Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 21:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
34ba8e6efaae151de8ee551f01e15ce98d423e93b50a6b5fa50765b5c2da559c.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
34ba8e6efaae151de8ee551f01e15ce98d423e93b50a6b5fa50765b5c2da559c.exe
-
Size
454KB
-
MD5
e01dd784c21cd78ae072373a4663564a
-
SHA1
7fbed29a3db6aac77e7db463c64570353906c41d
-
SHA256
34ba8e6efaae151de8ee551f01e15ce98d423e93b50a6b5fa50765b5c2da559c
-
SHA512
062d5ab984a82ffc70d7db4f6ed0eab791ae277b99ae961794950722f510793e1af03f0fa652f90c1e3f5a6f041c15b9e0c05e0a5fc2687c7a2edf8836c9ed0e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2996-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-33-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2552-22-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2816-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-155-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1560-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-165-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1980-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/756-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-336-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2768-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-350-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2760-366-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2808-380-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2796-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/828-502-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/308-516-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/308-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1360-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1360-551-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2228-586-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2228-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-599-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2228-606-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3000-612-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1676-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-636-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2852-654-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2216-850-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1584-876-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing appears capped at 64 entries; the process tree below shows further stages beyond those listed here)
pid Process 2996 q48842.exe 2552 bbthhn.exe 1908 tbhntb.exe 1924 5pdjd.exe 2816 vpdpv.exe 2776 4262406.exe 2868 pjvdp.exe 3008 nhtbnn.exe 2988 vdpvd.exe 2676 nbbbnn.exe 2648 0406228.exe 2480 268800.exe 2484 60466.exe 1912 bhbtbh.exe 1308 nbnbnn.exe 1560 hnbnbh.exe 1444 0800040.exe 2984 lfxflrf.exe 1732 7flxrxf.exe 1980 4244000.exe 1440 046628.exe 1304 bthntn.exe 2316 ffxlflf.exe 1776 htnnnt.exe 1160 8688402.exe 756 808460.exe 1720 86026.exe 3020 8640046.exe 2516 bhtbhn.exe 984 xfxrxrf.exe 684 48024.exe 2120 04846.exe 1960 860288.exe 1688 s8242.exe 2912 6024626.exe 2328 c462286.exe 844 i220246.exe 2364 q80640.exe 2352 bhbhhn.exe 2460 820802.exe 2768 vpdvp.exe 2732 7xrrflf.exe 2760 m0240.exe 2664 26082.exe 2808 fxrrflx.exe 2904 046800.exe 2872 pjdvj.exe 2700 1nthtn.exe 2148 488062.exe 2796 886246.exe 1628 5flrffx.exe 2472 tthntn.exe 1912 ddppj.exe 1152 862888.exe 1964 680648.exe 1560 c644666.exe 1812 s4280.exe 2952 666480.exe 2280 c240606.exe 1112 xrrfrxx.exe 2176 1frllrr.exe 2072 42840.exe 828 82680.exe 1028 e48804.exe -
resource yara_rule behavioral1/memory/2996-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-33-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2816-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-145-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1308-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-165-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2984-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/756-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-267-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2120-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/828-502-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/308-516-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/308-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-695-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2644-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-792-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2216-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-843-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTP 64 IoCs
