Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 00:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6d5621adc952ebc3ffc00d7e419fcd9b4ef24c60f5096400616bee4d565a7dc4.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
6d5621adc952ebc3ffc00d7e419fcd9b4ef24c60f5096400616bee4d565a7dc4.exe
-
Size
454KB
-
MD5
559e2de7a656aff0215aafd4b91ef8ac
-
SHA1
c5bd2a8273cc989b38bfa3b214b340bcf615b594
-
SHA256
6d5621adc952ebc3ffc00d7e419fcd9b4ef24c60f5096400616bee4d565a7dc4
-
SHA512
42068daf6f2536e564796435a732ac14631ba3e7fff2fff7c9d6a90cf73bc586031f55b9aca3cdec62e81af813ea9d9f796e9ebe8fcfdea748cb7ce36f6be696
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbem:q7Tc2NYHUrAwfMp3CDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/2620-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/308-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-134-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2568-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-160-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2996-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1192-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-213-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1864-211-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1984-218-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1984-223-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/924-238-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/896-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-529-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1916-570-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2100-575-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2736-641-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/844-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-679-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon 
behavioral1/memory/3064-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-826-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2296-929-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2996-979-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2084-996-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2180-1006-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2136-1021-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1984-1038-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-1236-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2332-1266-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1732 nhbhnt.exe 1964 rfrfrrr.exe 2768 q86222.exe 2144 htntnb.exe 2912 m6846.exe 2404 vdddp.exe 2944 8246268.exe 3036 7bhbbb.exe 2852 s4666.exe 308 5bhbnh.exe 2556 hbtbbt.exe 636 6428840.exe 1828 7xlrxfl.exe 3060 frffffl.exe 2740 20228.exe 2568 vvvjv.exe 2996 6462484.exe 1512 ddvdj.exe 1760 q60024.exe 2180 3nbnnn.exe 1192 5bnbbb.exe 1864 pvppv.exe 1984 nnttbb.exe 896 0868840.exe 924 g6844.exe 2644 3rfxflr.exe 2288 nnbtbh.exe 2208 9dpjj.exe 272 3pddp.exe 1920 hthnhh.exe 2592 60802.exe 2060 3dddd.exe 2100 u800044.exe 1740 thntbt.exe 2432 868406.exe 2932 3lxrxrr.exe 2916 864022.exe 2896 k86240.exe 2800 w02840.exe 2240 bnbthh.exe 2820 9jvdv.exe 2796 jddjp.exe 2696 82062.exe 2732 thbbbt.exe 2296 8244440.exe 624 btbbht.exe 2684 m8662.exe 2784 48602.exe 2976 04240.exe 2860 btthnb.exe 3012 8862046.exe 2668 c806228.exe 2960 pdpdd.exe 1124 dvjjp.exe 3032 1nbbhh.exe 3056 pjvdj.exe 2412 lllrxfx.exe 2616 26060.exe 980 1tbbbt.exe 1604 e80602.exe 1360 dpjdd.exe 1296 frfllll.exe 1984 k82868.exe 1492 7frlrrf.exe -
