Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 04:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe
-
Size
453KB
-
MD5
449db5e2ba1d90fa8df02673681433a0
-
SHA1
6a9571d43f8ba7022b72ab378f0f866d67c0f389
-
SHA256
86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418
-
SHA512
db33643d176f162397a60e881763185e8b3280f66ae6e56290a308b7c413d8507db02d87be2624de7c51424be454806efee429d6a7400b63ccc7bbf8cc6a7ebd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/1244-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-74-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2792-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-88-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2624-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/580-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/880-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/660-398-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1700-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1348-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-614-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2872-636-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2848-676-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2572-738-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2572-758-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2776-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-1226-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2684 bhtnhb.exe 2540 208444.exe 1956 pjvvd.exe 2456 86446.exe 2740 bnbbnh.exe 2916 ththhh.exe 2612 htnntt.exe 2792 bbntbh.exe 2656 404080.exe 2624 e20622.exe 1980 824200.exe 2064 hbtbtn.exe 1784 pvjdp.exe 2904 20888.exe 1312 xffxlfr.exe 1700 462888.exe 1760 824066.exe 2092 4284440.exe 2552 htnnbb.exe 2116 dpvpv.exe 1920 646288.exe 3016 04264.exe 1348 8066624.exe 2472 4200600.exe 2468 2460662.exe 908 5rfrlfx.exe 904 8646486.exe 2440 20222.exe 580 g2062.exe 1152 hthnnn.exe 880 7xflrrx.exe 2208 lfxflll.exe 2688 6028440.exe 2300 xrffllr.exe 2684 5dvpj.exe 2364 5ddpj.exe 988 080622.exe 2564 vdjjj.exe 2140 08662.exe 2872 2084848.exe 2860 7tbntt.exe 2852 7rllrll.exe 3068 42444.exe 1808 nhtbhn.exe 2660 1pdvv.exe 2636 dvdjp.exe 660 08620.exe 1980 42680.exe 2064 226222.exe 2396 820640.exe 2952 60846.exe 1984 04064.exe 1328 7jvpd.exe 1700 k80060.exe 1560 684466.exe 2572 7dppv.exe 2700 2680666.exe 2532 3rxxxfx.exe 1032 4844262.exe 348 424000.exe 2644 ddvvp.exe 1396 9dpvp.exe 1348 vjpvj.exe 1064 6080468.exe -
resource yara_rule behavioral1/memory/1244-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-285-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2300-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/672-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-909-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1856-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-1070-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-1111-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c640224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6006864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8640262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0424606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1244 wrote to memory of 2684 1244 86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe 30 PID 1244 wrote to memory of 2684 1244 86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe 30 PID 1244 wrote to memory of 2684 1244 86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe 