Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 00:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe
-
Size
456KB
-
MD5
aebfd66057fce37eb6f6d86f2a5cb55a
-
SHA1
a49856f6249404b4496cc68886a1aaee1d89e8f9
-
SHA256
93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd
-
SHA512
83e9d4bf9f040d86092870dca79eb4791445f721cbe03d30a6a10c1b4d94d100cfecfc27ec025abff080a7df40975bf79a37e915ce6b56f1d17610e833644194
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRh:q7Tc2NYHUrAwfMp3CDRh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2756-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-48-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2684-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/764-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1348-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-128-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1832-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/540-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/540-148-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1556-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2460-228-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2512-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1400-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/748-308-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2800-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-434-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1788-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/828-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-902-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2400-970-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2184 426060.exe 2712 2000488.exe 2780 5djdj.exe 2852 428448.exe 2596 bnbbnn.exe 2684 240404.exe 2588 42400.exe 1776 xlrrxrx.exe 764 bnthnb.exe 3064 640460.exe 1348 k20448.exe 2188 nhtnnh.exe 1424 4026006.exe 1832 420026.exe 540 m0266.exe 2988 268448.exe 1556 868288.exe 1996 7ddvp.exe 2244 vvjvv.exe 2240 20288.exe 1544 8682200.exe 2228 nbnnnn.exe 1140 a2448.exe 2460 pvdvp.exe 2512 e64842.exe 1856 bhnhhn.exe 1720 5ttnbb.exe 1400 1ntnhb.exe 748 862664.exe 2352 9hbbbt.exe 2344 3jddv.exe 2792 rfrrxlr.exe 2800 5rrlfxr.exe 2804 2022262.exe 2604 24666.exe 2768 e08800.exe 2572 9htttn.exe 2628 9bnhhb.exe 2820 rxlllll.exe 2360 02484.exe 2928 q28682.exe 1992 a6884.exe 1196 80266.exe 1340 vjvdv.exe 2100 thnhhh.exe 2872 rlxrlff.exe 2752 9xffxxl.exe 2876 pdvpd.exe 2900 5rrrlfl.exe 2764 224826.exe 1944 a0282.exe 1892 m8000.exe 2176 hbtthh.exe 1948 1jddv.exe 2544 hbnbbt.exe 1788 bnhnnt.exe 752 c648440.exe 408 hhhnhn.exe 2196 246222.exe 896 9vvpv.exe 908 26062.exe 1204 hbhhhn.exe 1616 080466.exe 2540 84826.exe -
resource yara_rule behavioral1/memory/2756-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-127-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1832-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-260-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1400-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/828-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-823-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2184-836-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2612-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-996-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q44022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c288440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c862060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4620482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8626668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4200628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6606284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040840.