Attempts to gather information about the victim system's language — here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language — in order to infer the geographical location of the host. Note: many of the IoCs below are attributed to "Process not Found", meaning the sandbox could not resolve the acting PID to a process name when the event was logged; the registry key access itself remains a usable detection anchor regardless of attribution.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6466880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1httbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q42846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8206840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6080624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2708 wrote to memory of 2996 2708 34ba8e6efaae151de8ee551f01e15ce98d423e93b50a6b5fa50765b5c2da559c.exe 30 PID 2708 wrote to memory of 2996 2708 34ba8e6efaae151de8ee551f01e15ce98d423e93b50a6b5fa50765b5c2da559c.exe 30 PID 2708 wrote to memory of 2996 2708 34ba8e6efaae151de8ee551f01e15ce98d423e93b50a6b5fa50765b5c2da559c.exe 30 PID 2708 wrote to memory of 2996 2708 34ba8e6efaae151de8ee551f01e15ce98d423e93b50a6b5fa50765b5c2da559c.exe 30 PID 2996 wrote to memory of 2552 2996 q48842.exe 31 PID 2996 wrote to memory of 2552 2996 q48842.exe 31 PID 2996 wrote to memory of 2552 2996 q48842.exe 31 PID 2996 wrote to memory of 2552 2996 q48842.exe 31 PID 2552 wrote to memory of 1908 2552 bbthhn.exe 32 PID 2552 wrote to memory of 1908 2552 bbthhn.exe 32 PID 2552 wrote to memory of 1908 2552 bbthhn.exe 32 PID 2552 wrote to memory of 1908 2552 bbthhn.exe 32 PID 1908 wrote to memory of 1924 1908 tbhntb.exe 33 PID 1908 wrote to memory of 1924 1908 tbhntb.exe 33 PID 1908 wrote to memory of 1924 1908 tbhntb.exe 33 PID 1908 wrote to memory of 1924 1908 tbhntb.exe 33 PID 1924 wrote to memory of 2816 1924 5pdjd.exe 34 PID 1924 wrote to memory of 2816 1924 5pdjd.exe 34 PID 1924 wrote to memory of 2816 1924 5pdjd.exe 34 PID 1924 wrote to memory of 2816 1924 5pdjd.exe 34 PID 2816 wrote to memory of 2776 2816 vpdpv.exe 35 PID 2816 wrote to memory of 2776 2816 vpdpv.exe 35 PID 2816 wrote to memory of 2776 2816 vpdpv.exe 35 PID 2816 wrote to memory of 2776 2816 vpdpv.exe 35 PID 2776 wrote to memory of 2868 2776 4262406.exe 36 PID 2776 wrote to memory of 2868 2776 4262406.exe 36 PID 2776 wrote to memory of 2868 2776 4262406.exe 36 PID 2776 wrote to memory of 2868 2776 4262406.exe 36 PID 2868 wrote to memory of 3008 2868 pjvdp.exe 37 PID 2868 wrote to memory of 3008 2868 pjvdp.exe 37 PID 2868 wrote to memory of 3008 2868 pjvdp.exe 37 PID 2868 wrote to memory of 3008 2868 pjvdp.exe 37 PID 3008 wrote to memory of 2988 3008 nhtbnn.exe 38 PID 3008 wrote to 
memory of 2988 3008 nhtbnn.exe 38 PID 3008 wrote to memory of 2988 3008 nhtbnn.exe 38 PID 3008 wrote to memory of 2988 3008 nhtbnn.exe 38 PID 2988 wrote to memory of 2676 2988 vdpvd.exe 39 PID 2988 wrote to memory of 2676 2988 vdpvd.exe 39 PID 2988 wrote to memory of 2676 2988 vdpvd.exe 39 PID 2988 wrote to memory of 2676 2988 vdpvd.exe 39 PID 2676 wrote to memory of 2648 2676 nbbbnn.exe 40 PID 2676 wrote to memory of 2648 2676 nbbbnn.exe 40 PID 2676 wrote to memory of 2648 2676 nbbbnn.exe 40 PID 2676 wrote to memory of 2648 2676 nbbbnn.exe 40 PID 2648 wrote to memory of 2480 2648 0406228.exe 41 PID 2648 wrote to memory of 2480 2648 0406228.exe 41 PID 2648 wrote to memory of 2480 2648 0406228.exe 41 PID 2648 wrote to memory of 2480 2648 0406228.exe 41 PID 2480 wrote to memory of 2484 2480 268800.exe 42 PID 2480 wrote to memory of 2484 2480 268800.exe 42 PID 2480 wrote to memory of 2484 2480 268800.exe 42 PID 2480 wrote to memory of 2484 2480 268800.exe 42 PID 2484 wrote to memory of 1912 2484 60466.exe 43 PID 2484 wrote to memory of 1912 2484 60466.exe 43 PID 2484 wrote to memory of 1912 2484 60466.exe 43 PID 2484 wrote to memory of 1912 2484 60466.exe 43 PID 1912 wrote to memory of 1308 1912 bhbtbh.exe 44 PID 1912 wrote to memory of 1308 1912 bhbtbh.exe 44 PID 1912 wrote to memory of 1308 1912 bhbtbh.exe 44 PID 1912 wrote to memory of 1308 1912 bhbtbh.exe 44 PID 1308 wrote to memory of 1560 1308 nbnbnn.exe 45 PID 1308 wrote to memory of 1560 1308 nbnbnn.exe 45 PID 1308 wrote to memory of 1560 1308 nbnbnn.exe 45 PID 1308 wrote to memory of 1560 1308 nbnbnn.exe 45
Processes — a single linear chain: each stage is dropped to the root of C:\ under a short pseudo-random name (e.g. c:\q48842.exe) and executes the next stage, which repeats the pattern; the tree shown reaches 122 levels. Execution of short-named binaries from the drive root, each spawning one child, is the distinguishing behaviour to hunt for.
