Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 03:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe
-
Size
454KB
-
MD5
3fb5a98edeadf8ebe864ffb15eb38127
-
SHA1
90cd09ff227538ecf13bfb81584ee945f0a6072f
-
SHA256
c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678
-
SHA512
5bac707f6fe5a6deaaa2e0388bf24c4338536323878ff45d16ca96a4aaed64dc04eeba4ef4006c3555edcd87e184408906bbaed7d6c352cc6076731503e7139d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/2368-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-107-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1576-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-179-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2168-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-215-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1768-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2520-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/868-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-415-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2740-409-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1368-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-460-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2136-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-480-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1392-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1392-537-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/568-544-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1640-550-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1436-683-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1436-700-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2744-702-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1492-717-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2060-736-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2060-763-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2508-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-862-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2860-865-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2884-901-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1724-963-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2316 vpdjd.exe 2300 flflrxl.exe 3000 o422440.exe 1780 5pjpv.exe 2896 nthnbb.exe 2984 vjvpv.exe 2836 48624.exe 2472 5vppp.exe 2740 nnbhtb.exe 2724 26266.exe 2240 7rflxrr.exe 1576 vpdjj.exe 3036 jdvjp.exe 1856 684882.exe 2664 s0806.exe 2764 046840.exe 2476 rlxxxxl.exe 2056 5nttnn.exe 2168 vjvdd.exe 1732 c680000.exe 1772 u428480.exe 2228 1ntntb.exe 1324 7vjjp.exe 2124 xlflrlr.exe 984 vpddd.exe 1768 68006.exe 2180 lflxfxf.exe 2520 flrllfl.exe 868 dvddp.exe 1748 tbnttb.exe 2600 k68444.exe 2380 02488.exe 1584 064042.exe 1992 00840.exe 1804 9bbhnt.exe 2544 nhbhnn.exe 2804 7fxrxrr.exe 2964 422266.exe 2808 7rxxxff.exe 2984 jppdj.exe 3060 864082.exe 2988 nnnbhh.exe 2688 c488042.exe 2740 48668.exe 2036 44064.exe 2240 fffxlrx.exe 1616 lflrxxf.exe 3012 ttnbnb.exe 1724 60884.exe 1368 64284.exe 2112 042462.exe 1728 lrllrfl.exe 2560 fflxflr.exe 2232 dvppp.exe 2384 6088624.exe 2772 802202.exe 1732 7vdvp.exe 2136 jjjpp.exe 2020 rrlrxxl.exe 1320 8228248.exe 1324 8268284.exe 2556 08660.exe 1752 rrlrxlx.exe 1392 08006.exe -