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2756 wrote to memory of 2184 2756 93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe 31 PID 2756 wrote to memory of 2184 2756 93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe 31 PID 2756 wrote to memory of 2184 2756 93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe 31 PID 2756 wrote to memory of 2184 2756 93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe 31 PID 2184 wrote to memory of 2712 2184 426060.exe 32 PID 2184 wrote to memory of 2712 2184 426060.exe 32 PID 2184 wrote to memory of 2712 2184 426060.exe 32 PID 2184 wrote to memory of 2712 2184 426060.exe 32 PID 2712 wrote to memory of 2780 2712 2000488.exe 33 PID 2712 wrote to memory of 2780 2712 2000488.exe 33 PID 2712 wrote to memory of 2780 2712 2000488.exe 33 PID 2712 wrote to memory of 2780 2712 2000488.exe 33 PID 2780 wrote to memory of 2852 2780 5djdj.exe 34 PID 2780 wrote to memory of 2852 2780 5djdj.exe 34 PID 2780 wrote to memory of 2852 2780 5djdj.exe 34 PID 2780 wrote to memory of 2852 2780 5djdj.exe 34 PID 2852 wrote to memory of 2596 2852 428448.exe 35 PID 2852 wrote to memory of 2596 2852 428448.exe 35 PID 2852 wrote to memory of 2596 2852 428448.exe 35 PID 2852 wrote to memory of 2596 2852 428448.exe 35 PID 2596 wrote to memory of 2684 2596 bnbbnn.exe 36 PID 2596 wrote to memory of 2684 2596 bnbbnn.exe 36 PID 2596 wrote to memory of 2684 2596 bnbbnn.exe 36 PID 2596 wrote to memory of 2684 2596 bnbbnn.exe 36 PID 2684 wrote to memory of 2588 2684 240404.exe 37 PID 2684 wrote to memory of 2588 2684 240404.exe 37 PID 2684 wrote to memory of 2588 2684 240404.exe 37 PID 2684 wrote to memory of 2588 2684 240404.exe 37 PID 2588 wrote to memory of 1776 2588 42400.exe 38 PID 2588 wrote to memory of 1776 2588 42400.exe 38 PID 2588 wrote to memory of 1776 2588 42400.exe 38 PID 2588 wrote to memory of 1776 2588 42400.exe 38 PID 1776 wrote to memory of 764 1776 xlrrxrx.exe 39 PID 1776 wrote to 
memory of 764 1776 xlrrxrx.exe 39 PID 1776 wrote to memory of 764 1776 xlrrxrx.exe 39 PID 1776 wrote to memory of 764 1776 xlrrxrx.exe 39 PID 764 wrote to memory of 3064 764 bnthnb.exe 40 PID 764 wrote to memory of 3064 764 bnthnb.exe 40 PID 764 wrote to memory of 3064 764 bnthnb.exe 40 PID 764 wrote to memory of 3064 764 bnthnb.exe 40 PID 3064 wrote to memory of 1348 3064 640460.exe 41 PID 3064 wrote to memory of 1348 3064 640460.exe 41 PID 3064 wrote to memory of 1348 3064 640460.exe 41 PID 3064 wrote to memory of 1348 3064 640460.exe 41 PID 1348 wrote to memory of 2188 1348 k20448.exe 42 PID 1348 wrote to memory of 2188 1348 k20448.exe 42 PID 1348 wrote to memory of 2188 1348 k20448.exe 42 PID 1348 wrote to memory of 2188 1348 k20448.exe 42 PID 2188 wrote to memory of 1424 2188 nhtnnh.exe 43 PID 2188 wrote to memory of 1424 2188 nhtnnh.exe 43 PID 2188 wrote to memory of 1424 2188 nhtnnh.exe 43 PID 2188 wrote to memory of 1424 2188 nhtnnh.exe 43 PID 1424 wrote to memory of 1832 1424 4026006.exe 44 PID 1424 wrote to memory of 1832 1424 4026006.exe 44 PID 1424 wrote to memory of 1832 1424 4026006.exe 44 PID 1424 wrote to memory of 1832 1424 4026006.exe 44 PID 1832 wrote to memory of 540 1832 420026.exe 45 PID 1832 wrote to memory of 540 1832 420026.exe 45 PID 1832 wrote to memory of 540 1832 420026.exe 45 PID 1832 wrote to memory of 540 1832 420026.exe 45 PID 540 wrote to memory of 2988 540 m0266.exe 46 PID 540 wrote to memory of 2988 540 m0266.exe 46 PID 540 wrote to memory of 2988 540 m0266.exe 46 PID 540 wrote to memory of 2988 540 m0266.