Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 19:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c1586964fe5de79aa8c74f25f6eb4d71602c555fb0002cb86ef4ebce361b6bd1N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c1586964fe5de79aa8c74f25f6eb4d71602c555fb0002cb86ef4ebce361b6bd1N.exe
-
Size
453KB
-
MD5
6e059c89ad572569048ba3f21e1f1eb0
-
SHA1
918edc55bd6d5ec9e375d91071156e4b3b5be265
-
SHA256
c1586964fe5de79aa8c74f25f6eb4d71602c555fb0002cb86ef4ebce361b6bd1
-
SHA512
2ba0d70b2571d2b0281ad24678033dd8e4b3f73a7196386b54dd455f0702f0f89d8a3cbac81deb807354018aa9745d7254da55b0fc641d40e113071d1cc5954a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2348-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-38-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1144-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-68-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2764-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-171-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/3028-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3024-215-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/948-229-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1712-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/984-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-258-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2292-272-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/808-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-585-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2044-593-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2708-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-754-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/484-1102-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/2556-1133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-1134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2348 vdvdv.exe 2524 002200.exe 2252 ddjdj.exe 1144 8426484.exe 2808 dvpvj.exe 2764 86068.exe 2940 08008.exe 2928 ththnh.exe 2112 w64028.exe 2792 htbbnb.exe 2616 nbnhhn.exe 1380 jvpvv.exe 2956 264028.exe 2608 4840662.exe 1504 ppjvv.exe 2288 5jpvp.exe 1424 5vdvp.exe 3012 04268.exe 3028 8206280.exe 2576 lxllrrl.exe 2272 8688046.exe 852 vvjdj.exe 3024 xrrfxfx.exe 948 jdpvj.exe 984 m2488.exe 1712 862844.exe 1572 dvvdp.exe 1048 088406.exe 2292 48282.exe 808 3frfrxl.exe 888 5rfrflf.exe 2216 0488280.exe 1588 nnbhtb.exe 2064 bbhnbb.exe 2520 hhbhnt.exe 2524 lffxfll.exe 2468 rxlxffr.exe 2420 ntnbhn.exe 1848 3bnntb.exe 2752 20828.exe 2892 662086.exe 2896 fxrrffx.exe 2156 7xlllrx.exe 2784 dvdpj.exe 2908 426466.exe 2664 7rlfrrx.exe 2480 i040280.exe 2700 686244.exe 2680 bbnthh.exe 2712 o824668.exe 2868 3rfflll.exe 1176 dddpd.exe 2356 60846.exe 2076 hhbbnb.exe 1912 ddppv.exe 1964 648028.exe 1764 04020.exe 3016 btbbhh.exe 2060 66460.exe 2452 9thhtb.exe 2024 1jjdp.exe 2128 hbttbb.exe 2160 nnhtth.exe 1564 pvvdj.exe -