resource yara_rule behavioral1/memory/2620-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/924-238-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/924-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-253-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/272-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-679-0x0000000000350000-0x000000000037A000-memory.dmp upx behavioral1/memory/3064-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-808-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2248-889-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1064-1064-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1124-1241-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2264842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6042864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8204662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrllxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bththn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o868466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428444.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2620 wrote to memory of 1732 2620 6d5621adc952ebc3ffc00d7e419fcd9b4ef24c60f5096400616bee4d565a7dc4.exe 30 PID 2620 wrote to memory of 1732 2620 6d5621adc952ebc3ffc00d7e419fcd9b4ef24c60f5096400616bee4d565a7dc4.exe 30 PID 2620 wrote to memory of 1732 2620 6d5621adc952ebc3ffc00d7e419fcd9b4ef24c60f5096400616bee4d565a7dc4.exe 30 PID 2620 wrote to memory of 1732 2620 6d5621adc952ebc3ffc00d7e419fcd9b4ef24c60f5096400616bee4d565a7dc4.exe 30 PID 1732 wrote to memory of 1964 1732 nhbhnt.exe 31 PID 1732 wrote to memory of 1964 1732 nhbhnt.exe 31 PID 1732 wrote to memory of 1964 1732 nhbhnt.exe 31 PID 1732 wrote to memory of 1964 1732 nhbhnt.exe 31 PID 1964 wrote to memory of 2768 1964 rfrfrrr.exe 32 PID 1964 wrote to memory of 2768 1964 rfrfrrr.exe 32 PID 1964 wrote to memory of 2768 1964 rfrfrrr.exe 32 PID 1964 wrote to memory of 2768 1964 rfrfrrr.exe 32 PID 2768 wrote to memory of 2144 2768 q86222.exe 33 PID 2768 wrote to memory of 2144 2768 q86222.exe 33 PID 2768 wrote to memory of 2144 2768 q86222.exe 33 PID 2768 wrote to memory of 2144 2768 q86222.exe 33 PID 2144 wrote to memory of 2912 2144 htntnb.exe 34 PID 2144 wrote to memory of 2912 2144 htntnb.exe 34 PID 2144 wrote to memory of 2912 2144 htntnb.exe 34 PID 2144 wrote to memory of 2912 2144 htntnb.exe 34 PID 2912 wrote to memory of 2404 2912 m6846.exe 35 PID 2912 wrote to memory of 2404 2912 m6846.exe 35 PID 2912 wrote to memory of 2404 2912 m6846.exe 35 PID 2912 wrote to memory of 2404 2912 m6846.exe 35 PID 2404 wrote to memory of 2944 2404 vdddp.exe 36 PID 2404 wrote to memory of 2944 2404 vdddp.exe 36 PID 2404 wrote to memory of 2944 2404 vdddp.exe 36 PID 2404 wrote to memory of 2944 2404 vdddp.exe 36 PID 2944 wrote to memory of 3036 2944 8246268.exe 37 PID 2944 wrote to memory of 3036 2944 8246268.exe 37 PID 2944 wrote to memory of 3036 2944 8246268.exe 37 PID 2944 wrote to memory of 3036 2944 8246268.exe 37 PID 3036 wrote to memory of 2852 3036 7bhbbb.exe 38 PID 3036 
