Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
25-12-2024 17:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
91bde3be8ab2b3014191ea5095f79e306739cfe5b953eb0e3bced36d75256663.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
91bde3be8ab2b3014191ea5095f79e306739cfe5b953eb0e3bced36d75256663.exe
-
Size
456KB
-
MD5
e01d204123035678471348998c5733e5
-
SHA1
f11e6158e6621bb4bdfc232ac564cbf64153b5f9
-
SHA256
91bde3be8ab2b3014191ea5095f79e306739cfe5b953eb0e3bced36d75256663
-
SHA512
75659ef95524bc261d66b2473e4654bfda6c6bfdeb6c67fff98394d3c86ce17c8d4f448d3cd760046e4127fd4e30c31276bcb3ba36d64e341eab56d908d0debd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRC:q7Tc2NYHUrAwfMp3CDRC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2444-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-23-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1948-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-132-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2332-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-137-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2992-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-171-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-190-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2084-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/700-209-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/700-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-231-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2164-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/716-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/608-384-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/608-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/608-390-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/884-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-573-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2140-612-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1908-624-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2192-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-910-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-982-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1296-995-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2292-1080-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2488-1152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2584 1jpvv.exe 1948 60840.exe 2140 7tnbhh.exe 2808 c684444.exe 2952 djpdd.exe 2820 9pddj.exe 2732 nbnnhh.exe 2816 5vjpv.exe 2720 dvdvd.exe 1924 nnbbbh.exe 1824 9vpvp.exe 1508 c806228.exe 2332 08044.exe 2992 nbnhhh.exe 3016 2022446.exe 1296 3nbntt.exe 2932 pjpjp.exe 2804 20606.exe 2596 lfxxfll.exe 2084 640666.exe 1800 vvjvd.exe 700 2064488.exe 2152 c084624.exe 2224 1tbttt.exe 2164 vpjvj.exe 1968 fxllrrx.exe 2284 482422.exe 2092 vvjpv.exe 716 86840.exe 1036 q68226.exe 892 26064.exe 1076 e64062.exe 2592 o828664.exe 320 m2826.exe 2468 3hhhhb.exe 2512 dvvpv.exe 2844 bhnntn.exe 2968 hbnntt.exe 2852 5lrlrll.exe 2564 xlflxfr.exe 2116 dppvv.exe 2356 202222.exe 2392 rxfxfxf.exe 2748 q20686.exe 2704 3jddd.exe 608 42428.exe 1924 5vjvv.exe 884 084664.exe 1532 4888202.exe 568 824462.exe 3000 s2422.exe 1748 pdppv.exe 3024 rrxlrlr.exe 796 bthnbh.exe 1500 5jjvv.exe 2932 frfxxrx.exe 2188 868882.exe 2556 o444628.exe 2596 nnttbt.exe 2084 628866.exe 1168 42840.exe 2252 c006284.exe 1976 42020.exe 2532 48006.exe -