resource yara_rule behavioral1/memory/2348-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-38-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1144-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-68-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2764-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-117-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2956-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-171-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/3028-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-215-0x00000000003B0000-0x00000000003DA000-memory.dmp upx 
behavioral1/memory/984-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/984-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-747-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1464-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-943-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-986-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-1083-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-1133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-1134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-1159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-1160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-1179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-1332-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0424664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfflrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4408646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4880442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 442806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2348 2324 c1586964fe5de79aa8c74f25f6eb4d71602c555fb0002cb86ef4ebce361b6bd1N.exe 30 PID 2324 wrote to memory of 2348 2324 c1586964fe5de79aa8c74f25f6eb4d71602c555fb0002cb86ef4ebce361b6bd1N.exe 30 PID 2324 wrote to memory of 2348 2324 c1586964fe5de79aa8c74f25f6eb4d71602c555fb0002cb86ef4ebce361b6bd1N.exe 30 PID 2324 wrote to memory of 2348 2324 c1586964fe5de79aa8c74f25f6eb4d71602c555fb0002cb86ef4ebce361b6bd1N.exe 30 PID 2348 wrote to memory of 2524 2348 vdvdv.exe 31 PID 2348 wrote to memory of 2524 2348 vdvdv.exe 31 PID 2348 wrote to memory of 2524 2348 vdvdv.exe 31 PID 2348 wrote to memory of 2524 2348 vdvdv.exe 31 PID 2524 wrote to memory of 2252 2524 002200.exe 32 PID 2524 wrote to memory of 2252 2524 002200.exe 32 PID 2524 wrote to memory of 2252 2524 002200.exe 32 PID 2524 wrote to memory of 2252 2524 002200.exe 32 PID 2252 wrote to memory of 1144 2252 ddjdj.exe 33 PID 2252 wrote to memory of 1144 2252 ddjdj.exe 33 PID 2252 wrote to memory of 1144 2252 ddjdj.exe 33 PID 2252 wrote to memory of 1144 2252 ddjdj.exe 33 PID 1144 wrote to memory of 2808 1144 8426484.exe 34 PID 1144 wrote to memory of 2808 1144 8426484.exe 34 PID 1144 wrote to memory of 2808 1144 8426484.exe 34 PID 1144 wrote to memory of 2808 1144 8426484.exe 34 PID 2808 wrote to memory of 2764 2808 dvpvj.exe 35 PID 2808 wrote to memory of 2764 2808 dvpvj.exe 35 PID 2808 wrote to memory of 2764 2808 dvpvj.exe 35 PID 2808 wrote to memory of 2764 2808 dvpvj.exe 35 PID 2764 wrote to memory of 2940 2764 86068.exe 36 PID 2764 wrote to memory of 2940 2764 86068.exe 36 PID 2764 wrote to memory of 2940 2764 86068.exe 36 PID 2764 wrote to memory of 2940 2764 86068.exe 36 PID 2940 wrote to memory of 2928 2940 08008.exe 37 PID 2940 wrote to memory of 2928 2940 08008.exe 37 PID 2940 wrote to memory of 2928 2940 08008.exe 37 PID 2940 wrote to memory of 2928 2940 08008.exe 37 PID 2928 wrote to memory of 2112 2928 ththnh.exe 38 PID 2928 wrote to memory 