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe"C:\Users\Admin\AppData\Local\Temp\93cb6dfc541ccb08cca5a6f78b7f2785bd3ef4e3555bdca32010fed497b94bdd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\426060.exec:\426060.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\2000488.exec:\2000488.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\5djdj.exec:\5djdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\428448.exec:\428448.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\bnbbnn.exec:\bnbbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\240404.exec:\240404.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\42400.exec:\42400.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\xlrrxrx.exec:\xlrrxrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\bnthnb.exec:\bnthnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\640460.exec:\640460.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\k20448.exec:\k20448.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\nhtnnh.exec:\nhtnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\4026006.exec:\4026006.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\420026.exec:\420026.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\m0266.exec:\m0266.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\268448.exec:\268448.exe17⤵
- Executes dropped EXE
PID:2988 -
\??\c:\868288.exec:\868288.exe18⤵
- Executes dropped EXE
PID:1556 -
\??\c:\7ddvp.exec:\7ddvp.exe19⤵
- Executes dropped EXE
PID:1996 -
\??\c:\vvjvv.exec:\vvjvv.exe20⤵
- Executes dropped EXE
PID:2244 -
\??\c:\20288.exec:\20288.exe21⤵
- Executes dropped EXE
PID:2240 -
\??\c:\8682200.exec:\8682200.exe22⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nbnnnn.exec:\nbnnnn.exe23⤵
- Executes dropped EXE
PID:2228 -
\??\c:\a2448.exec:\a2448.exe24⤵
- Executes dropped EXE
PID:1140 -
\??\c:\pvdvp.exec:\pvdvp.exe25⤵
- Executes dropped EXE
PID:2460 -
\??\c:\e64842.exec:\e64842.exe26⤵
- Executes dropped EXE
PID:2512 -
\??\c:\bhnhhn.exec:\bhnhhn.exe27⤵
- Executes dropped EXE
PID:1856 -
\??\c:\5ttnbb.exec:\5ttnbb.exe28⤵
- Executes dropped EXE
PID:1720 -
\??\c:\1ntnhb.exec:\1ntnhb.exe29⤵
- Executes dropped EXE
PID:1400 -
\??\c:\862664.exec:\862664.exe30⤵
- Executes dropped EXE
PID:748 -
\??\c:\9hbbbt.exec:\9hbbbt.exe31⤵
- Executes dropped EXE
PID:2352 -
\??\c:\3jddv.exec:\3jddv.exe32⤵
- Executes dropped EXE
PID:2344 -
\??\c:\rfrrxlr.exec:\rfrrxlr.exe33⤵
- Executes dropped EXE
PID:2792 -
\??\c:\5rrlfxr.exec:\5rrlfxr.exe34⤵
- Executes dropped EXE
PID:2800 -
\??\c:\2022262.exec:\2022262.exe35⤵
- Executes dropped EXE
PID:2804 -
\??\c:\24666.exec:\24666.exe36⤵
- Executes dropped EXE
PID:2604 -
\??\c:\e08800.exec:\e08800.exe37⤵
- Executes dropped EXE
PID:2768 -
\??\c:\9htttn.exec:\9htttn.exe38⤵
- Executes dropped EXE
PID:2572 -
\??\c:\9bnhhb.exec:\9bnhhb.exe39⤵
- Executes dropped EXE
PID:2628 -
\??\c:\rxlllll.exec:\rxlllll.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\02484.exec:\02484.exe41⤵
- Executes dropped EXE
PID:2360 -
\??\c:\q28682.exec:\q28682.exe42⤵
- Executes dropped EXE
PID:2928 -
\??\c:\a6884.exec:\a6884.exe43⤵
- Executes dropped EXE
PID:1992 -
\??\c:\80266.exec:\80266.exe44⤵
- Executes dropped EXE
PID:1196 -
\??\c:\vjvdv.exec:\vjvdv.exe45⤵
- Executes dropped EXE
PID:1340 -
\??\c:\thnhhh.exec:\thnhhh.exe46⤵
- Executes dropped EXE
PID:2100 -
\??\c:\rlxrlff.exec:\rlxrlff.exe47⤵
- Executes dropped EXE
PID:2872 -
\??\c:\9xffxxl.exec:\9xffxxl.exe48⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pdvpd.exec:\pdvpd.exe49⤵
- Executes dropped EXE
PID:2876 -