-
C:\Users\Admin\AppData\Local\Temp\34ba8e6efaae151de8ee551f01e15ce98d423e93b50a6b5fa50765b5c2da559c.exe"C:\Users\Admin\AppData\Local\Temp\34ba8e6efaae151de8ee551f01e15ce98d423e93b50a6b5fa50765b5c2da559c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\q48842.exec:\q48842.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\bbthhn.exec:\bbthhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\tbhntb.exec:\tbhntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\5pdjd.exec:\5pdjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\vpdpv.exec:\vpdpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\4262406.exec:\4262406.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\pjvdp.exec:\pjvdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\nhtbnn.exec:\nhtbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\vdpvd.exec:\vdpvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\nbbbnn.exec:\nbbbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\0406228.exec:\0406228.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\268800.exec:\268800.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\60466.exec:\60466.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\bhbtbh.exec:\bhbtbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\nbnbnn.exec:\nbnbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\hnbnbh.exec:\hnbnbh.exe17⤵
- Executes dropped EXE
PID:1560 -
\??\c:\0800040.exec:\0800040.exe18⤵
- Executes dropped EXE
PID:1444 -
\??\c:\lfxflrf.exec:\lfxflrf.exe19⤵
- Executes dropped EXE
PID:2984 -
\??\c:\7flxrxf.exec:\7flxrxf.exe20⤵
- Executes dropped EXE
PID:1732 -
\??\c:\4244000.exec:\4244000.exe21⤵
- Executes dropped EXE
PID:1980 -
\??\c:\046628.exec:\046628.exe22⤵
- Executes dropped EXE
PID:1440 -
\??\c:\bthntn.exec:\bthntn.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1304 -
\??\c:\ffxlflf.exec:\ffxlflf.exe24⤵
- Executes dropped EXE
PID:2316 -
\??\c:\htnnnt.exec:\htnnnt.exe25⤵
- Executes dropped EXE
PID:1776 -
\??\c:\8688402.exec:\8688402.exe26⤵
- Executes dropped EXE
PID:1160 -
\??\c:\808460.exec:\808460.exe27⤵
- Executes dropped EXE
PID:756 -
\??\c:\86026.exec:\86026.exe28⤵
- Executes dropped EXE
PID:1720 -
\??\c:\8640046.exec:\8640046.exe29⤵
- Executes dropped EXE
PID:3020 -
\??\c:\bhtbhn.exec:\bhtbhn.exe30⤵
- Executes dropped EXE
PID:2516 -
\??\c:\xfxrxrf.exec:\xfxrxrf.exe31⤵
- Executes dropped EXE
PID:984 -
\??\c:\48024.exec:\48024.exe32⤵
- Executes dropped EXE
