Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
26-12-2024 05:35
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe
-
Size
454KB
-
MD5
2ee18af53d3d1a78dd64d155ee6be0b4
-
SHA1
cc9a3fb76a74c17830048a3125e6aaf2a1acfd04
-
SHA256
c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49
-
SHA512
0c236db0e50a520347efd95aad45f22f5ad7bcda817f14c1aea431e222de992f057949e655819d5c8ee8dc3ebc47b378287bdf1273a251dea49eee59e548f4d0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures (every IoC below is tagged behavioral2, which appears to be the Windows 10 2004 x64 run described under Analysis; the behavioral1 / Windows 7 task listed above is not what these results come from)
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every hit lies in the same 0x0000000000400000-0x000000000042A000 image range across different PIDs, consistent with each dropped executable being a copy of the same payload; 64 is the per-signature display cap, so this is not necessarily the full count)
resource yara_rule behavioral2/memory/1296-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2864-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3584-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-1341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-1405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4884-1478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64 entries and ending at PID 1152 / 20608.exe; the process tree below shows the chain of dropped executables continuing well past that point)
pid Process 4912 dddvv.exe 3472 nbnhtn.exe 212 ffffxfx.exe 2776 vdddv.exe 5060 6222222.exe 1828 u886444.exe 2428 4448264.exe 4484 240220.exe 2960 fxrfrlx.exe 5080 flfxxrf.exe 3468 682026.exe 3696 0662084.exe 3620 q64826.exe 1988 hhbhtn.exe 1156 028268.exe 3488 1jpjj.exe 1116 026482.exe 4404 666004.exe 2648 u802420.exe 4512 nnhtbt.exe 1544 6442048.exe 4924 06648.exe 4780 60086.exe 976 i664646.exe 2864 vjjdp.exe 2576 hntnbb.exe 1824 jdvpj.exe 2924 s0288.exe 4976 xxfxllf.exe 1588 lfxlllf.exe 2052 rffxrll.exe 2252 0026604.exe 996 6686042.exe 3632 00086.exe 5000 6600420.exe 4020 2848608.exe 4776 pdpdd.exe 4456 86086.exe 4712 7hthtn.exe 4316 6220268.exe 1092 404864.exe 2260 nbnhtn.exe 4340 m0608.exe 2636 tnnbnh.exe 2108 pvvpv.exe 3692 266026.exe 5044 1tthnb.exe 3400 4222666.exe 3552 3btnbn.exe 5084 62846.exe 5060 88862.exe 3516 6604620.exe 1336 9jjvd.exe 2428 04002.exe 4752 26484.exe 3036 6608600.exe 3548 tttnnh.exe 2852 444208.exe 980 frrrxlr.exe 1228 9fxrfxr.exe 664 860428.exe 3476 4420004.exe 1164 86660.exe 1152 20608.exe -
UPX (yara rule `upx`) 64 IoCs — signature heading reconstructed from the rule tag; it did not survive extraction. The matched regions are the same 0x400000-0x42A000 image ranges that the Blackmoon rule hits above.
resource yara_rule behavioral2/memory/1296-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1824-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4496-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-511-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Entries marked "Process not Found" are reads of the same NLS\Language key by a process whose name the sandbox could not resolve (most likely because it had already exited when the event was attributed); they still count as reads of that key.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c226482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 404864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w40000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4042264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8008642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20608.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8464264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4822604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each listed write is from a parent into the child it has just spawned, three writes per child, and follows the process tree below exactly; writes of this shape are commonly seen during ordinary process creation and are not by themselves evidence of injection into an unrelated process. The list is capped at 64 entries and stops at PID 1544 → 4924 while the tree continues.)
