080.exe37⤵
- Executes dropped EXE
PID:2852 -
\??\c:\m4266.exec:\m4266.exe38⤵
- Executes dropped EXE
PID:928 -
\??\c:\xxrrrrf.exec:\xxrrrrf.exe39⤵
- Executes dropped EXE
PID:2812 -
\??\c:\424606.exec:\424606.exe40⤵
- Executes dropped EXE
PID:3060 -
\??\c:\hbbhhh.exec:\hbbhhh.exe41⤵
- Executes dropped EXE
PID:2908 -
\??\c:\hbnbhn.exec:\hbnbhn.exe42⤵
- Executes dropped EXE
PID:2464 -
\??\c:\3lfxxxf.exec:\3lfxxxf.exe43⤵
- Executes dropped EXE
PID:3008 -
\??\c:\bbbbnh.exec:\bbbbnh.exe44⤵
- Executes dropped EXE
PID:2672 -
\??\c:\86884.exec:\86884.exe45⤵
- Executes dropped EXE
PID:2688 -
\??\c:\vpdjv.exec:\vpdjv.exe46⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hbtnbb.exec:\hbtnbb.exe47⤵
- Executes dropped EXE
PID:2720 -
\??\c:\vdjvd.exec:\vdjvd.exe48⤵
- Executes dropped EXE
PID:2744 -
\??\c:\u202402.exec:\u202402.exe49⤵
- Executes dropped EXE
PID:2496 -
\??\c:\82466.exec:\82466.exe50⤵
- Executes dropped EXE
PID:1816 -
\??\c:\8640262.exec:\8640262.exe51⤵
- Executes dropped EXE
PID:2264 -
\??\c:\m2062.exec:\m2062.exe52⤵
- Executes dropped EXE
PID:2448 -
\??\c:\m0400.exec:\m0400.exe53⤵
- Executes dropped EXE
PID:2376 -
\??\c:\48026.exec:\48026.exe54⤵
- Executes dropped EXE
PID:2152 -
\??\c:\28220.exec:\28220.exe55⤵
- Executes dropped EXE
PID:2304 -
\??\c:\5xxxxlx.exec:\5xxxxlx.exe56⤵
- Executes dropped EXE
PID:1256 -
\??\c:\824042.exec:\824042.exe57⤵
- Executes dropped EXE
PID:1156 -
\??\c:\9bhhnt.exec:\9bhhnt.exe58⤵
- Executes dropped EXE
PID:2052 -
\??\c:\1jddd.exec:\1jddd.exe59⤵
- Executes dropped EXE
PID:304 -
\??\c:\tnhntb.exec:\tnhntb.exe60⤵
- Executes dropped EXE
PID:1824 -
\??\c:\8000246.exec:\8000246.exe61⤵
- Executes dropped EXE
PID:1272 -
\??\c:\vpdjv.exec:\vpdjv.exe62⤵
- Executes dropped EXE
PID:1764 -
\??\c:\jdpjp.exec:\jdpjp.exe63⤵
- Executes dropped EXE
PID:1384 -
\??\c:\208844.exec:\208844.exe64⤵
- Executes dropped EXE
PID:1164 -
\??\c:\20668.exec:\20668.exe65⤵
- Executes dropped EXE
PID:1696 -
\??\c:\2684842.exec:\2684842.exe66⤵PID:2876
-
\??\c:\o200828.exec:\o200828.exe67⤵PID:1776
-
\??\c:\m8606.exec:\m8606.exe68⤵PID:588
-
\??\c:\04446.exec:\04446.exe69⤵PID:2860
-
\??\c:\pjddj.exec:\pjddj.exe70⤵PID:1524
-
\??\c:\vpjvd.exec:\vpjvd.exe71⤵PID:2504
-
\??\c:\o406668.exec:\o406668.exe72⤵PID:1756
-