PID:684 -
\??\c:\04846.exec:\04846.exe33⤵
- Executes dropped EXE
PID:2120 -
\??\c:\860288.exec:\860288.exe34⤵
- Executes dropped EXE
PID:1960 -
\??\c:\s8242.exec:\s8242.exe35⤵
- Executes dropped EXE
PID:1688 -
\??\c:\6024626.exec:\6024626.exe36⤵
- Executes dropped EXE
PID:2912 -
\??\c:\c462286.exec:\c462286.exe37⤵
- Executes dropped EXE
PID:2328 -
\??\c:\i220246.exec:\i220246.exe38⤵
- Executes dropped EXE
PID:844 -
\??\c:\q80640.exec:\q80640.exe39⤵
- Executes dropped EXE
PID:2364 -
\??\c:\bhbhhn.exec:\bhbhhn.exe40⤵
- Executes dropped EXE
PID:2352 -
\??\c:\820802.exec:\820802.exe41⤵
- Executes dropped EXE
PID:2460 -
\??\c:\vpdvp.exec:\vpdvp.exe42⤵
- Executes dropped EXE
PID:2768 -
\??\c:\7xrrflf.exec:\7xrrflf.exe43⤵
- Executes dropped EXE
PID:2732 -
\??\c:\m0240.exec:\m0240.exe44⤵
- Executes dropped EXE
PID:2760 -
\??\c:\26082.exec:\26082.exe45⤵
- Executes dropped EXE
PID:2664 -
\??\c:\fxrrflx.exec:\fxrrflx.exe46⤵
- Executes dropped EXE
PID:2808 -
\??\c:\046800.exec:\046800.exe47⤵
- Executes dropped EXE
PID:2904 -
\??\c:\pjdvj.exec:\pjdvj.exe48⤵
- Executes dropped EXE
PID:2872 -
\??\c:\1nthtn.exec:\1nthtn.exe49⤵
- Executes dropped EXE
PID:2700 -
\??\c:\488062.exec:\488062.exe50⤵
- Executes dropped EXE
PID:2148 -
\??\c:\886246.exec:\886246.exe51⤵
- Executes dropped EXE
PID:2796 -
\??\c:\5flrffx.exec:\5flrffx.exe52⤵
- Executes dropped EXE
PID:1628 -
\??\c:\tthntn.exec:\tthntn.exe53⤵
- Executes dropped EXE
PID:2472 -
\??\c:\ddppj.exec:\ddppj.exe54⤵
- Executes dropped EXE
PID:1912 -
\??\c:\862888.exec:\862888.exe55⤵
- Executes dropped EXE
PID:1152 -
\??\c:\680648.exec:\680648.exe56⤵
- Executes dropped EXE
PID:1964 -
\??\c:\c644666.exec:\c644666.exe57⤵
- Executes dropped EXE
PID:1560 -
\??\c:\s4280.exec:\s4280.exe58⤵
- Executes dropped EXE
PID:1812 -
\??\c:\666480.exec:\666480.exe59⤵
- Executes dropped EXE
PID:2952 -
\??\c:\c240606.exec:\c240606.exe60⤵
- Executes dropped EXE
PID:2280 -
\??\c:\xrrfrxx.exec:\xrrfrxx.exe61⤵
- Executes dropped EXE
PID:1112 -
\??\c:\1frllrr.exec:\1frllrr.exe62⤵
- Executes dropped EXE
PID:2176 -
\??\c:\42840.exec:\42840.exe63⤵
- Executes dropped EXE
PID:2072 -
\??\c:\82680.exec:\82680.exe64⤵
- Executes dropped EXE
PID:828 -
\??\c:\e48804.exec:\e48804.exe65⤵
- Executes dropped EXE
PID:1028 -
\??\c:\m0284.exec:\m0284.exe66⤵PID:308
-
\??\c:\8228464.exec:\8228464.exe67⤵PID:940
-
\??\c:\a0840.exec:\a0840.exe68⤵PID:1360
-
\??\c:\ttnbht.exec:\ttnbht.exe69⤵PID:1532
-