description pid Process procid_target PID 1296 wrote to memory of 4912 1296 c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe 85 PID 1296 wrote to memory of 4912 1296 c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe 85 PID 1296 wrote to memory of 4912 1296 c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe 85 PID 4912 wrote to memory of 3472 4912 dddvv.exe 86 PID 4912 wrote to memory of 3472 4912 dddvv.exe 86 PID 4912 wrote to memory of 3472 4912 dddvv.exe 86 PID 3472 wrote to memory of 212 3472 nbnhtn.exe 87 PID 3472 wrote to memory of 212 3472 nbnhtn.exe 87 PID 3472 wrote to memory of 212 3472 nbnhtn.exe 87 PID 212 wrote to memory of 2776 212 ffffxfx.exe 88 PID 212 wrote to memory of 2776 212 ffffxfx.exe 88 PID 212 wrote to memory of 2776 212 ffffxfx.exe 88 PID 2776 wrote to memory of 5060 2776 vdddv.exe 89 PID 2776 wrote to memory of 5060 2776 vdddv.exe 89 PID 2776 wrote to memory of 5060 2776 vdddv.exe 89 PID 5060 wrote to memory of 1828 5060 6222222.exe 90 PID 5060 wrote to memory of 1828 5060 6222222.exe 90 PID 5060 wrote to memory of 1828 5060 6222222.exe 90 PID 1828 wrote to memory of 2428 1828 u886444.exe 91 PID 1828 wrote to memory of 2428 1828 u886444.exe 91 PID 1828 wrote to memory of 2428 1828 u886444.exe 91 PID 2428 wrote to memory of 4484 2428 4448264.exe 92 PID 2428 wrote to memory of 4484 2428 4448264.exe 92 PID 2428 wrote to memory of 4484 2428 4448264.exe 92 PID 4484 wrote to memory of 2960 4484 240220.exe 93 PID 4484 wrote to memory of 2960 4484 240220.exe 93 PID 4484 wrote to memory of 2960 4484 240220.exe 93 PID 2960 wrote to memory of 5080 2960 fxrfrlx.exe 94 PID 2960 wrote to memory of 5080 2960 fxrfrlx.exe 94 PID 2960 wrote to memory of 5080 2960 fxrfrlx.exe 94 PID 5080 wrote to memory of 3468 5080 flfxxrf.exe 95 PID 5080 wrote to memory of 3468 5080 flfxxrf.exe 95 PID 5080 wrote to memory of 3468 5080 flfxxrf.exe 95 PID 3468 wrote to memory of 3696 3468 682026.exe 96 PID 3468 wrote 
to memory of 3696 3468 682026.exe 96 PID 3468 wrote to memory of 3696 3468 682026.exe 96 PID 3696 wrote to memory of 3620 3696 0662084.exe 97 PID 3696 wrote to memory of 3620 3696 0662084.exe 97 PID 3696 wrote to memory of 3620 3696 0662084.exe 97 PID 3620 wrote to memory of 1988 3620 q64826.exe 98 PID 3620 wrote to memory of 1988 3620 q64826.exe 98 PID 3620 wrote to memory of 1988 3620 q64826.exe 98 PID 1988 wrote to memory of 1156 1988 hhbhtn.exe 99 PID 1988 wrote to memory of 1156 1988 hhbhtn.exe 99 PID 1988 wrote to memory of 1156 1988 hhbhtn.exe 99 PID 1156 wrote to memory of 3488 1156 028268.exe 100 PID 1156 wrote to memory of 3488 1156 028268.exe 100 PID 1156 wrote to memory of 3488 1156 028268.exe 100 PID 3488 wrote to memory of 1116 3488 1jpjj.exe 101 PID 3488 wrote to memory of 1116 3488 1jpjj.exe 101 PID 3488 wrote to memory of 1116 3488 1jpjj.exe 101 PID 1116 wrote to memory of 4404 1116 026482.exe 102 PID 1116 wrote to memory of 4404 1116 026482.exe 102 PID 1116 wrote to memory of 4404 1116 026482.exe 102 PID 4404 wrote to memory of 2648 4404 666004.exe 103 PID 4404 wrote to memory of 2648 4404 666004.exe 103 PID 4404 wrote to memory of 2648 4404 666004.exe 103 PID 2648 wrote to memory of 4512 2648 u802420.exe 104 PID 2648 wrote to memory of 4512 2648 u802420.exe 104 PID 2648 wrote to memory of 4512 2648 u802420.exe 104 PID 4512 wrote to memory of 1544 4512 nnhtbt.exe 105 PID 4512 wrote to memory of 1544 4512 nnhtbt.exe 105 PID 4512 wrote to memory of 1544 4512 nnhtbt.exe 105 PID 1544 wrote to memory of 4924 1544 6442048.exe 106
