Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 22:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
533c971a93c68cc2acd4d805306c1d7c37217abb3582210de44923afb5ce0bb0.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
533c971a93c68cc2acd4d805306c1d7c37217abb3582210de44923afb5ce0bb0.exe
-
Size
453KB
-
MD5
642160d240df6ab9ff7b1492c16c89e9
-
SHA1
82a5ac74014ab882e7905d6c4ed4013aec181f9d
-
SHA256
533c971a93c68cc2acd4d805306c1d7c37217abb3582210de44923afb5ce0bb0
-
SHA512
22b2d5573b8e82a5dce995b4c182c86c488914afe3b3ffb29851530242cd8d10557acd3cbd3edc83aa857c16e15a778b1bbe8db522604fe8ed03ecae8f02b3da
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2132-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/952-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2824-339-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2824-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-348-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2364-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1456-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-468-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2112-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/880-498-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/700-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-554-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2776-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-674-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1632-682-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2800-865-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-872-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2604-1041-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/2440-1143-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2508 jpdjp.exe 1048 btttnb.exe 3036 lfxxfxf.exe 1308 9xrrxfl.exe 2312 jdpvd.exe 2908 dvvdp.exe 2820 868466.exe 3000 48020.exe 2428 nhtthh.exe 2832 7hbbhh.exe 2680 8262880.exe 3044 04846.exe 2256 hhhhnn.exe 2392 vpjjp.exe 2184 bbtbtt.exe 2568 048866.exe 2416 5lxxflr.exe 1184 btnnhn.exe 2052 6080224.exe 1544 i862468.exe 1824 lfxfrrf.exe 1748 djdvd.exe 1920 1pvdv.exe 1956 7vpvd.exe 952 7vdvj.exe 1976 88260.exe 2348 btntnh.exe 2536 08000.exe 1656 nhthth.exe 2504 42046.exe 2976 2028444.exe 2152 206666.exe 1592 pjvdp.exe 2488 6464482.exe 3036 6806606.exe 2252 m6484.exe 2776 frlrxrx.exe 2816 hbtbnn.exe 2824 frrflfl.exe 2784 c080220.exe 3012 20846.exe 2932 g0888.exe 2676 864406.exe 3056 xlxxxrr.exe 2180 4864660.exe 2072 lxllfrr.exe 2364 ttnnhh.exe 3040 rlxlxfr.exe 2376 6602686.exe 2248 0428446.exe 1880 42668.exe 1184 4846842.exe 844 42068.exe 2336 5rrfrxx.exe 1456 llxxlll.exe 1684 g2046.exe 1828 tnbntt.exe 1800 tnbbht.exe 2112 4806442.exe 2408 hnhtht.exe 2008 c640880.exe 880 lllfxfx.exe 952 0824064.exe 1976 k20466.exe -