\??\c:\0806884.exec:\0806884.exe70⤵PID:1356
-
\??\c:\02622.exec:\02622.exe71⤵PID:324
-
\??\c:\u202840.exec:\u202840.exe72⤵PID:696
-
\??\c:\vvjdj.exec:\vvjdj.exe73⤵PID:2936
-
\??\c:\nbnbbt.exec:\nbnbbt.exe74⤵PID:984
-
\??\c:\pjpjv.exec:\pjpjv.exe75⤵PID:684
-
\??\c:\xlrlfxf.exec:\xlrlfxf.exe76⤵PID:2228
-
\??\c:\fxrrffr.exec:\fxrrffr.exe77⤵PID:2160
-
\??\c:\xffxlrx.exec:\xffxlrx.exe78⤵PID:2464
-
\??\c:\a0600.exec:\a0600.exe79⤵PID:1556
-
\??\c:\q80006.exec:\q80006.exe80⤵PID:3000
-
\??\c:\rfrxffr.exec:\rfrxffr.exe81⤵PID:1676
-
\??\c:\42662.exec:\42662.exe82⤵PID:2112
-
\??\c:\820424.exec:\820424.exe83⤵PID:2380
-
\??\c:\020022.exec:\020022.exe84⤵PID:1700
-
\??\c:\868222.exec:\868222.exe85⤵PID:3024
-
\??\c:\hhtbnn.exec:\hhtbnn.exe86⤵PID:2852
-
\??\c:\1bbtnh.exec:\1bbtnh.exe87⤵PID:2788
-
\??\c:\04802.exec:\04802.exe88⤵PID:2664
-
\??\c:\i624040.exec:\i624040.exe89⤵PID:2824
-
\??\c:\1llrxxl.exec:\1llrxxl.exe90⤵PID:2668
-
\??\c:\5tnttb.exec:\5tnttb.exe91⤵PID:2872
-
\??\c:\0862406.exec:\0862406.exe92⤵PID:2740
-
\??\c:\lfrxffl.exec:\lfrxffl.exe93⤵PID:2148
-
\??\c:\e42248.exec:\e42248.exe94⤵PID:2644
-
\??\c:\pdjvp.exec:\pdjvp.exe95⤵PID:1628
-
\??\c:\bbnnbh.exec:\bbnnbh.exe96⤵PID:2484
-
\??\c:\m0686.exec:\m0686.exe97⤵PID:1564
-
\??\c:\vjdvd.exec:\vjdvd.exe98⤵PID:1312
-
\??\c:\468482.exec:\468482.exe99⤵PID:1816
-
\??\c:\3dpvd.exec:\3dpvd.exe100⤵PID:2976
-
\??\c:\024000.exec:\024000.exe101⤵
- System Location Discovery: System Language Discovery
PID:2956 -
\??\c:\02804.exec:\02804.exe102⤵PID:2992
-
\??\c:\jdvjj.exec:\jdvjj.exe103⤵PID:2184
-
\??\c:\jpddp.exec:\jpddp.exe104⤵PID:2388
-
\??\c:\btbttt.exec:\btbttt.exe105⤵PID:2252
-
\??\c:\g6262.exec:\g6262.exe106⤵PID:448
-
\??\c:\5tnntb.exec:\5tnntb.exe107⤵PID:1304
-
\??\c:\08400.exec:\08400.exe108⤵PID:1084
-
\??\c:\86444.exec:\86444.exe109⤵
- System Location Discovery: System Language Discovery
PID:1596 -
\??\c:\42806.exec:\42806.exe110⤵PID:1160
-
\??\c:\xrlrxfr.exec:\xrlrxfr.exe111⤵PID:1296
-
\??\c:\vdpjj.exec:\vdpjj.exe112⤵PID:1524
-
\??\c:\24662.exec:\24662.exe113⤵PID:2216
-
\??\c:\jdppv.exec:\jdppv.exe114⤵PID:1356
-
\??\c:\rlxrffl.exec:\rlxrffl.exe115⤵PID:2516
-
\??\c:\jdjjv.exec:\jdjjv.exe116⤵PID:2196
-
\??\c:\vjvvv.exec:\vjvvv.exe117⤵PID:2936
-
\??\c:\jvddd.exec:\jvddd.exe118⤵PID:2348
-
\??\c:\u806262.exec:\u806262.exe119⤵PID:684
-
\??\c:\44622.exec:\44622.exe120⤵PID:1584
-
\??\c:\2044040.exec:\2044040.exe121⤵PID:2160
-
\??\c:\3lxffxf.exec:\3lxffxf.exe122⤵PID:2464