wrote to memory of 2852 3036 7bhbbb.exe 38 PID 3036 wrote to memory of 2852 3036 7bhbbb.exe 38 PID 3036 wrote to memory of 2852 3036 7bhbbb.exe 38 PID 2852 wrote to memory of 308 2852 s4666.exe 39 PID 2852 wrote to memory of 308 2852 s4666.exe 39 PID 2852 wrote to memory of 308 2852 s4666.exe 39 PID 2852 wrote to memory of 308 2852 s4666.exe 39 PID 308 wrote to memory of 2556 308 5bhbnh.exe 40 PID 308 wrote to memory of 2556 308 5bhbnh.exe 40 PID 308 wrote to memory of 2556 308 5bhbnh.exe 40 PID 308 wrote to memory of 2556 308 5bhbnh.exe 40 PID 2556 wrote to memory of 636 2556 hbtbbt.exe 41 PID 2556 wrote to memory of 636 2556 hbtbbt.exe 41 PID 2556 wrote to memory of 636 2556 hbtbbt.exe 41 PID 2556 wrote to memory of 636 2556 hbtbbt.exe 41 PID 636 wrote to memory of 1828 636 6428840.exe 42 PID 636 wrote to memory of 1828 636 6428840.exe 42 PID 636 wrote to memory of 1828 636 6428840.exe 42 PID 636 wrote to memory of 1828 636 6428840.exe 42 PID 1828 wrote to memory of 3060 1828 7xlrxfl.exe 43 PID 1828 wrote to memory of 3060 1828 7xlrxfl.exe 43 PID 1828 wrote to memory of 3060 1828 7xlrxfl.exe 43 PID 1828 wrote to memory of 3060 1828 7xlrxfl.exe 43 PID 3060 wrote to memory of 2740 3060 frffffl.exe 44 PID 3060 wrote to memory of 2740 3060 frffffl.exe 44 PID 3060 wrote to memory of 2740 3060 frffffl.exe 44 PID 3060 wrote to memory of 2740 3060 frffffl.exe 44 PID 2740 wrote to memory of 2568 2740 20228.exe 45 PID 2740 wrote to memory of 2568 2740 20228.exe 45 PID 2740 wrote to memory of 2568 2740 20228.exe 45 PID 2740 wrote to memory of 2568 2740 20228.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d5621adc952ebc3ffc00d7e419fcd9b4ef24c60f5096400616bee4d565a7dc4.exe"C:\Users\Admin\AppData\Local\Temp\6d5621adc952ebc3ffc00d7e419fcd9b4ef24c60f5096400616bee4d565a7dc4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\nhbhnt.exec:\nhbhnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\rfrfrrr.exec:\rfrfrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\q86222.exec:\q86222.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\htntnb.exec:\htntnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\m6846.exec:\m6846.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\vdddp.exec:\vdddp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\8246268.exec:\8246268.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\7bhbbb.exec:\7bhbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\s4666.exec:\s4666.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\5bhbnh.exec:\5bhbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:308 -