30 PID 1244 wrote to memory of 2684 1244 86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe 30 PID 2684 wrote to memory of 2540 2684 bhtnhb.exe 31 PID 2684 wrote to memory of 2540 2684 bhtnhb.exe 31 PID 2684 wrote to memory of 2540 2684 bhtnhb.exe 31 PID 2684 wrote to memory of 2540 2684 bhtnhb.exe 31 PID 2540 wrote to memory of 1956 2540 208444.exe 32 PID 2540 wrote to memory of 1956 2540 208444.exe 32 PID 2540 wrote to memory of 1956 2540 208444.exe 32 PID 2540 wrote to memory of 1956 2540 208444.exe 32 PID 1956 wrote to memory of 2456 1956 pjvvd.exe 33 PID 1956 wrote to memory of 2456 1956 pjvvd.exe 33 PID 1956 wrote to memory of 2456 1956 pjvvd.exe 33 PID 1956 wrote to memory of 2456 1956 pjvvd.exe 33 PID 2456 wrote to memory of 2740 2456 86446.exe 34 PID 2456 wrote to memory of 2740 2456 86446.exe 34 PID 2456 wrote to memory of 2740 2456 86446.exe 34 PID 2456 wrote to memory of 2740 2456 86446.exe 34 PID 2740 wrote to memory of 2916 2740 bnbbnh.exe 35 PID 2740 wrote to memory of 2916 2740 bnbbnh.exe 35 PID 2740 wrote to memory of 2916 2740 bnbbnh.exe 35 PID 2740 wrote to memory of 2916 2740 bnbbnh.exe 35 PID 2916 wrote to memory of 2612 2916 ththhh.exe 36 PID 2916 wrote to memory of 2612 2916 ththhh.exe 36 PID 2916 wrote to memory of 2612 2916 ththhh.exe 36 PID 2916 wrote to memory of 2612 2916 ththhh.exe 36 PID 2612 wrote to memory of 2792 2612 htnntt.exe 37 PID 2612 wrote to memory of 2792 2612 htnntt.exe 37 PID 2612 wrote to memory of 2792 2612 htnntt.exe 37 PID 2612 wrote to memory of 2792 2612 htnntt.exe 37 PID 2792 wrote to memory of 2656 2792 bbntbh.exe 38 PID 2792 wrote to 
memory of 2656 2792 bbntbh.exe 38 PID 2792 wrote to memory of 2656 2792 bbntbh.exe 38 PID 2792 wrote to memory of 2656 2792 bbntbh.exe 38 PID 2656 wrote to memory of 2624 2656 404080.exe 39 PID 2656 wrote to memory of 2624 2656 404080.exe 39 PID 2656 wrote to memory of 2624 2656 404080.exe 39 PID 2656 wrote to memory of 2624 2656 404080.exe 39 PID 2624 wrote to memory of 1980 2624 e20622.exe 40 PID 2624 wrote to memory of 1980 2624 e20622.exe 40 PID 2624 wrote to memory of 1980 2624 e20622.exe 40 PID 2624 wrote to memory of 1980 2624 e20622.exe 40 PID 1980 wrote to memory of 2064 1980 824200.exe 41 PID 1980 wrote to memory of 2064 1980 824200.exe 41 PID 1980 wrote to memory of 2064 1980 824200.exe 41 PID 1980 wrote to memory of 2064 1980 824200.exe 41 PID 2064 wrote to memory of 1784 2064 hbtbtn.exe 42 PID 2064 wrote to memory of 1784 2064 hbtbtn.exe 42 PID 2064 wrote to memory of 1784 2064 hbtbtn.exe 42 PID 2064 wrote to memory of 1784 2064 hbtbtn.exe 42 PID 1784 wrote to memory of 2904 1784 pvjdp.exe 43 PID 1784 wrote to memory of 2904 1784 pvjdp.exe 43 PID 1784 wrote to memory of 2904 1784 pvjdp.exe 43 PID 1784 wrote to memory of 2904 1784 pvjdp.exe 43 PID 2904 wrote to memory of 1312 2904 20888.exe 44 PID 2904 wrote to memory of 1312 2904 20888.exe 44 PID 2904 wrote to memory of 1312 2904 20888.exe 44 PID 2904 wrote to memory of 1312 2904 20888.exe 44 PID 1312 wrote to memory of 1700 1312 xffxlfr.exe 45 PID 1312 wrote to memory of 1700 1312 xffxlfr.exe 45 PID 1312 wrote to memory of 1700 1312 xffxlfr.exe 45 PID 1312 wrote to memory of 1700 1312 xffxlfr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe"C:\Users\Admin\AppData\Local\Temp\86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\bhtnhb.exec:\bhtnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\208444.exec:\208444.