resource yara_rule behavioral1/memory/2132-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-199-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/1748-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-292-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2252-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-339-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2824-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-675-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2424-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-899-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-961-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-1103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-1123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-1157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-1244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-1251-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1httnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c202460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2508 2132 533c971a93c68cc2acd4d805306c1d7c37217abb3582210de44923afb5ce0bb0.exe 30 PID 2132 wrote to memory of 2508 2132 533c971a93c68cc2acd4d805306c1d7c37217abb3582210de44923afb5ce0bb0.exe 30 PID 2132 wrote to memory of 2508 2132 533c971a93c68cc2acd4d805306c1d7c37217abb3582210de44923afb5ce0bb0.exe 30 PID 2132 wrote to memory of 2508 2132 533c971a93c68cc2acd4d805306c1d7c37217abb3582210de44923afb5ce0bb0.exe 30 PID 2508 wrote to memory of 1048 2508 jpdjp.exe 31 PID 2508 wrote to memory of 1048 2508 jpdjp.exe 31 PID 2508 wrote to memory of 1048 2508 jpdjp.exe 31 PID 2508 wrote to memory of 1048 2508 jpdjp.exe 31 PID 1048 wrote to memory of 3036 1048 btttnb.exe 32 PID 1048 wrote to memory of 3036 1048 btttnb.exe 32 PID 1048 wrote to memory of 3036 1048 btttnb.exe 32 PID 1048 wrote to memory of 3036 1048 btttnb.exe 32 PID 3036 wrote to memory of 1308 3036 lfxxfxf.exe 33 PID 3036 wrote to memory of 1308 3036 lfxxfxf.exe 33 PID 3036 wrote to memory of 1308 3036 lfxxfxf.exe 33 PID 3036 wrote to memory of 1308 3036 lfxxfxf.exe 33 PID 1308 wrote to memory of 2312 1308 9xrrxfl.exe 34 PID 1308 wrote to memory of 2312 1308 9xrrxfl.exe 34 PID 1308 wrote to memory of 2312 1308 9xrrxfl.exe 34 PID 1308 wrote to memory of 2312 1308 9xrrxfl.exe 34 PID 2312 wrote to memory of 2908 2312 jdpvd.exe 35 PID 2312 wrote to memory of 2908 2312 jdpvd.exe 35 PID 2312 wrote to memory of 2908 2312 jdpvd.exe 35 PID 2312 wrote to memory of 2908 2312 jdpvd.exe 35 PID 2908 wrote to memory of 2820 2908 dvvdp.exe 36 PID 2908 wrote to memory of 2820 2908 dvvdp.exe 36 PID 2908 wrote to memory of 2820 2908 dvvdp.exe 36 PID 2908 wrote to memory of 2820 2908 dvvdp.exe 36 PID 2820 wrote to memory of 3000 2820 868466.exe 37 PID 2820 wrote to memory of 3000 2820 868466.exe 37 PID 2820 wrote to memory of 3000 2820 868466.exe 37 PID 2820 wrote to memory of 3000 2820 868466.exe 37 PID 3000 wrote to memory of 2428 3000 48020.exe 38 PID 3000 wrote to 