\??\c:\hbtbbt.exec:\hbtbbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\6428840.exec:\6428840.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\7xlrxfl.exec:\7xlrxfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\frffffl.exec:\frffffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\20228.exec:\20228.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\vvvjv.exec:\vvvjv.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
\??\c:\6462484.exec:\6462484.exe18⤵
- Executes dropped EXE
PID:2996 -
\??\c:\ddvdj.exec:\ddvdj.exe19⤵
- Executes dropped EXE
PID:1512 -
\??\c:\q60024.exec:\q60024.exe20⤵
- Executes dropped EXE
PID:1760 -
\??\c:\3nbnnn.exec:\3nbnnn.exe21⤵
- Executes dropped EXE
PID:2180 -
\??\c:\5bnbbb.exec:\5bnbbb.exe22⤵
- Executes dropped EXE
PID:1192 -
\??\c:\pvppv.exec:\pvppv.exe23⤵
- Executes dropped EXE
PID:1864 -
\??\c:\nnttbb.exec:\nnttbb.exe24⤵
- Executes dropped EXE
PID:1984 -
\??\c:\0868840.exec:\0868840.exe25⤵
- Executes dropped EXE
PID:896 -
\??\c:\g6844.exec:\g6844.exe26⤵
- Executes dropped EXE
PID:924 -
\??\c:\3rfxflr.exec:\3rfxflr.exe27⤵
- Executes dropped EXE
PID:2644 -
\??\c:\nnbtbh.exec:\nnbtbh.exe28⤵
- Executes dropped EXE
PID:2288 -
\??\c:\9dpjj.exec:\9dpjj.exe29⤵
- Executes dropped EXE
PID:2208 -
\??\c:\3pddp.exec:\3pddp.exe30⤵
- Executes dropped EXE
PID:272 -
\??\c:\hthnhh.exec:\hthnhh.exe31⤵
- Executes dropped EXE
PID:1920 -
\??\c:\60802.exec:\60802.exe32⤵
- Executes dropped EXE
PID:2592 -
\??\c:\3dddd.exec:\3dddd.exe33⤵
- Executes dropped EXE
PID:2060 -
\??\c:\u800044.exec:\u800044.exe34⤵
- Executes dropped EXE
PID:2100 -
\??\c:\thntbt.exec:\thntbt.exe35⤵
- Executes dropped EXE
PID:1740 -
\??\c:\868406.exec:\868406.exe36⤵
- Executes dropped EXE
PID:2432 -
\??\c:\3lxrxrr.exec:\3lxrxrr.exe37⤵
- Executes dropped EXE
PID:2932 -
\??\c:\864022.exec:\864022.exe38⤵
- Executes dropped EXE
PID:2916 -
\??\c:\k86240.exec:\k86240.exe39⤵
- Executes dropped EXE
PID:2896 -
\??\c:\w02840.exec:\w02840.exe40⤵
- Executes dropped EXE
PID:2800 -
\??\c:\bnbthh.exec:\bnbthh.exe41⤵
- Executes dropped EXE
PID:2240 -
\??\c:\9jvdv.exec:\9jvdv.exe42⤵
- Executes dropped EXE
PID:2820 -
\??\c:\jddjp.exec:\jddjp.exe43⤵
- Executes dropped EXE
PID:2796 -
\??\c:\82062.exec:\82062.exe44⤵
- Executes dropped EXE
PID:2696 -
\??\c:\thbbbt.exec:\thbbbt.exe45⤵
- Executes dropped EXE
PID:2732 -
\??\c:\8244440.exec:\8244440.exe46⤵
- Executes dropped EXE
PID:2296 -
\??\c:\btbbht.exec:\btbbht.exe47⤵
- Executes dropped EXE
PID:624 -
\??\c:\m8662.exec:\m8662.exe48⤵
- Executes dropped EXE
PID:2684 -
\??\c:\48602.exec:\48602.exe49⤵
- Executes dropped EXE
PID:2784 -
\??\c:\04240.exec:\04240.exe50⤵
- Executes dropped EXE
PID:2976 -
\??\c:\btthnb.exec:\btthnb.exe51⤵
- Executes dropped EXE
PID:2860 -
\??\c:\8862046.exec:\8862046.exe52⤵
- Executes dropped EXE
PID:3012 -
\??\c:\c806228.exec:\c806228.exe53⤵
- Executes dropped EXE
PID:2668 -
\??\c:\pdpdd.exec:\pdpdd.exe54⤵
- Executes dropped EXE
PID:2960 -
\??\c:\dvjjp.exec:\dvjjp.exe55⤵
- Executes dropped EXE
PID:1124 -
\??\c:\1nbbhh.exec:\1nbbhh.exe56⤵
- Executes dropped EXE
PID:3032 -
\??\c:\pjvdj.exec:\pjvdj.exe57⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lllrxfx.exec:\lllrxfx.exe58⤵