of 2112 2928 ththnh.exe 38 PID 2928 wrote to memory of 2112 2928 ththnh.exe 38 PID 2928 wrote to memory of 2112 2928 ththnh.exe 38 PID 2112 wrote to memory of 2792 2112 w64028.exe 39 PID 2112 wrote to memory of 2792 2112 w64028.exe 39 PID 2112 wrote to memory of 2792 2112 w64028.exe 39 PID 2112 wrote to memory of 2792 2112 w64028.exe 39 PID 2792 wrote to memory of 2616 2792 htbbnb.exe 40 PID 2792 wrote to memory of 2616 2792 htbbnb.exe 40 PID 2792 wrote to memory of 2616 2792 htbbnb.exe 40 PID 2792 wrote to memory of 2616 2792 htbbnb.exe 40 PID 2616 wrote to memory of 1380 2616 nbnhhn.exe 41 PID 2616 wrote to memory of 1380 2616 nbnhhn.exe 41 PID 2616 wrote to memory of 1380 2616 nbnhhn.exe 41 PID 2616 wrote to memory of 1380 2616 nbnhhn.exe 41 PID 1380 wrote to memory of 2956 1380 jvpvv.exe 42 PID 1380 wrote to memory of 2956 1380 jvpvv.exe 42 PID 1380 wrote to memory of 2956 1380 jvpvv.exe 42 PID 1380 wrote to memory of 2956 1380 jvpvv.exe 42 PID 2956 wrote to memory of 2608 2956 264028.exe 43 PID 2956 wrote to memory of 2608 2956 264028.exe 43 PID 2956 wrote to memory of 2608 2956 264028.exe 43 PID 2956 wrote to memory of 2608 2956 264028.exe 43 PID 2608 wrote to memory of 1504 2608 4840662.exe 44 PID 2608 wrote to memory of 1504 2608 4840662.exe 44 PID 2608 wrote to memory of 1504 2608 4840662.exe 44 PID 2608 wrote to memory of 1504 2608 4840662.exe 44 PID 1504 wrote to memory of 2288 1504 ppjvv.exe 45 PID 1504 wrote to memory of 2288 1504 ppjvv.exe 45 PID 1504 wrote to memory of 2288 1504 ppjvv.exe 45 PID 1504 wrote to memory of 2288 1504 ppjvv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1586964fe5de79aa8c74f25f6eb4d71602c555fb0002cb86ef4ebce361b6bd1N.exe"C:\Users\Admin\AppData\Local\Temp\c1586964fe5de79aa8c74f25f6eb4d71602c555fb0002cb86ef4ebce361b6bd1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\vdvdv.exec:\vdvdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\002200.exec:\002200.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\ddjdj.exec:\ddjdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\8426484.exec:\8426484.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\dvpvj.exec:\dvpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\86068.exec:\86068.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\08008.exec:\08008.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\ththnh.exec:\ththnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\w64028.exec:\w64028.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\htbbnb.exec:\htbbnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\nbnhhn.exec:\nbnhhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\jvpvv.exec:\jvpvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\264028.exec:\264028.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\4840662.exec:\4840662.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\ppjvv.exec:\ppjvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\5jpvp.exec:\5jpvp.exe17⤵