\??\c:\4206228.exec:\4206228.exe73⤵PID:2704
-
\??\c:\hbttbb.exec:\hbttbb.exe74⤵PID:3064
-
\??\c:\86220.exec:\86220.exe75⤵PID:1808
-
\??\c:\20842.exec:\20842.exe76⤵PID:2360
-
\??\c:\4266446.exec:\4266446.exe77⤵PID:2484
-
\??\c:\a4224.exec:\a4224.exe78⤵PID:2752
-
\??\c:\3thbnn.exec:\3thbnn.exe79⤵PID:712
-
\??\c:\pdjpv.exec:\pdjpv.exe80⤵PID:1148
-
\??\c:\4828268.exec:\4828268.exe81⤵PID:2920
-
\??\c:\k64066.exec:\k64066.exe82⤵PID:2800
-
\??\c:\nhtthb.exec:\nhtthb.exe83⤵PID:2940
-
\??\c:\ttnttt.exec:\ttnttt.exe84⤵PID:2440
-
\??\c:\vjvpv.exec:\vjvpv.exe85⤵PID:1064
-
\??\c:\dpjpp.exec:\dpjpp.exe86⤵PID:2892
-
\??\c:\fxxxflx.exec:\fxxxflx.exe87⤵PID:2660
-
\??\c:\xxllxxf.exec:\xxllxxf.exe88⤵PID:1744
-
\??\c:\4644864.exec:\4644864.exe89⤵PID:2724
-
\??\c:\480240.exec:\480240.exe90⤵PID:2072
-
\??\c:\btnbbh.exec:\btnbbh.exe91⤵PID:2592
-
\??\c:\rrffrxf.exec:\rrffrxf.exe92⤵PID:2496
-
\??\c:\2206406.exec:\2206406.exe93⤵PID:2288
-
\??\c:\dpvdj.exec:\dpvdj.exe94⤵PID:2196
-
\??\c:\jdjjj.exec:\jdjjj.exe95⤵
- System Location Discovery: System Language Discovery
PID:2200 -
\??\c:\8664088.exec:\8664088.exe96⤵PID:2376
-
\??\c:\488428.exec:\488428.exe97⤵PID:2284
-
\??\c:\6428628.exec:\6428628.exe98⤵PID:1184
-
\??\c:\3dvdp.exec:\3dvdp.exe99⤵PID:1256
-
\??\c:\604084.exec:\604084.exe100⤵PID:1156
-
\??\c:\6088668.exec:\6088668.exe101⤵PID:1836
-
\??\c:\tnhnbh.exec:\tnhnbh.exe102⤵PID:2112
-
\??\c:\5nhnhb.exec:\5nhnhb.exe103⤵PID:1968
-
\??\c:\26408.exec:\26408.exe104⤵PID:1564
-
\??\c:\w42840.exec:\w42840.exe105⤵PID:2632
-
\??\c:\tthnbh.exec:\tthnbh.exe106⤵PID:1396
-
\??\c:\9bhbhh.exec:\9bhbhh.exe107⤵PID:2028
-
\??\c:\7ntbhn.exec:\7ntbhn.exe108⤵PID:2652
-
\??\c:\3vddd.exec:\3vddd.exe109⤵PID:1012
-
\??\c:\4248046.exec:\4248046.exe110⤵PID:1784
-
\??\c:\xxlrrrl.exec:\xxlrrrl.exe111⤵PID:2164
-
\??\c:\u684662.exec:\u684662.exe112⤵PID:1060
-
\??\c:\0084628.exec:\0084628.exe113⤵PID:1524
-
\??\c:\00280.exec:\00280.exe114⤵PID:2996
-
\??\c:\m4246.exec:\m4246.exe115⤵PID:2976
-
\??\c:\482802.exec:\482802.exe116⤵PID:1628
-
\??\c:\648800.exec:\648800.exe117⤵PID:1416
-
\??\c:\42446.exec:\42446.exe118⤵PID:2316
-
\??\c:\pdjpv.exec:\pdjpv.exe119⤵PID:1708
-
\??\c:\vpjvp.exec:\vpjvp.exe120⤵PID:2848
-
\??\c:\btbbnt.exec:\btbbnt.exe121⤵PID:2852
-
\??\c:\i822480.exec:\i822480.exe122⤵PID:3048