resource yara_rule behavioral1/memory/2368-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-179-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2168-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2808-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-480-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2020-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-626-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2744-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-809-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1052-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-861-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-876-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-950-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-963-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xllfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o420228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4200844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4244008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 2316 2368 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 31 PID 2368 wrote to memory of 2316 2368 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 31 PID 2368 wrote to memory of 2316 2368 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 31 PID 2368 wrote to memory of 2316 2368 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 31 PID 2316 wrote to memory of 2300 2316 vpdjd.exe 32 PID 2316 wrote to memory of 2300 2316 vpdjd.exe 32 PID 2316 wrote to memory of 2300 2316 vpdjd.exe 32 PID 2316 wrote to memory of 2300 2316 vpdjd.exe 32 PID 2300 wrote to memory of 3000 2300 flflrxl.exe 33 PID 2300 wrote to memory of 3000 2300 flflrxl.exe 33 PID 2300 wrote to memory of 3000 2300 flflrxl.exe 33 PID 2300 wrote to memory of 3000 2300 flflrxl.exe 33 PID 3000 wrote to memory of 1780 3000 o422440.exe 34 PID 3000 wrote to memory of 1780 3000 o422440.exe 34 PID 3000 wrote to memory of 1780 3000 o422440.exe 34 PID 3000 wrote to memory of 1780 3000 o422440.exe 34 PID 1780 wrote to memory of 2896 1780 5pjpv.exe 35 PID 1780 wrote to memory of 2896 1780 5pjpv.exe 35 PID 1780 wrote to memory of 2896 1780 5pjpv.exe 35 PID 1780 wrote to memory of 2896 1780 5pjpv.exe 35 PID 2896 wrote to memory of 2984 2896 nthnbb.exe 36 PID 2896 wrote to memory of 2984 2896 nthnbb.exe 36 PID 2896 wrote to memory of 2984 2896 nthnbb.exe 36 PID 2896 wrote to memory of 2984 2896 nthnbb.exe 36 PID 2984 wrote to memory of 2836 2984 vjvpv.exe 37 PID 2984 wrote to memory of 2836 2984 vjvpv.exe 37 PID 2984 wrote to memory of 2836 2984 vjvpv.exe 37 PID 2984 wrote to memory of 2836 2984 vjvpv.exe 37 PID 2836 wrote to memory of 2472 2836 48624.exe 38 PID 2836 wrote to memory of 2472 2836 48624.exe 38 PID 2836 wrote to memory of 2472 2836 48624.exe 38 PID 2836 wrote to memory of 2472 2836 48624.exe 38 PID 2472 wrote to memory of 2740 2472 5vppp.exe 39 PID 2472 wrote to 
memory of 2740 2472 5vppp.exe 39 PID 2472 wrote to memory of 2740 2472 5vppp.exe 39 PID 2472 wrote to memory of 2740 2472 5vppp.exe 39 PID 2740 wrote to memory of 2724 2740 nnbhtb.exe 40 PID 2740 wrote to memory of 2724 2740 nnbhtb.exe 40 PID 2740 wrote to memory of 2724 2740 nnbhtb.exe 40 PID 2740 wrote to memory of 2724 2740 nnbhtb.exe 40 PID 2724 wrote to memory of 2240 2724 26266.exe 41 PID 2724 wrote to memory of 2240 2724 26266.exe 41 PID 2724 wrote to memory of 2240 2724 26266.exe 41 PID 2724 wrote to memory of 2240 2724 26266.exe 41 PID 2240 wrote to memory of 1576 2240 7rflxrr.exe 42 PID 2240 wrote to memory of 1576 2240 7rflxrr.exe 42 PID 2240 wrote to memory of 1576 2240 7rflxrr.exe 42 PID 2240 wrote to memory of 1576 2240 7rflxrr.exe 42 PID 1576 wrote to memory of 3036 1576 vpdjj.exe 43 PID 1576 wrote to memory of 3036 1576 vpdjj.exe 43 PID 1576 wrote to memory of 3036 1576 vpdjj.exe 43 PID 1576 wrote to memory of 3036 1576 vpdjj.exe 43 PID 3036 wrote to memory of 1856 3036 jdvjp.exe 44 PID 3036 wrote to memory of 1856 3036 jdvjp.exe 44 PID 3036 wrote to memory of 1856 3036 jdvjp.exe 44 PID 3036 wrote to memory of 1856 3036 jdvjp.exe 44 PID 1856 wrote to memory of 2664 1856 684882.exe 45 PID 1856 wrote to memory of 2664 1856 684882.exe 45 PID 1856 wrote to memory of 2664 1856 684882.exe 45 PID 1856 wrote to memory of 2664 1856 684882.exe 45 PID 2664 wrote to memory of 2764 2664 s0806.exe 46 PID 2664 wrote to memory of 2764 2664 s0806.exe 46 PID 2664 wrote to memory of 2764 2664 s0806.exe 46 PID 2664 wrote to memory of 2764 2664 s0806.