resource yara_rule behavioral1/memory/2444-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-43-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2808-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-233-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2164-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/716-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/608-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-573-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/484-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-736-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2640-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/716-848-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/3048-903-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-910-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-950-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-1015-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-1053-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-1115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-1152-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w08226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0488002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4266262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w20000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxxf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2444 wrote to memory of 2584 2444 91bde3be8ab2b3014191ea5095f79e306739cfe5b953eb0e3bced36d75256663.exe 30 PID 2444 wrote to memory of 2584 2444 91bde3be8ab2b3014191ea5095f79e306739cfe5b953eb0e3bced36d75256663.exe 30 PID 2444 wrote to memory of 2584 2444 91bde3be8ab2b3014191ea5095f79e306739cfe5b953eb0e3bced36d75256663.exe 30 PID 2444 wrote to memory of 2584 2444 91bde3be8ab2b3014191ea5095f79e306739cfe5b953eb0e3bced36d75256663.exe 30 PID 2584 wrote to memory of 1948 2584 1jpvv.exe 31 PID 2584 wrote to memory of 1948 2584 1jpvv.exe 31 PID 2584 wrote to memory of 1948 2584 1jpvv.exe 31 PID 2584 wrote to memory of 1948 2584 1jpvv.exe 31 PID 1948 wrote to memory of 2140 1948 60840.exe 32 PID 1948 wrote to memory of 2140 1948 60840.exe 32 PID 1948 wrote to memory of 2140 1948 60840.exe 32 PID 1948 wrote to memory of 2140 1948 60840.exe 32 PID 2140 wrote to memory of 2808 2140 7tnbhh.exe 33 PID 2140 wrote to memory of 2808 2140 7tnbhh.exe 33 PID 2140 wrote to memory of 2808 2140 7tnbhh.exe 33 PID 2140 wrote to memory of 2808 2140 7tnbhh.exe 33 PID 2808 wrote to memory of 2952 2808 c684444.exe 34 PID 2808 wrote to memory of 2952 2808 c684444.exe 34 PID 2808 wrote to memory of 2952 2808 c684444.exe 34 PID 2808 wrote to memory of 2952 2808 c684444.exe 34 PID 2952 wrote to memory of 2820 2952 djpdd.exe 35 PID 2952 wrote to memory of 2820 2952 djpdd.exe 35 PID 2952 wrote to memory of 2820 2952 djpdd.exe 35 