- Executes dropped EXE
PID:2288 -
\??\c:\5vdvp.exec:\5vdvp.exe18⤵
- Executes dropped EXE
PID:1424 -
\??\c:\04268.exec:\04268.exe19⤵
- Executes dropped EXE
PID:3012 -
\??\c:\8206280.exec:\8206280.exe20⤵
- Executes dropped EXE
PID:3028 -
\??\c:\lxllrrl.exec:\lxllrrl.exe21⤵
- Executes dropped EXE
PID:2576 -
\??\c:\8688046.exec:\8688046.exe22⤵
- Executes dropped EXE
PID:2272 -
\??\c:\vvjdj.exec:\vvjdj.exe23⤵
- Executes dropped EXE
PID:852 -
\??\c:\xrrfxfx.exec:\xrrfxfx.exe24⤵
- Executes dropped EXE
PID:3024 -
\??\c:\jdpvj.exec:\jdpvj.exe25⤵
- Executes dropped EXE
PID:948 -
\??\c:\m2488.exec:\m2488.exe26⤵
- Executes dropped EXE
PID:984 -
\??\c:\862844.exec:\862844.exe27⤵
- Executes dropped EXE
PID:1712 -
\??\c:\dvvdp.exec:\dvvdp.exe28⤵
- Executes dropped EXE
PID:1572 -
\??\c:\088406.exec:\088406.exe29⤵
- Executes dropped EXE
PID:1048 -
\??\c:\48282.exec:\48282.exe30⤵
- Executes dropped EXE
PID:2292 -
\??\c:\3frfrxl.exec:\3frfrxl.exe31⤵
- Executes dropped EXE
PID:808 -
\??\c:\5rfrflf.exec:\5rfrflf.exe32⤵
- Executes dropped EXE
PID:888 -
\??\c:\0488280.exec:\0488280.exe33⤵
- Executes dropped EXE
PID:2216 -
\??\c:\nnbhtb.exec:\nnbhtb.exe34⤵
- Executes dropped EXE
PID:1588 -
\??\c:\bbhnbb.exec:\bbhnbb.exe35⤵
- Executes dropped EXE
PID:2064 -
\??\c:\hhbhnt.exec:\hhbhnt.exe36⤵
- Executes dropped EXE
PID:2520 -
\??\c:\lffxfll.exec:\lffxfll.exe37⤵
- Executes dropped EXE
PID:2524 -
\??\c:\rxlxffr.exec:\rxlxffr.exe38⤵
- Executes dropped EXE
PID:2468 -
\??\c:\ntnbhn.exec:\ntnbhn.exe39⤵
- Executes dropped EXE
PID:2420 -
\??\c:\3bnntb.exec:\3bnntb.exe40⤵
- Executes dropped EXE
PID:1848 -
\??\c:\20828.exec:\20828.exe41⤵
- Executes dropped EXE
PID:2752 -
\??\c:\662086.exec:\662086.exe42⤵
- Executes dropped EXE
PID:2892 -
\??\c:\fxrrffx.exec:\fxrrffx.exe43⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7xlllrx.exec:\7xlllrx.exe44⤵
- Executes dropped EXE
PID:2156 -
\??\c:\dvdpj.exec:\dvdpj.exe45⤵
- Executes dropped EXE
PID:2784 -
\??\c:\426466.exec:\426466.exe46⤵
- Executes dropped EXE
PID:2908 -
\??\c:\7rlfrrx.exec:\7rlfrrx.exe47⤵
- Executes dropped EXE
PID:2664 -
\??\c:\i040280.exec:\i040280.exe48⤵
- Executes dropped EXE
PID:2480 -
\??\c:\686244.exec:\686244.exe49⤵
- Executes dropped EXE
PID:2700 -
\??\c:\bbnthh.exec:\bbnthh.exe50⤵
- Executes dropped EXE
PID:2680 -
\??\c:\o824668.exec:\o824668.exe51⤵
- Executes dropped EXE
PID:2712 -
\??\c:\3rfflll.exec:\3rfflll.exe52⤵
- Executes dropped EXE
PID:2868 -
\??\c:\dddpd.exec:\dddpd.exe53⤵
- Executes dropped EXE
PID:1176 -
\??\c:\60846.exec:\60846.exe54⤵
- Executes dropped EXE
PID:2356 -
\??\c:\hhbbnb.exec:\hhbbnb.exe55⤵
- Executes dropped EXE
PID:2076 -
\??\c:\ddppv.exec:\ddppv.exe56⤵
- Executes dropped EXE
PID:1912 -
\??\c:\648028.exec:\648028.exe57⤵
- Executes dropped EXE
PID:1964 -
\??\c:\04020.exec:\04020.exe58⤵