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe"C:\Users\Admin\AppData\Local\Temp\c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\vpdjd.exec:\vpdjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\flflrxl.exec:\flflrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\o422440.exec:\o422440.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\5pjpv.exec:\5pjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\nthnbb.exec:\nthnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\vjvpv.exec:\vjvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\48624.exec:\48624.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\5vppp.exec:\5vppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\nnbhtb.exec:\nnbhtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\26266.exec:\26266.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\7rflxrr.exec:\7rflxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\vpdjj.exec:\vpdjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\jdvjp.exec:\jdvjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\684882.exec:\684882.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\s0806.exec:\s0806.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\046840.exec:\046840.exe17⤵
- Executes dropped EXE
PID:2764 -
\??\c:\rlxxxxl.exec:\rlxxxxl.exe18⤵
- Executes dropped EXE
PID:2476 -
\??\c:\5nttnn.exec:\5nttnn.exe19⤵
- Executes dropped EXE
PID:2056 -
\??\c:\vjvdd.exec:\vjvdd.exe20⤵
- Executes dropped EXE
PID:2168 -
\??\c:\c680000.exec:\c680000.exe21⤵
- Executes dropped EXE
PID:1732 -
\??\c:\u428480.exec:\u428480.exe22⤵
- Executes dropped EXE
PID:1772 -
\??\c:\1ntntb.exec:\1ntntb.exe23⤵
- Executes dropped EXE
PID:2228 -
\??\c:\7vjjp.exec:\7vjjp.exe24⤵
- Executes dropped EXE
PID:1324 -
\??\c:\xlflrlr.exec:\xlflrlr.exe25⤵
- Executes dropped EXE
PID:2124 -
\??\c:\vpddd.exec:\vpddd.exe26⤵
- Executes dropped EXE
PID:984 -
\??\c:\68006.exec:\68006.exe27⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lflxfxf.exec:\lflxfxf.exe28⤵
- Executes dropped EXE
PID:2180 -
\??\c:\flrllfl.exec:\flrllfl.exe29⤵
- Executes dropped EXE
PID:2520 -
\??\c:\dvddp.exec:\dvddp.exe30⤵
- Executes dropped EXE
PID:868 -
\??\c:\tbnttb.exec:\tbnttb.exe31⤵
- Executes dropped EXE
PID:1748 -
\??\c:\k68444.exec:\k68444.exe32⤵
- Executes dropped EXE
PID:2600 -
\??\c:\02488.exec:\02488.exe33⤵
- Executes dropped EXE
PID:2380 -
\??\c:\064042.exec:\064042.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\00840.exec:\00840.exe35⤵
- Executes dropped EXE
PID:1992 -
\??\c:\9bbhnt.exec:\9bbhnt.exe36⤵
- Executes dropped EXE
PID:1804 -
\??\c:\nhbhnn.exec:\nhbhnn.exe37⤵
- Executes dropped EXE
PID:2544 -
\??\c:\7fxrxrr.exec:\7fxrxrr.exe38⤵
- Executes dropped EXE
PID:2804 -
\??\c:\422266.exec:\422266.exe39⤵
- Executes dropped EXE
PID:2964 -
\??\c:\7rxxxff.exec:\7rxxxff.exe40⤵
- Executes dropped EXE
PID:2808 -
\??\c:\jppdj.exec:\jppdj.exe41⤵
- Executes dropped EXE
PID:2984 -
\??\c:\864082.exec:\864082.exe42⤵
- Executes dropped EXE
PID:3060 -
\??\c:\nnnbhh.exec:\nnnbhh.exe43⤵
- Executes dropped EXE
PID:2988 -
\??\c:\c488042.exec:\c488042.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\48668.exec:\48668.exe45⤵
- Executes dropped EXE
PID:2740 -
\??\c:\44064.exec:\44064.exe46⤵
- Executes dropped EXE
PID:2036 -
\??\c:\fffxlrx.exec:\fffxlrx.exe47⤵
- Executes dropped EXE
PID:2240 -
\??\c:\lflrxxf.exec:\lflrxxf.exe48⤵