PID 2952 wrote to memory of 2820 2952 djpdd.exe 35 PID 2820 wrote to memory of 2732 2820 9pddj.exe 36 PID 2820 wrote to memory of 2732 2820 9pddj.exe 36 PID 2820 wrote to memory of 2732 2820 9pddj.exe 36 PID 2820 wrote to memory of 2732 2820 9pddj.exe 36 PID 2732 wrote to memory of 2816 2732 nbnnhh.exe 37 PID 2732 wrote to memory of 2816 2732 nbnnhh.exe 37 PID 2732 wrote to memory of 2816 2732 nbnnhh.exe 37 PID 2732 wrote to memory of 2816 2732 nbnnhh.exe 37 PID 2816 wrote to memory of 2720 2816 5vjpv.exe 38 PID 2816 wrote to memory 
of 2720 2816 5vjpv.exe 38 PID 2816 wrote to memory of 2720 2816 5vjpv.exe 38 PID 2816 wrote to memory of 2720 2816 5vjpv.exe 38 PID 2720 wrote to memory of 1924 2720 dvdvd.exe 39 PID 2720 wrote to memory of 1924 2720 dvdvd.exe 39 PID 2720 wrote to memory of 1924 2720 dvdvd.exe 39 PID 2720 wrote to memory of 1924 2720 dvdvd.exe 39 PID 1924 wrote to memory of 1824 1924 nnbbbh.exe 40 PID 1924 wrote to memory of 1824 1924 nnbbbh.exe 40 PID 1924 wrote to memory of 1824 1924 nnbbbh.exe 40 PID 1924 wrote to memory of 1824 1924 nnbbbh.exe 40 PID 1824 wrote to memory of 1508 1824 9vpvp.exe 41 PID 1824 wrote to memory of 1508 1824 9vpvp.exe 41 PID 1824 wrote to memory of 1508 1824 9vpvp.exe 41 PID 1824 wrote to memory of 1508 1824 9vpvp.exe 41 PID 1508 wrote to memory of 2332 1508 c806228.exe 42 PID 1508 wrote to memory of 2332 1508 c806228.exe 42 PID 1508 wrote to memory of 2332 1508 c806228.exe 42 PID 1508 wrote to memory of 2332 1508 c806228.exe 42 PID 2332 wrote to memory of 2992 2332 08044.exe 43 PID 2332 wrote to memory of 2992 2332 08044.exe 43 PID 2332 wrote to memory of 2992 2332 08044.exe 43 PID 2332 wrote to memory of 2992 2332 08044.exe 43 PID 2992 wrote to memory of 3016 2992 nbnhhh.exe 44 PID 2992 wrote to memory of 3016 2992 nbnhhh.exe 44 PID 2992 wrote to memory of 3016 2992 nbnhhh.exe 44 PID 2992 wrote to memory of 3016 2992 nbnhhh.exe 44 PID 3016 wrote to memory of 1296 3016 2022446.exe 45 PID 3016 wrote to memory of 1296 3016 2022446.exe 45 PID 3016 wrote to memory of 1296 3016 2022446.exe 45 PID 3016 wrote to memory of 1296 3016 2022446.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\91bde3be8ab2b3014191ea5095f79e306739cfe5b953eb0e3bced36d75256663.exe"C:\Users\Admin\AppData\Local\Temp\91bde3be8ab2b3014191ea5095f79e306739cfe5b953eb0e3bced36d75256663.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\1jpvv.exec:\1jpvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\60840.exec:\60840.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\7tnbhh.exec:\7tnbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\c684444.exec:\c684444.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\djpdd.exec:\djpdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\9pddj.exec:\9pddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\nbnnhh.exec:\nbnnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\5vjpv.exec:\5vjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\dvdvd.exec:\dvdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\nnbbbh.exec:\nnbbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\9vpvp.exec:\9vpvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\c806228.exec:\c806228.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\08044.exec:\08044.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\nbnhhh.exec:\nbnhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\2022446.exec:\2022446.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\3nbntt.exec:\3nbntt.exe17⤵