Processes (the sample runs from the user's Temp directory; every dropped executable is written to and launched from the root of C:\ as \??\c:\<name>.exe, and each one launches the next, giving a chain more than 120 processes deep within the 150-second run — a root-of-C:\ write and launch pattern worth alerting on in its own right)
-
C:\Users\Admin\AppData\Local\Temp\c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe"C:\Users\Admin\AppData\Local\Temp\c514b26cee9fef658a35da2bc84542444a890601d8fbaf5bdb4186e78ec7cc49.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\dddvv.exec:\dddvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\nbnhtn.exec:\nbnhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\ffffxfx.exec:\ffffxfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\vdddv.exec:\vdddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\6222222.exec:\6222222.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\u886444.exec:\u886444.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\4448264.exec:\4448264.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\240220.exec:\240220.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\flfxxrf.exec:\flfxxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\682026.exec:\682026.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\0662084.exec:\0662084.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\q64826.exec:\q64826.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\hhbhtn.exec:\hhbhtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\028268.exec:\028268.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\1jpjj.exec:\1jpjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\026482.exec:\026482.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\666004.exec:\666004.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\u802420.exec:\u802420.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\nnhtbt.exec:\nnhtbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\6442048.exec:\6442048.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\06648.exec:\06648.exe23⤵
- Executes dropped EXE
PID:4924 -
\??\c:\60086.exec:\60086.exe24⤵
- Executes dropped EXE
PID:4780 -
\??\c:\i664646.exec:\i664646.exe25⤵
- Executes dropped EXE
PID:976 -
\??\c:\vjjdp.exec:\vjjdp.exe26⤵
- Executes dropped EXE
PID:2864 -
\??\c:\hntnbb.exec:\hntnbb.exe27⤵
- Executes dropped EXE
PID:2576 -
\??\c:\jdvpj.exec:\jdvpj.exe28⤵
- Executes dropped EXE
PID:1824 -
\??\c:\s0288.exec:\s0288.exe29⤵
- Executes dropped EXE
PID:2924 -
\??\c:\xxfxllf.exec:\xxfxllf.exe30⤵
- Executes dropped EXE
PID:4976 -
\??\c:\lfxlllf.exec:\lfxlllf.exe31⤵