memory of 2428 3000 48020.exe 38 PID 3000 wrote to memory of 2428 3000 48020.exe 38 PID 3000 wrote to memory of 2428 3000 48020.exe 38 PID 2428 wrote to memory of 2832 2428 nhtthh.exe 39 PID 2428 wrote to memory of 2832 2428 nhtthh.exe 39 PID 2428 wrote to memory of 2832 2428 nhtthh.exe 39 PID 2428 wrote to memory of 2832 2428 nhtthh.exe 39 PID 2832 wrote to memory of 2680 2832 7hbbhh.exe 40 PID 2832 wrote to memory of 2680 2832 7hbbhh.exe 40 PID 2832 wrote to memory of 2680 2832 7hbbhh.exe 40 PID 2832 wrote to memory of 2680 2832 7hbbhh.exe 40 PID 2680 wrote to memory of 3044 2680 8262880.exe 41 PID 2680 wrote to memory of 3044 2680 8262880.exe 41 PID 2680 wrote to memory of 3044 2680 8262880.exe 41 PID 2680 wrote to memory of 3044 2680 8262880.exe 41 PID 3044 wrote to memory of 2256 3044 04846.exe 42 PID 3044 wrote to memory of 2256 3044 04846.exe 42 PID 3044 wrote to memory of 2256 3044 04846.exe 42 PID 3044 wrote to memory of 2256 3044 04846.exe 42 PID 2256 wrote to memory of 2392 2256 hhhhnn.exe 43 PID 2256 wrote to memory of 2392 2256 hhhhnn.exe 43 PID 2256 wrote to memory of 2392 2256 hhhhnn.exe 43 PID 2256 wrote to memory of 2392 2256 hhhhnn.exe 43 PID 2392 wrote to memory of 2184 2392 vpjjp.exe 44 PID 2392 wrote to memory of 2184 2392 vpjjp.exe 44 PID 2392 wrote to memory of 2184 2392 vpjjp.exe 44 PID 2392 wrote to memory of 2184 2392 vpjjp.exe 44 PID 2184 wrote to memory of 2568 2184 bbtbtt.exe 45 PID 2184 wrote to memory of 2568 2184 bbtbtt.exe 45 PID 2184 wrote to memory of 2568 2184 bbtbtt.exe 45 PID 2184 wrote to memory of 2568 2184 bbtbtt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\533c971a93c68cc2acd4d805306c1d7c37217abb3582210de44923afb5ce0bb0.exe"C:\Users\Admin\AppData\Local\Temp\533c971a93c68cc2acd4d805306c1d7c37217abb3582210de44923afb5ce0bb0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\jpdjp.exec:\jpdjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\btttnb.exec:\btttnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\lfxxfxf.exec:\lfxxfxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\9xrrxfl.exec:\9xrrxfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\jdpvd.exec:\jdpvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\dvvdp.exec:\dvvdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\868466.exec:\868466.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\48020.exec:\48020.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\nhtthh.exec:\nhtthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\7hbbhh.exec:\7hbbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\8262880.exec:\8262880.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\04846.exec:\04846.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\hhhhnn.exec:\hhhhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\vpjjp.exec:\vpjjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\bbtbtt.exec:\bbtbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\048866.exec:\048866.exe17⤵
- Executes dropped EXE
PID:2568 -