- Executes dropped EXE
PID:1296 -
\??\c:\pjpjp.exec:\pjpjp.exe18⤵
- Executes dropped EXE
PID:2932 -
\??\c:\20606.exec:\20606.exe19⤵
- Executes dropped EXE
PID:2804 -
\??\c:\lfxxfll.exec:\lfxxfll.exe20⤵
- Executes dropped EXE
PID:2596 -
\??\c:\640666.exec:\640666.exe21⤵
- Executes dropped EXE
PID:2084 -
\??\c:\vvjvd.exec:\vvjvd.exe22⤵
- Executes dropped EXE
PID:1800 -
\??\c:\2064488.exec:\2064488.exe23⤵
- Executes dropped EXE
PID:700 -
\??\c:\c084624.exec:\c084624.exe24⤵
- Executes dropped EXE
PID:2152 -
\??\c:\1tbttt.exec:\1tbttt.exe25⤵
- Executes dropped EXE
PID:2224 -
\??\c:\vpjvj.exec:\vpjvj.exe26⤵
- Executes dropped EXE
PID:2164 -
\??\c:\fxllrrx.exec:\fxllrrx.exe27⤵
- Executes dropped EXE
PID:1968 -
\??\c:\482422.exec:\482422.exe28⤵
- Executes dropped EXE
PID:2284 -
\??\c:\vvjpv.exec:\vvjpv.exe29⤵
- Executes dropped EXE
PID:2092 -
\??\c:\86840.exec:\86840.exe30⤵
- Executes dropped EXE
PID:716 -
\??\c:\q68226.exec:\q68226.exe31⤵
- Executes dropped EXE
PID:1036 -
\??\c:\26064.exec:\26064.exe32⤵
- Executes dropped EXE
PID:892 -
\??\c:\e64062.exec:\e64062.exe33⤵
- Executes dropped EXE
PID:1076 -
\??\c:\o828664.exec:\o828664.exe34⤵
- Executes dropped EXE
PID:2592 -
\??\c:\m2826.exec:\m2826.exe35⤵
- Executes dropped EXE
PID:320 -
\??\c:\3hhhhb.exec:\3hhhhb.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468 -
\??\c:\dvvpv.exec:\dvvpv.exe37⤵
- Executes dropped EXE
PID:2512 -
\??\c:\bhnntn.exec:\bhnntn.exe38⤵
- Executes dropped EXE
PID:2844 -
\??\c:\hbnntt.exec:\hbnntt.exe39⤵
- Executes dropped EXE
PID:2968 -
\??\c:\5lrlrll.exec:\5lrlrll.exe40⤵
- Executes dropped EXE
PID:2852 -
\??\c:\xlflxfr.exec:\xlflxfr.exe41⤵
- Executes dropped EXE
PID:2564 -
\??\c:\dppvv.exec:\dppvv.exe42⤵
- Executes dropped EXE
PID:2116 -
\??\c:\202222.exec:\202222.exe43⤵
- Executes dropped EXE
PID:2356 -
\??\c:\rxfxfxf.exec:\rxfxfxf.exe44⤵
- Executes dropped EXE
PID:2392 -
\??\c:\q20686.exec:\q20686.exe45⤵
- Executes dropped EXE
PID:2748 -
\??\c:\3jddd.exec:\3jddd.exe46⤵
- Executes dropped EXE
PID:2704 -
\??\c:\42428.exec:\42428.exe47⤵
- Executes dropped EXE
PID:608 -
\??\c:\5vjvv.exec:\5vjvv.exe48⤵
- Executes dropped EXE
PID:1924 -
\??\c:\084664.exec:\084664.exe49⤵
- Executes dropped EXE
PID:884 -
\??\c:\4888202.exec:\4888202.exe50⤵
- Executes dropped EXE
PID:1532 -
\??\c:\824462.exec:\824462.exe51⤵
- Executes dropped EXE
PID:568 -
\??\c:\s2422.exec:\s2422.exe52⤵
- Executes dropped EXE
PID:3000 -
\??\c:\pdppv.exec:\pdppv.exe53⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rrxlrlr.exec:\rrxlrlr.exe54⤵
- Executes dropped EXE
PID:3024 -
\??\c:\bthnbh.exec:\bthnbh.exe55⤵
- Executes dropped EXE
PID:796 -
\??\c:\5jjvv.exec:\5jjvv.exe56⤵
- Executes dropped EXE
PID:1500 -
\??\c:\frfxxrx.exec:\frfxxrx.exe57⤵
- Executes dropped EXE
PID:2932 -
\??\c:\868882.exec:\868882.exe58⤵