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\pjvvd.exec:\pjvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\86446.exec:\86446.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\bnbbnh.exec:\bnbbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\ththhh.exec:\ththhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\htnntt.exec:\htnntt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\bbntbh.exec:\bbntbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\404080.exec:\404080.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\e20622.exec:\e20622.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\824200.exec:\824200.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\hbtbtn.exec:\hbtbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\pvjdp.exec:\pvjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\20888.exec:\20888.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\xffxlfr.exec:\xffxlfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\462888.exec:\462888.exe17⤵
- Executes dropped EXE
PID:1700 -
\??\c:\824066.exec:\824066.exe18⤵
- Executes dropped EXE
PID:1760 -
\??\c:\4284440.exec:\4284440.exe19⤵
- Executes dropped EXE
PID:2092 -
\??\c:\htnnbb.exec:\htnnbb.exe20⤵
- Executes dropped EXE
PID:2552 -
\??\c:\dpvpv.exec:\dpvpv.exe21⤵
- Executes dropped EXE
PID:2116 -
\??\c:\646288.exec:\646288.exe22⤵
- Executes dropped EXE
PID:1920 -
\??\c:\04264.exec:\04264.exe23⤵
- Executes dropped EXE
PID:3016 -
\??\c:\8066624.exec:\8066624.exe24⤵
- Executes dropped EXE
PID:1348 -
\??\c:\4200600.exec:\4200600.exe25⤵
- Executes dropped EXE
PID:2472 -
\??\c:\2460662.exec:\2460662.exe26⤵
- Executes dropped EXE
PID:2468 -
\??\c:\5rfrlfx.exec:\5rfrlfx.exe27⤵
- Executes dropped EXE
PID:908 -
\??\c:\8646486.exec:\8646486.exe28⤵
- Executes dropped EXE
PID:904 -
\??\c:\20222.exec:\20222.exe29⤵
- Executes dropped EXE
PID:2440 -
\??\c:\g2062.exec:\g2062.exe30⤵
- Executes dropped EXE
PID:580 -
\??\c:\hthnnn.exec:\hthnnn.exe31⤵
- Executes dropped EXE
PID:1152 -
\??\c:\7xflrrx.exec:\7xflrrx.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\lfxflll.exec:\lfxflll.exe33⤵
- Executes dropped EXE
PID:2208 -
\??\c:\6028440.exec:\6028440.exe34⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xrffllr.exec:\xrffllr.exe35⤵
- Executes dropped EXE
PID:2300 -
\??\c:\5dvpj.exec:\5dvpj.exe36⤵
- Executes dropped EXE
PID:2684 -
\??\c:\5ddpj.exec:\5ddpj.exe37⤵
- Executes dropped EXE
PID:2364 -
\??\c:\080622.exec:\080622.exe38⤵
- Executes dropped EXE
PID:988 -
\??\c:\vdjjj.exec:\vdjjj.exe39⤵
- Executes dropped EXE
PID:2564 -
\??\c:\08662.exec:\08662.exe40⤵
- Executes dropped EXE
PID:2140 -
\??\c:\2084848.exec:\2084848.exe41⤵
- Executes dropped EXE
PID:2872 -
\??\c:\7tbntt.exec:\7tbntt.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\7rllrll.exec:\7rllrll.exe43⤵
- Executes dropped EXE
PID:2852 -
\??\c:\42444.exec:\42444.exe44⤵
- Executes dropped EXE
PID:3068 -
\??\c:\nhtbhn.exec:\nhtbhn.exe45⤵
- Executes dropped EXE
PID:1808 -
\??\c:\1pdvv.exec:\1pdvv.exe46⤵
- Executes dropped EXE
PID:2660 -
\??\c:\dvdjp.exec:\dvdjp.exe47⤵
- Executes dropped EXE
PID:2636 -
\??\c:\08620.exec:\08620.exe48⤵
- Executes dropped EXE
PID:660 -
\??\c:\42680.exec:\42680.exe49⤵
- Executes dropped EXE
PID:1980 -
\??\c:\226222.exec:\226222.exe50⤵
- Executes dropped EXE
PID:2064 -
\??\c:\820640.exec:\820640.exe51⤵
- Executes dropped EXE
PID:2396 -
\??\c:\60846.exec:\60846.exe52⤵
- Executes dropped EXE
PID:2952 -
\??\c:\04064.exec:\04064.exe53⤵
- Executes dropped EXE
PID:1984 -
\??\c:\7jvpd.exec:\7jvpd.exe54⤵
- Executes dropped EXE
PID:1328 -