\??\c:\5lxxflr.exec:\5lxxflr.exe18⤵
- Executes dropped EXE
PID:2416 -
\??\c:\btnnhn.exec:\btnnhn.exe19⤵
- Executes dropped EXE
PID:1184 -
\??\c:\6080224.exec:\6080224.exe20⤵
- Executes dropped EXE
PID:2052 -
\??\c:\i862468.exec:\i862468.exe21⤵
- Executes dropped EXE
PID:1544 -
\??\c:\lfxfrrf.exec:\lfxfrrf.exe22⤵
- Executes dropped EXE
PID:1824 -
\??\c:\djdvd.exec:\djdvd.exe23⤵
- Executes dropped EXE
PID:1748 -
\??\c:\1pvdv.exec:\1pvdv.exe24⤵
- Executes dropped EXE
PID:1920 -
\??\c:\7vpvd.exec:\7vpvd.exe25⤵
- Executes dropped EXE
PID:1956 -
\??\c:\7vdvj.exec:\7vdvj.exe26⤵
- Executes dropped EXE
PID:952 -
\??\c:\88260.exec:\88260.exe27⤵
- Executes dropped EXE
PID:1976 -
\??\c:\btntnh.exec:\btntnh.exe28⤵
- Executes dropped EXE
PID:2348 -
\??\c:\08000.exec:\08000.exe29⤵
- Executes dropped EXE
PID:2536 -
\??\c:\nhthth.exec:\nhthth.exe30⤵
- Executes dropped EXE
PID:1656 -
\??\c:\42046.exec:\42046.exe31⤵
- Executes dropped EXE
PID:2504 -
\??\c:\2028444.exec:\2028444.exe32⤵
- Executes dropped EXE
PID:2976 -
\??\c:\206666.exec:\206666.exe33⤵
- Executes dropped EXE
PID:2152 -
\??\c:\pjvdp.exec:\pjvdp.exe34⤵
- Executes dropped EXE
PID:1592 -
\??\c:\6464482.exec:\6464482.exe35⤵
- Executes dropped EXE
PID:2488 -
\??\c:\6806606.exec:\6806606.exe36⤵
- Executes dropped EXE
PID:3036 -
\??\c:\m6484.exec:\m6484.exe37⤵
- Executes dropped EXE
PID:2252 -
\??\c:\frlrxrx.exec:\frlrxrx.exe38⤵
- Executes dropped EXE
PID:2776 -
\??\c:\hbtbnn.exec:\hbtbnn.exe39⤵
- Executes dropped EXE
PID:2816 -
\??\c:\frrflfl.exec:\frrflfl.exe40⤵
- Executes dropped EXE
PID:2824 -
\??\c:\c080220.exec:\c080220.exe41⤵
- Executes dropped EXE
PID:2784 -
\??\c:\20846.exec:\20846.exe42⤵
- Executes dropped EXE
PID:3012 -
\??\c:\g0888.exec:\g0888.exe43⤵
- Executes dropped EXE
PID:2932 -
\??\c:\864406.exec:\864406.exe44⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xlxxxrr.exec:\xlxxxrr.exe45⤵
- Executes dropped EXE
PID:3056 -
\??\c:\4864660.exec:\4864660.exe46⤵
- Executes dropped EXE
PID:2180 -
\??\c:\lxllfrr.exec:\lxllfrr.exe47⤵
- Executes dropped EXE
PID:2072 -
\??\c:\ttnnhh.exec:\ttnnhh.exe48⤵
- Executes dropped EXE
PID:2364 -
\??\c:\rlxlxfr.exec:\rlxlxfr.exe49⤵
- Executes dropped EXE
PID:3040 -
\??\c:\6602686.exec:\6602686.exe50⤵
- Executes dropped EXE
PID:2376 -
\??\c:\0428446.exec:\0428446.exe51⤵
- Executes dropped EXE
PID:2248 -
\??\c:\42668.exec:\42668.exe52⤵
- Executes dropped EXE
PID:1880 -
\??\c:\4846842.exec:\4846842.exe53⤵
- Executes dropped EXE
PID:1184 -
\??\c:\42068.exec:\42068.exe54⤵
- Executes dropped EXE
PID:844 -
\??\c:\5rrfrxx.exec:\5rrfrxx.exe55⤵
- Executes dropped EXE
PID:2336 -
\??\c:\llxxlll.exec:\llxxlll.exe56⤵
- Executes dropped EXE
PID:1456 -
\??\c:\g2046.exec:\g2046.exe57⤵
- Executes dropped EXE
PID:1684 -
\??\c:\tnbntt.exec:\tnbntt.exe58⤵
- Executes dropped EXE
PID:1828 -
\??\c:\tnbbht.exec:\tnbbht.exe59⤵
- Executes dropped EXE
PID:1800 -
\??\c:\4806442.exec:\4806442.exe60⤵
- Executes dropped EXE
PID:2112 -