- Executes dropped EXE
PID:1764 -
\??\c:\btbbhh.exec:\btbbhh.exe59⤵
- Executes dropped EXE
PID:3016 -
\??\c:\66460.exec:\66460.exe60⤵
- Executes dropped EXE
PID:2060 -
\??\c:\9thhtb.exec:\9thhtb.exe61⤵
- Executes dropped EXE
PID:2452 -
\??\c:\1jjdp.exec:\1jjdp.exe62⤵
- Executes dropped EXE
PID:2024 -
\??\c:\hbttbb.exec:\hbttbb.exe63⤵
- Executes dropped EXE
PID:2128 -
\??\c:\nnhtth.exec:\nnhtth.exe64⤵
- Executes dropped EXE
PID:2160 -
\??\c:\pvvdj.exec:\pvvdj.exe65⤵
- Executes dropped EXE
PID:1564 -
\??\c:\0086846.exec:\0086846.exe66⤵PID:1104
-
\??\c:\ddvdp.exec:\ddvdp.exe67⤵PID:1680
-
\??\c:\hnhtbt.exec:\hnhtbt.exe68⤵PID:2400
-
\??\c:\jjpjp.exec:\jjpjp.exe69⤵PID:1724
-
\??\c:\pdddj.exec:\pdddj.exe70⤵PID:1756
-
\??\c:\dpjpd.exec:\dpjpd.exe71⤵PID:1676
-
\??\c:\66062.exec:\66062.exe72⤵PID:2568
-
\??\c:\1htbtb.exec:\1htbtb.exe73⤵PID:2208
-
\??\c:\jddjp.exec:\jddjp.exe74⤵PID:696
-
\??\c:\ddpdp.exec:\ddpdp.exe75⤵PID:1740
-
\??\c:\lfxlxfl.exec:\lfxlxfl.exe76⤵PID:2372
-
\??\c:\826684.exec:\826684.exe77⤵PID:2336
-
\??\c:\26244.exec:\26244.exe78⤵PID:2344
-
\??\c:\rllflrr.exec:\rllflrr.exe79⤵PID:2044
-
\??\c:\q82240.exec:\q82240.exe80⤵PID:296
-
\??\c:\5pvdp.exec:\5pvdp.exe81⤵PID:1520
-
\??\c:\w80620.exec:\w80620.exe82⤵PID:2548
-
\??\c:\bnbhnb.exec:\bnbhnb.exe83⤵PID:2708
-
\??\c:\6028668.exec:\6028668.exe84⤵PID:1316
-
\??\c:\xrrrxxf.exec:\xrrrxxf.exe85⤵PID:2944
-
\??\c:\xrllrrx.exec:\xrllrrx.exe86⤵PID:2780
-
\??\c:\ffxflrf.exec:\ffxflrf.exe87⤵PID:2936
-
\??\c:\486240.exec:\486240.exe88⤵PID:3064
-
\??\c:\684806.exec:\684806.exe89⤵PID:536
-
\??\c:\btnntb.exec:\btnntb.exe90⤵PID:2784
-
\??\c:\rrfrxfl.exec:\rrfrxfl.exe91⤵PID:2908
-
\??\c:\602862.exec:\602862.exe92⤵PID:2664
-
\??\c:\640622.exec:\640622.exe93⤵PID:2792
-
\??\c:\8262002.exec:\8262002.exe94⤵PID:2700
-
\??\c:\dvpvd.exec:\dvpvd.exe95⤵PID:2680
-
\??\c:\rrfxfff.exec:\rrfxfff.exe96⤵PID:2516
-
\??\c:\86046.exec:\86046.exe97⤵PID:2868
-
\??\c:\64280.exec:\64280.exe98⤵PID:1488
-
\??\c:\0802284.exec:\0802284.exe99⤵PID:2356
-
\??\c:\lfxrxlx.exec:\lfxrxlx.exe100⤵PID:1236
-
\??\c:\xrfxfxl.exec:\xrfxfxl.exe101⤵PID:2836
-
\??\c:\nhbnbh.exec:\nhbnbh.exe102⤵PID:1796
-
\??\c:\pjppv.exec:\pjppv.exe103⤵
- System Location Discovery: System Language Discovery
PID:2720 -
\??\c:\bthtbh.exec:\bthtbh.exe104⤵PID:2132
-
\??\c:\pjdvj.exec:\pjdvj.exe105⤵PID:3052
-
\??\c:\08028.exec:\08028.exe106⤵PID:2188
-
\??\c:\2040280.exec:\2040280.exe107⤵PID:1464
-
\??\c:\9rllrxl.exec:\9rllrxl.exe108⤵PID:740
-
\??\c:\20068.exec:\20068.exe109⤵PID:928
-
\??\c:\4828046.exec:\4828046.exe110⤵PID:1844
-
\??\c:\20844.exec:\20844.exe111⤵PID:1148
-
\??\c:\640622.exec:\640622.exe112⤵PID:908
-
\??\c:\i800222.exec:\i800222.exe113⤵PID:1712
-
\??\c:\djvdj.exec:\djvdj.exe114⤵PID:2724
-
\??\c:\bhtbnn.exec:\bhtbnn.exe115⤵PID:320
-
\??\c:\nbnntt.exec:\nbnntt.exe116⤵PID:300
-
\??\c:\pvjvj.exec:\pvjvj.exe117⤵PID:980
-
\??\c:\6428622.exec:\6428622.exe118⤵PID:620
-
\??\c:\jjvjj.exec:\jjvjj.exe119⤵PID:1492
-
\??\c:\u684662.exec:\u684662.exe120⤵PID:2116
-
\??\c:\2200284.exec:\2200284.exe121⤵PID:2320
-
\??\c:\djvpv.exec:\djvpv.exe122⤵PID:2080