\??\c:\k80060.exec:\k80060.exe55⤵
- Executes dropped EXE
PID:1700 -
\??\c:\684466.exec:\684466.exe56⤵
- Executes dropped EXE
PID:1560 -
\??\c:\7dppv.exec:\7dppv.exe57⤵
- Executes dropped EXE
PID:2572 -
\??\c:\2680666.exec:\2680666.exe58⤵
- Executes dropped EXE
PID:2700 -
\??\c:\3rxxxfx.exec:\3rxxxfx.exe59⤵
- Executes dropped EXE
PID:2532 -
\??\c:\4844262.exec:\4844262.exe60⤵
- Executes dropped EXE
PID:1032 -
\??\c:\424000.exec:\424000.exe61⤵
- Executes dropped EXE
PID:348 -
\??\c:\ddvvp.exec:\ddvvp.exe62⤵
- Executes dropped EXE
PID:2644 -
\??\c:\9dpvp.exec:\9dpvp.exe63⤵
- Executes dropped EXE
PID:1396 -
\??\c:\vjpvj.exec:\vjpvj.exe64⤵
- Executes dropped EXE
PID:1348 -
\??\c:\6080468.exec:\6080468.exe65⤵
- Executes dropped EXE
PID:1064 -
\??\c:\djjdd.exec:\djjdd.exe66⤵PID:1932
-
\??\c:\8622444.exec:\8622444.exe67⤵PID:1768
-
\??\c:\868888.exec:\868888.exe68⤵PID:1536
-
\??\c:\fxfrrrf.exec:\fxfrrrf.exe69⤵PID:3040
-
\??\c:\hbntbt.exec:\hbntbt.exe70⤵PID:2440
-
\??\c:\4200600.exec:\4200600.exe71⤵PID:1924
-
\??\c:\nhthnn.exec:\nhthnn.exe72⤵
- System Location Discovery: System Language Discovery
PID:2088 -
\??\c:\6806200.exec:\6806200.exe73⤵PID:1508
-
\??\c:\862604.exec:\862604.exe74⤵PID:1492
-
\??\c:\1ddvv.exec:\1ddvv.exe75⤵PID:1596
-
\??\c:\i800048.exec:\i800048.exe76⤵PID:1592
-
\??\c:\4206844.exec:\4206844.exe77⤵PID:2960
-
\??\c:\vdpjj.exec:\vdpjj.exe78⤵PID:2376
-
\??\c:\flxxxrx.exec:\flxxxrx.exe79⤵PID:2040
-
\??\c:\vpvdj.exec:\vpvdj.exe80⤵PID:796
-
\??\c:\6462828.exec:\6462828.exe81⤵PID:2268
-
\??\c:\rxrlfxx.exec:\rxrlfxx.exe82⤵PID:2912
-
\??\c:\lflllll.exec:\lflllll.exe83⤵PID:2828
-
\??\c:\042246.exec:\042246.exe84⤵PID:2872
-
\??\c:\hbnnbb.exec:\hbnnbb.exe85⤵
- System Location Discovery: System Language Discovery
PID:2796 -
\??\c:\042406.exec:\042406.exe86⤵PID:2792
-
\??\c:\tnbbhn.exec:\tnbbhn.exe87⤵PID:2848
-
\??\c:\jvjjp.exec:\jvjjp.exe88⤵PID:2648
-
\??\c:\1llrxfr.exec:\1llrxfr.exe89⤵PID:672
-
\??\c:\0462884.exec:\0462884.exe90⤵PID:1732
-
\??\c:\6422402.exec:\6422402.exe91⤵PID:852
-
\??\c:\602244.exec:\602244.exe92⤵PID:2880
-
\??\c:\jvvpp.exec:\jvvpp.exe93⤵PID:1784
-
\??\c:\vpdvv.exec:\vpdvv.exe94⤵PID:1676
-
\??\c:\608622.exec:\608622.exe95⤵PID:2952
-
\??\c:\8688840.exec:\8688840.exe96⤵PID:2984
-
\??\c:\q82288.exec:\q82288.exe97⤵PID:1328
-
\??\c:\8262064.exec:\8262064.exe98⤵PID:1988
-
\??\c:\62204.exec:\62204.exe99⤵PID:2972
-
\??\c:\266406.exec:\266406.exe100⤵PID:2572
-
\??\c:\dpdjv.exec:\dpdjv.exe101⤵PID:2236
-
\??\c:\tnbbtt.exec:\tnbbtt.exe102⤵PID:2552
-
\??\c:\608028.exec:\608028.exe103⤵PID:444
-
\??\c:\pjddp.exec:\pjddp.exe104⤵PID:1856
-
\??\c:\jvvvj.exec:\jvvvj.exe105⤵PID:2332
-
\??\c:\vjdjp.exec:\vjdjp.exe106⤵PID:1396
-
\??\c:\4244440.exec:\4244440.exe107⤵PID:2472
-
\??\c:\3dvjp.exec:\3dvjp.exe108⤵PID:2448
-
\??\c:\llxxxxx.exec:\llxxxxx.exe109⤵PID:1668
-
\??\c:\jdpdj.exec:\jdpdj.exe110⤵PID:1360
-
\??\c:\dpdvp.exec:\dpdvp.exe111⤵
- System Location Discovery: System Language Discovery
PID:1036 -
\??\c:\46268.exec:\46268.exe112⤵PID:2992
-
\??\c:\c026228.exec:\c026228.exe113⤵PID:2084
-
\??\c:\lfrrfxf.exec:\lfrrfxf.exe114⤵PID:580
-
\??\c:\3lxlxfl.exec:\3lxlxfl.exe115⤵PID:1924
-
\??\c:\c444484.exec:\c444484.exe116⤵PID:2088
-
\??\c:\4862024.exec:\4862024.exe117⤵
- System Location Discovery: System Language Discovery
PID:1964 -
\??\c:\8628488.exec:\8628488.exe118⤵PID:1492
-
\??\c:\2868402.exec:\2868402.exe119⤵PID:1596
-
\??\c:\60840.exec:\60840.exe120⤵PID:1528
-
\??\c:\9lrrrrr.exec:\9lrrrrr.exe121⤵PID:2300
-
\??\c:\86882.exec:\86882.exe122⤵PID:2304