\??\c:\hnhtht.exec:\hnhtht.exe61⤵
- Executes dropped EXE
PID:2408 -
\??\c:\c640880.exec:\c640880.exe62⤵
- Executes dropped EXE
PID:2008 -
\??\c:\lllfxfx.exec:\lllfxfx.exe63⤵
- Executes dropped EXE
PID:880 -
\??\c:\0824064.exec:\0824064.exe64⤵
- Executes dropped EXE
PID:952 -
\??\c:\k20466.exec:\k20466.exe65⤵
- Executes dropped EXE
PID:1976 -
\??\c:\ppppp.exec:\ppppp.exe66⤵
- System Location Discovery: System Language Discovery
PID:2884 -
\??\c:\btnbhh.exec:\btnbhh.exe67⤵PID:908
-
\??\c:\62644.exec:\62644.exe68⤵PID:700
-
\??\c:\04020.exec:\04020.exe69⤵PID:2860
-
\??\c:\60462.exec:\60462.exe70⤵PID:2996
-
\??\c:\1htbbh.exec:\1htbbh.exe71⤵PID:2508
-
\??\c:\hnbnhn.exec:\hnbnhn.exe72⤵PID:1616
-
\??\c:\tnbhnt.exec:\tnbhnt.exe73⤵PID:2988
-
\??\c:\424400.exec:\424400.exe74⤵PID:1628
-
\??\c:\6084002.exec:\6084002.exe75⤵PID:2948
-
\??\c:\jpjdj.exec:\jpjdj.exe76⤵PID:3036
-
\??\c:\64880.exec:\64880.exe77⤵
- System Location Discovery: System Language Discovery
PID:2924 -
\??\c:\s2028.exec:\s2028.exe78⤵PID:2776
-
\??\c:\ppppd.exec:\ppppd.exe79⤵PID:2908
-
\??\c:\7bthnb.exec:\7bthnb.exe80⤵PID:648
-
\??\c:\g0846.exec:\g0846.exe81⤵PID:2784
-
\??\c:\1pddp.exec:\1pddp.exe82⤵PID:2780
-
\??\c:\s0842.exec:\s0842.exe83⤵PID:2832
-
\??\c:\3rlrxff.exec:\3rlrxff.exe84⤵PID:2740
-
\??\c:\7rfrlrr.exec:\7rfrlrr.exe85⤵PID:2328
-
\??\c:\0462820.exec:\0462820.exe86⤵PID:2692
-
\??\c:\lxxxrxf.exec:\lxxxrxf.exe87⤵PID:2180
-
\??\c:\9lllflr.exec:\9lllflr.exe88⤵PID:2072
-
\??\c:\u084046.exec:\u084046.exe89⤵PID:2364
-
\??\c:\xrlxllf.exec:\xrlxllf.exe90⤵PID:2104
-
\??\c:\ttthtn.exec:\ttthtn.exe91⤵PID:1632
-
\??\c:\s2000.exec:\s2000.exe92⤵PID:2248
-
\??\c:\rfxllfl.exec:\rfxllfl.exe93⤵PID:1880
-
\??\c:\0084406.exec:\0084406.exe94⤵PID:1184
-
\??\c:\bhttbt.exec:\bhttbt.exe95⤵PID:2452
-
\??\c:\086228.exec:\086228.exe96⤵PID:1156
-
\??\c:\08406.exec:\08406.exe97⤵PID:2424
-
\??\c:\5frlrll.exec:\5frlrll.exe98⤵PID:1256
-
\??\c:\s4628.exec:\s4628.exe99⤵PID:2056
-
\??\c:\k02288.exec:\k02288.exe100⤵PID:1800
-
\??\c:\dpddv.exec:\dpddv.exe101⤵PID:2068
-
\??\c:\fllrrrr.exec:\fllrrrr.exe102⤵PID:2408
-
\??\c:\w26848.exec:\w26848.exe103⤵PID:1120
-
\??\c:\e08284.exec:\e08284.exe104⤵PID:1716
-
\??\c:\08066.exec:\08066.exe105⤵PID:848
-
\??\c:\204084.exec:\204084.exe106⤵PID:2560
-
\??\c:\jpdvv.exec:\jpdvv.exe107⤵PID:1888
-
\??\c:\hbtbbt.exec:\hbtbbt.exe108⤵PID:2736
-
\??\c:\486666.exec:\486666.exe109⤵PID:2980
-
\??\c:\2084001.exec:\2084001.exe110⤵PID:2540
-
\??\c:\jdppv.exec:\jdppv.exe111⤵PID:2616
-
\??\c:\08620.exec:\08620.exe112⤵PID:2504
-
\??\c:\nhtttn.exec:\nhtttn.exe113⤵PID:3064
-
\??\c:\24420.exec:\24420.exe114⤵PID:1740
-
\??\c:\a0846.exec:\a0846.exe115⤵PID:1624
-
\??\c:\w08488.exec:\w08488.exe116⤵PID:2768
-
\??\c:\i446442.exec:\i446442.exe117⤵PID:1048
-
\??\c:\btbhnt.exec:\btbhnt.exe118⤵PID:2948
-
\??\c:\7tntbh.exec:\7tntbh.exe119⤵PID:3036
-
\??\c:\3jdpp.exec:\3jdpp.exe120⤵PID:2928
-
\??\c:\bbbbnn.exec:\bbbbnn.exe121⤵PID:2800
-
\??\c:\nnbhbh.exec:\nnbhbh.exe122⤵PID:2464