- Executes dropped EXE
PID:2412 -
\??\c:\26060.exec:\26060.exe59⤵
- Executes dropped EXE
PID:2616 -
\??\c:\1tbbbt.exec:\1tbbbt.exe60⤵
- Executes dropped EXE
PID:980 -
\??\c:\e80602.exec:\e80602.exe61⤵
- Executes dropped EXE
PID:1604 -
\??\c:\dpjdd.exec:\dpjdd.exe62⤵
- Executes dropped EXE
PID:1360 -
\??\c:\frfllll.exec:\frfllll.exe63⤵
- Executes dropped EXE
PID:1296 -
\??\c:\k82868.exec:\k82868.exe64⤵
- Executes dropped EXE
PID:1984 -
\??\c:\7frlrrf.exec:\7frlrrf.exe65⤵
- Executes dropped EXE
PID:1492 -
\??\c:\vvvdj.exec:\vvvdj.exe66⤵PID:1808
-
\??\c:\rxrffxx.exec:\rxrffxx.exe67⤵PID:1252
-
\??\c:\60808.exec:\60808.exe68⤵PID:2644
-
\??\c:\xrfrflx.exec:\xrfrflx.exe69⤵PID:1988
-
\??\c:\lxfxxrf.exec:\lxfxxrf.exe70⤵PID:1736
-
\??\c:\k86206.exec:\k86206.exe71⤵PID:1100
-
\??\c:\rlxfrrl.exec:\rlxfrrl.exe72⤵PID:2316
-
\??\c:\hntbnt.exec:\hntbnt.exe73⤵PID:536
-
\??\c:\e44426.exec:\e44426.exe74⤵PID:2600
-
\??\c:\066206.exec:\066206.exe75⤵PID:1916
-
\??\c:\m8062.exec:\m8062.exe76⤵PID:2100
-
\??\c:\pjdjj.exec:\pjdjj.exe77⤵PID:2260
-
\??\c:\600246.exec:\600246.exe78⤵PID:2264
-
\??\c:\822468.exec:\822468.exe79⤵PID:1268
-
\??\c:\9lrlfll.exec:\9lrlfll.exe80⤵PID:2812
-
\??\c:\dvppj.exec:\dvppj.exe81⤵PID:2816
-
\??\c:\86402.exec:\86402.exe82⤵PID:2836
-
\??\c:\i040286.exec:\i040286.exe83⤵PID:2248
-
\??\c:\642402.exec:\642402.exe84⤵PID:2872
-
\??\c:\5btbhh.exec:\5btbhh.exe85⤵PID:2820
-
\??\c:\flrrxrl.exec:\flrrxrl.exe86⤵PID:2736
-
\??\c:\268844.exec:\268844.exe87⤵PID:2696
-
\??\c:\m2440.exec:\m2440.exe88⤵PID:2732
-
\??\c:\pdpjd.exec:\pdpjd.exe89⤵PID:2296
-
\??\c:\m0028.exec:\m0028.exe90⤵PID:1248
-
\??\c:\u828440.exec:\u828440.exe91⤵PID:844
-
\??\c:\ppdjp.exec:\ppdjp.exe92⤵PID:3016
-
\??\c:\xrffffl.exec:\xrffffl.exe93⤵PID:1744
-
\??\c:\u400262.exec:\u400262.exe94⤵PID:2860
-
\??\c:\vpjdp.exec:\vpjdp.exe95⤵PID:2568
-
\??\c:\tnhhhh.exec:\tnhhhh.exe96⤵PID:2668
-
\??\c:\268808.exec:\268808.exe97⤵PID:3000
-
\??\c:\7jvjj.exec:\7jvjj.exe98⤵PID:1560
-
\??\c:\02400.exec:\02400.exe99⤵PID:3064
-
\??\c:\1ddvp.exec:\1ddvp.exe100⤵
- System Location Discovery: System Language Discovery
PID:3040 -
\??\c:\pjpjp.exec:\pjpjp.exe101⤵PID:1152
-
\??\c:\48000.exec:\48000.exe102⤵PID:1868
-
\??\c:\6022224.exec:\6022224.exe103⤵PID:2544
-
\??\c:\3fflrrr.exec:\3fflrrr.exe104⤵PID:2640
-
\??\c:\nntthb.exec:\nntthb.exe105⤵PID:1756
-
\??\c:\lfrxfll.exec:\lfrxfll.exe106⤵PID:1296
-
\??\c:\bthbhb.exec:\bthbhb.exe107⤵PID:896
-
\??\c:\bbthnt.exec:\bbthnt.exe108⤵PID:1668
-
\??\c:\q82848.exec:\q82848.exe109⤵PID:1808
-
\??\c:\260282.exec:\260282.exe110⤵PID:1720
-
\??\c:\u844680.exec:\u844680.exe111⤵PID:2644
-
\??\c:\208406.exec:\208406.exe112⤵PID:1616
-
\??\c:\g6888.exec:\g6888.exe113⤵PID:1052
-
\??\c:\3nbtbb.exec:\3nbtbb.exe114⤵PID:1704
-
\??\c:\djjpj.exec:\djjpj.exe115⤵PID:2580
-
\??\c:\1xllrxf.exec:\1xllrxf.exe116⤵PID:2564
-
\??\c:\82620.exec:\82620.exe117⤵PID:2596
-
\??\c:\28222.exec:\28222.exe118⤵PID:2768
-
\??\c:\2644280.exec:\2644280.exe119⤵PID:2100
-
\??\c:\9dvdj.exec:\9dvdj.exe120⤵PID:2260
-
\??\c:\208288.exec:\208288.exe121⤵PID:2264
-
\??\c:\vdvpv.exec:\vdvpv.exe122⤵PID:1268