- Executes dropped EXE
PID:2188 -
\??\c:\o444628.exec:\o444628.exe59⤵
- Executes dropped EXE
PID:2556 -
\??\c:\nnttbt.exec:\nnttbt.exe60⤵
- Executes dropped EXE
PID:2596 -
\??\c:\628866.exec:\628866.exe61⤵
- Executes dropped EXE
PID:2084 -
\??\c:\42840.exec:\42840.exe62⤵
- Executes dropped EXE
PID:1168 -
\??\c:\c006284.exec:\c006284.exe63⤵
- Executes dropped EXE
PID:2252 -
\??\c:\42020.exec:\42020.exe64⤵
- Executes dropped EXE
PID:1976 -
\??\c:\48006.exec:\48006.exe65⤵
- Executes dropped EXE
PID:2532 -
\??\c:\680666.exec:\680666.exe66⤵PID:1524
-
\??\c:\vpjjv.exec:\vpjjv.exe67⤵PID:1060
-
\??\c:\hthnnn.exec:\hthnnn.exe68⤵PID:772
-
\??\c:\5nhhtb.exec:\5nhhtb.exe69⤵PID:960
-
\??\c:\g2822.exec:\g2822.exe70⤵PID:2460
-
\??\c:\ddppv.exec:\ddppv.exe71⤵PID:2196
-
\??\c:\fxfrxxf.exec:\fxfrxxf.exe72⤵PID:2420
-
\??\c:\48646.exec:\48646.exe73⤵PID:1348
-
\??\c:\thnhhb.exec:\thnhhb.exe74⤵PID:2200
-
\??\c:\8266228.exec:\8266228.exe75⤵PID:892
-
\??\c:\824466.exec:\824466.exe76⤵PID:2024
-
\??\c:\4266262.exec:\4266262.exe77⤵
- System Location Discovery: System Language Discovery
PID:484 -
\??\c:\20040.exec:\20040.exe78⤵PID:1592
-
\??\c:\8644628.exec:\8644628.exe79⤵PID:2540
-
\??\c:\btnhnn.exec:\btnhnn.exe80⤵PID:2248
-
\??\c:\486624.exec:\486624.exe81⤵PID:2140
-
\??\c:\frxxfxf.exec:\frxxfxf.exe82⤵PID:2860
-
\??\c:\824028.exec:\824028.exe83⤵PID:1908
-
\??\c:\08062.exec:\08062.exe84⤵PID:2296
-
\??\c:\tnbhth.exec:\tnbhth.exe85⤵
- System Location Discovery: System Language Discovery
PID:2740 -
\??\c:\frxrrrf.exec:\frxrrrf.exe86⤵PID:2760
-
\??\c:\04686.exec:\04686.exe87⤵PID:2392
-
\??\c:\42888.exec:\42888.exe88⤵PID:1936
-
\??\c:\hbbbnn.exec:\hbbbnn.exe89⤵PID:2704
-
\??\c:\424688.exec:\424688.exe90⤵PID:608
-
\??\c:\bththh.exec:\bththh.exe91⤵PID:2412
-
\??\c:\vjvvd.exec:\vjvvd.exe92⤵PID:2352
-
\??\c:\k64466.exec:\k64466.exe93⤵PID:2324
-
\??\c:\3dpvd.exec:\3dpvd.exe94⤵PID:2928
-
\??\c:\8648440.exec:\8648440.exe95⤵PID:2992
-
\??\c:\llxffrf.exec:\llxffrf.exe96⤵PID:2884
-
\??\c:\dvvvj.exec:\dvvvj.exe97⤵PID:2112
-
\??\c:\04880.exec:\04880.exe98⤵PID:1884
-
\??\c:\ppjjp.exec:\ppjjp.exe99⤵PID:2192
-
\??\c:\7ntnnn.exec:\7ntnnn.exe100⤵PID:1028
-
\??\c:\448848.exec:\448848.exe101⤵PID:2080
-
\??\c:\422840.exec:\422840.exe102⤵PID:2464
-
\??\c:\82400.exec:\82400.exe103⤵PID:2640
-
\??\c:\646288.exec:\646288.exe104⤵PID:1840
-
\??\c:\82622.exec:\82622.exe105⤵PID:1800
-
\??\c:\w46040.exec:\w46040.exe106⤵PID:1764
-
\??\c:\04224.exec:\04224.exe107⤵PID:992
-
\??\c:\7dvvp.exec:\7dvvp.exe108⤵PID:2892
-
\??\c:\rrllxlx.exec:\rrllxlx.exe109⤵PID:292
-
\??\c:\lfffxfx.exec:\lfffxfx.exe110⤵PID:916
-
\??\c:\0446408.exec:\0446408.exe111⤵PID:1716
-
\??\c:\864282.exec:\864282.exe112⤵PID:772
-
\??\c:\xfxxflx.exec:\xfxxflx.exe113⤵PID:1776
-
\??\c:\rlfrflx.exec:\rlfrflx.exe114⤵PID:2092
-
\??\c:\o668068.exec:\o668068.exe115⤵PID:716
-
\??\c:\btnbhn.exec:\btnbhn.exe116⤵PID:1068
-
\??\c:\48002.exec:\48002.exe117⤵PID:1584
-
\??\c:\424024.exec:\424024.exe118⤵PID:788
-
\??\c:\vddjv.exec:\vddjv.exe119⤵PID:2528
-
\??\c:\04846.exec:\04846.exe120⤵PID:2052
-
\??\c:\480686.exec:\480686.exe121⤵PID:1588
-
\??\c:\nbtttt.exec:\nbtttt.exe122⤵PID:1948