- Executes dropped EXE
PID:1616 -
\??\c:\ttnbnb.exec:\ttnbnb.exe49⤵
- Executes dropped EXE
PID:3012 -
\??\c:\60884.exec:\60884.exe50⤵
- Executes dropped EXE
PID:1724 -
\??\c:\64284.exec:\64284.exe51⤵
- Executes dropped EXE
PID:1368 -
\??\c:\042462.exec:\042462.exe52⤵
- Executes dropped EXE
PID:2112 -
\??\c:\lrllrfl.exec:\lrllrfl.exe53⤵
- Executes dropped EXE
PID:1728 -
\??\c:\fflxflr.exec:\fflxflr.exe54⤵
- Executes dropped EXE
PID:2560 -
\??\c:\dvppp.exec:\dvppp.exe55⤵
- Executes dropped EXE
PID:2232 -
\??\c:\6088624.exec:\6088624.exe56⤵
- Executes dropped EXE
PID:2384 -
\??\c:\802202.exec:\802202.exe57⤵
- Executes dropped EXE
PID:2772 -
\??\c:\7vdvp.exec:\7vdvp.exe58⤵
- Executes dropped EXE
PID:1732 -
\??\c:\jjjpp.exec:\jjjpp.exe59⤵
- Executes dropped EXE
PID:2136 -
\??\c:\rrlrxxl.exec:\rrlrxxl.exe60⤵
- Executes dropped EXE
PID:2020 -
\??\c:\8228248.exec:\8228248.exe61⤵
- Executes dropped EXE
PID:1320 -
\??\c:\8268284.exec:\8268284.exe62⤵
- Executes dropped EXE
PID:1324 -
\??\c:\08660.exec:\08660.exe63⤵
- Executes dropped EXE
PID:2556 -
\??\c:\rrlrxlx.exec:\rrlrxlx.exe64⤵
- Executes dropped EXE
PID:1752 -
\??\c:\08006.exec:\08006.exe65⤵
- Executes dropped EXE
PID:1392 -
\??\c:\820628.exec:\820628.exe66⤵PID:1332
-
\??\c:\88880.exec:\88880.exe67⤵PID:1096
-
\??\c:\k64062.exec:\k64062.exe68⤵PID:2180
-
\??\c:\jjjvj.exec:\jjjvj.exe69⤵PID:568
-
\??\c:\fxxxxxf.exec:\fxxxxxf.exe70⤵PID:1640
-
\??\c:\fxrlxfr.exec:\fxrlxfr.exe71⤵PID:1052
-
\??\c:\lfflxrf.exec:\lfflxrf.exe72⤵PID:828
-
\??\c:\202248.exec:\202248.exe73⤵PID:840
-
\??\c:\2044008.exec:\2044008.exe74⤵PID:1216
-
\??\c:\fxrxllx.exec:\fxrxllx.exe75⤵PID:1564
-
\??\c:\nbntbb.exec:\nbntbb.exe76⤵PID:1584
-
\??\c:\046240.exec:\046240.exe77⤵PID:2288
-
\??\c:\4840880.exec:\4840880.exe78⤵PID:2444
-
\??\c:\xrlrllf.exec:\xrlrllf.exe79⤵PID:2196
-
\??\c:\lxrxlrf.exec:\lxrxlrf.exe80⤵PID:2904
-
\??\c:\lfxflrr.exec:\lfxflrr.exe81⤵PID:2140
-
\??\c:\6084662.exec:\6084662.exe82⤵PID:2792
-
\??\c:\xfxlxfr.exec:\xfxlxfr.exe83⤵PID:2200
-
\??\c:\hhthnt.exec:\hhthnt.exe84⤵PID:2912
-
\??\c:\820028.exec:\820028.exe85⤵PID:2788
-
\??\c:\202684.exec:\202684.exe86⤵PID:2708
-
\??\c:\1vpjp.exec:\1vpjp.exe87⤵PID:2796
-
\??\c:\86884.exec:\86884.exe88⤵PID:2736
-
\??\c:\82402.exec:\82402.exe89⤵PID:332
-
\??\c:\nnthhh.exec:\nnthhh.exe90⤵PID:2240
-
\??\c:\8640464.exec:\8640464.exe91⤵PID:1436
-
\??\c:\i040286.exec:\i040286.exe92⤵PID:1568
-
\??\c:\820640.exec:\820640.exe93⤵PID:1688
-
\??\c:\8688402.exec:\8688402.exe94⤵PID:2744
-
\??\c:\vpvpv.exec:\vpvpv.exe95⤵PID:2764
-
\??\c:\dvpvp.exec:\dvpvp.exe96⤵PID:1492
-
\??\c:\s2680.exec:\s2680.exe97⤵PID:2476
-
\??\c:\9vjvj.exec:\9vjvj.exe98⤵PID:1388
-
\??\c:\w26404.exec:\w26404.exe99⤵PID:2060
-
\??\c:\9bbhnn.exec:\9bbhnn.exe100⤵PID:796
-
\??\c:\btnbnt.exec:\btnbnt.exe101⤵PID:1632
-
\??\c:\o080228.exec:\o080228.exe102⤵PID:900
-
\??\c:\5pdjv.exec:\5pdjv.exe103⤵PID:1772
-
\??\c:\vpdvj.exec:\vpdvj.exe104⤵PID:1260
-
\??\c:\84622.exec:\84622.exe105⤵PID:1624
-
\??\c:\3lffllr.exec:\3lffllr.exe106⤵PID:848
-
\??\c:\642866.exec:\642866.exe107⤵PID:2464
-
\??\c:\04686.exec:\04686.exe108⤵PID:1628
-
\??\c:\646244.exec:\646244.exe109⤵PID:600
-
\??\c:\jdvjv.exec:\jdvjv.exe110⤵PID:2128
-
\??\c:\448406.exec:\448406.exe111⤵PID:2040
-
\??\c:\264062.exec:\264062.exe112⤵PID:1636
-
\??\c:\rlxllll.exec:\rlxllll.exe113⤵PID:1640
-
\??\c:\844244.exec:\844244.exe114⤵PID:1052
-
\??\c:\2602846.exec:\2602846.exe115⤵PID:2308
-
\??\c:\btbbht.exec:\btbbht.exe116⤵PID:840
-
\??\c:\8202846.exec:\8202846.exe117⤵PID:1216
-
\??\c:\5bnhnt.exec:\5bnhnt.exe118⤵PID:2508
-
\??\c:\tnntbb.exec:\tnntbb.exe119⤵PID:2860
-
\??\c:\42280.exec:\42280.exe120⤵PID:1516
-
\??\c:\rlfrffl.exec:\rlfrffl.exe121⤵PID:2884
-
\??\c:\hbnnhh.exec:\hbnnhh.exe122⤵PID:2824