\??\c:\5rrrlfl.exec:\5rrrlfl.exe50⤵
- Executes dropped EXE
PID:2900 -
\??\c:\224826.exec:\224826.exe51⤵
- Executes dropped EXE
PID:2764 -
\??\c:\a0282.exec:\a0282.exe52⤵
- Executes dropped EXE
PID:1944 -
\??\c:\m8000.exec:\m8000.exe53⤵
- Executes dropped EXE
PID:1892 -
\??\c:\hbtthh.exec:\hbtthh.exe54⤵
- Executes dropped EXE
PID:2176 -
\??\c:\1jddv.exec:\1jddv.exe55⤵
- Executes dropped EXE
PID:1948 -
\??\c:\hbnbbt.exec:\hbnbbt.exe56⤵
- Executes dropped EXE
PID:2544 -
\??\c:\bnhnnt.exec:\bnhnnt.exe57⤵
- Executes dropped EXE
PID:1788 -
\??\c:\c648440.exec:\c648440.exe58⤵
- Executes dropped EXE
PID:752 -
\??\c:\hhhnhn.exec:\hhhnhn.exe59⤵
- Executes dropped EXE
PID:408 -
\??\c:\246222.exec:\246222.exe60⤵
- Executes dropped EXE
PID:2196 -
\??\c:\9vvpv.exec:\9vvpv.exe61⤵
- Executes dropped EXE
PID:896 -
\??\c:\26062.exec:\26062.exe62⤵
- Executes dropped EXE
PID:908 -
\??\c:\hbhhhn.exec:\hbhhhn.exe63⤵
- Executes dropped EXE
PID:1204 -
\??\c:\080466.exec:\080466.exe64⤵
- Executes dropped EXE
PID:1616 -
\??\c:\84826.exec:\84826.exe65⤵
- Executes dropped EXE
PID:2540 -
\??\c:\frxrrrx.exec:\frxrrrx.exe66⤵PID:984
-
\??\c:\rrrflrf.exec:\rrrflrf.exe67⤵PID:2476
-
\??\c:\5rfxxrr.exec:\5rfxxrr.exe68⤵PID:3052
-
\??\c:\5ntnnn.exec:\5ntnnn.exe69⤵PID:888
-
\??\c:\btbbbb.exec:\btbbbb.exe70⤵PID:1416
-
\??\c:\0468484.exec:\0468484.exe71⤵PID:2172
-
\??\c:\3tttnn.exec:\3tttnn.exe72⤵PID:2352
-
\??\c:\vpdvd.exec:\vpdvd.exe73⤵PID:1764
-
\??\c:\64228.exec:\64228.exe74⤵PID:1516
-
\??\c:\1ppjj.exec:\1ppjj.exe75⤵PID:2776
-
\??\c:\pdpjj.exec:\pdpjj.exe76⤵PID:2848
-
\??\c:\c244888.exec:\c244888.exe77⤵PID:2688
-
\??\c:\djpjd.exec:\djpjd.exe78⤵PID:1200
-
\??\c:\jjdjv.exec:\jjdjv.exe79⤵
- System Location Discovery: System Language Discovery
PID:2624 -
\??\c:\vjvdd.exec:\vjvdd.exe80⤵PID:2736
-
\??\c:\bnbnnh.exec:\bnbnnh.exe81⤵PID:2580
-
\??\c:\420444.exec:\420444.exe82⤵PID:2424
-
\??\c:\240448.exec:\240448.exe83⤵PID:1776
-
\??\c:\frxlllr.exec:\frxlllr.exe84⤵PID:2256
-
\??\c:\g0868.exec:\g0868.exe85⤵PID:2148
-
\??\c:\vjjjp.exec:\vjjjp.exe86⤵PID:2140
-
\??\c:\bnhhhb.exec:\bnhhhb.exe87⤵PID:1920
-
\??\c:\42484.exec:\42484.exe88⤵PID:2972
-
\??\c:\jvvjd.exec:\jvvjd.exe89⤵PID:2760
-
\??\c:\442622.exec:\442622.exe90⤵PID:2300
-
\??\c:\xfrrrlr.exec:\xfrrrlr.exe91⤵PID:2880
-
\??\c:\bnhhtt.exec:\bnhhtt.exe92⤵PID:2888
-
\??\c:\2684006.exec:\2684006.exe93⤵PID:1388
-
\??\c:\9rlrflx.exec:\9rlrflx.exe94⤵PID:1828
-
\??\c:\fflfllx.exec:\fflfllx.exe95⤵PID:2316
-
\??\c:\e62664.exec:\e62664.exe96⤵PID:1648
-
\??\c:\tnhnbh.exec:\tnhnbh.exe97⤵PID:3028
-
\??\c:\3nnnbb.exec:\3nnnbb.exe98⤵PID:1740
-
\??\c:\nbhbtt.exec:\nbhbtt.exe99⤵PID:2932
-
\??\c:\rrxxxxf.exec:\rrxxxxf.exe100⤵PID:1708
-
\??\c:\rflflfl.exec:\rflflfl.exe101⤵PID:2224
-
\??\c:\q42666.exec:\q42666.exe102⤵PID:2232
-
\??\c:\hthbtt.exec:\hthbtt.exe103⤵PID:828
-
\??\c:\42062.exec:\42062.exe104⤵PID:1140
-
\??\c:\5vjvj.exec:\5vjvj.exe105⤵PID:2460
-
\??\c:\dpvpp.exec:\dpvpp.exe106⤵PID:1684
-
\??\c:\q28222.exec:\q28222.exe107⤵PID:2540
-
\??\c:\1hbbhn.exec:\1hbbhn.exe108⤵PID:2472
-
\??\c:\86888.exec:\86888.exe109⤵PID:2288
-
\??\c:\6466224.exec:\6466224.exe110⤵PID:316
-
\??\c:\8004448.exec:\8004448.exe111⤵PID:1192
-
\??\c:\a6482.exec:\a6482.exe112⤵PID:824
-
\??\c:\448228.exec:\448228.exe113⤵PID:2436
-
\??\c:\e24488.exec:\e24488.exe114⤵PID:2860
-
\??\c:\5rrrrff.exec:\5rrrrff.exe115⤵PID:2184
-
\??\c:\20284.exec:\20284.exe116⤵PID:2704
-
\??\c:\48022.exec:\48022.exe117⤵PID:2576
-
\??\c:\1pvpj.exec:\1pvpj.exe118⤵PID:1508
-
\??\c:\vjpjj.exec:\vjpjj.exe119⤵PID:2864
-
\??\c:\46826.exec:\46826.exe120⤵PID:2908
-
\??\c:\pdpjj.exec:\pdpjj.exe121⤵PID:2612
-
\??\c:\5jppj.exec:\5jppj.exe122⤵PID:2684