- Executes dropped EXE
PID:1588 -
\??\c:\rffxrll.exec:\rffxrll.exe32⤵
- Executes dropped EXE
PID:2052 -
\??\c:\0026604.exec:\0026604.exe33⤵
- Executes dropped EXE
PID:2252 -
\??\c:\6686042.exec:\6686042.exe34⤵
- Executes dropped EXE
PID:996 -
\??\c:\00086.exec:\00086.exe35⤵
- Executes dropped EXE
PID:3632 -
\??\c:\6600420.exec:\6600420.exe36⤵
- Executes dropped EXE
PID:5000 -
\??\c:\2848608.exec:\2848608.exe37⤵
- Executes dropped EXE
PID:4020 -
\??\c:\pdpdd.exec:\pdpdd.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4776 -
\??\c:\86086.exec:\86086.exe39⤵
- Executes dropped EXE
PID:4456 -
\??\c:\7hthtn.exec:\7hthtn.exe40⤵
- Executes dropped EXE
PID:4712 -
\??\c:\6220268.exec:\6220268.exe41⤵
- Executes dropped EXE
PID:4316 -
\??\c:\404864.exec:\404864.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1092 -
\??\c:\nbnhtn.exec:\nbnhtn.exe43⤵
- Executes dropped EXE
PID:2260 -
\??\c:\m0608.exec:\m0608.exe44⤵
- Executes dropped EXE
PID:4340 -
\??\c:\tnnbnh.exec:\tnnbnh.exe45⤵
- Executes dropped EXE
PID:2636 -
\??\c:\pvvpv.exec:\pvvpv.exe46⤵
- Executes dropped EXE
PID:2108 -
\??\c:\266026.exec:\266026.exe47⤵
- Executes dropped EXE
PID:3692 -
\??\c:\1tthnb.exec:\1tthnb.exe48⤵
- Executes dropped EXE
PID:5044 -
\??\c:\4222666.exec:\4222666.exe49⤵
- Executes dropped EXE
PID:3400 -
\??\c:\3btnbn.exec:\3btnbn.exe50⤵
- Executes dropped EXE
PID:3552 -
\??\c:\62846.exec:\62846.exe51⤵
- Executes dropped EXE
PID:5084 -
\??\c:\88862.exec:\88862.exe52⤵
- Executes dropped EXE
PID:5060 -
\??\c:\6604620.exec:\6604620.exe53⤵
- Executes dropped EXE
PID:3516 -
\??\c:\9jjvd.exec:\9jjvd.exe54⤵
- Executes dropped EXE
PID:1336 -
\??\c:\04002.exec:\04002.exe55⤵
- Executes dropped EXE
PID:2428 -
\??\c:\26484.exec:\26484.exe56⤵
- Executes dropped EXE
PID:4752 -
\??\c:\6608600.exec:\6608600.exe57⤵
- Executes dropped EXE
PID:3036 -
\??\c:\tttnnh.exec:\tttnnh.exe58⤵
- Executes dropped EXE
PID:3548 -
\??\c:\444208.exec:\444208.exe59⤵
- Executes dropped EXE
PID:2852 -
\??\c:\frrrxlr.exec:\frrrxlr.exe60⤵
- Executes dropped EXE
PID:980 -
\??\c:\9fxrfxr.exec:\9fxrfxr.exe61⤵
- Executes dropped EXE
PID:1228 -
\??\c:\860428.exec:\860428.exe62⤵
- Executes dropped EXE
PID:664 -
\??\c:\4420004.exec:\4420004.exe63⤵
- Executes dropped EXE
PID:3476 -
\??\c:\86660.exec:\86660.exe64⤵
- Executes dropped EXE
PID:1164 -
\??\c:\20608.exec:\20608.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152 -
\??\c:\426608.exec:\426608.exe66⤵PID:3272
-
\??\c:\o286482.exec:\o286482.exe67⤵PID:2540
-
\??\c:\tnbnht.exec:\tnbnht.exe68⤵PID:740
-
\??\c:\9rrrlll.exec:\9rrrlll.exe69⤵PID:1664
-
\??\c:\46420.exec:\46420.exe70⤵PID:1936
-
\??\c:\e00420.exec:\e00420.exe71⤵PID:1920
-
\??\c:\nnnhhh.exec:\nnnhhh.exe72⤵PID:3568
-
\??\c:\s6260.exec:\s6260.exe73⤵PID:3080
-
\??\c:\606026.exec:\606026.exe74⤵PID:896
-
\??\c:\8026448.exec:\8026448.exe75⤵PID:3584
-
\??\c:\u248828.exec:\u248828.exe76⤵PID:4216
-
\??\c:\882644.exec:\882644.exe77⤵PID:4924
-
\??\c:\8060044.exec:\8060044.exe78⤵PID:2472
-
\??\c:\pjvvp.exec:\pjvvp.exe79⤵PID:4496
-
\??\c:\60046.exec:\60046.exe80⤵PID:3928
-
\??\c:\m8000.exec:\m8000.exe81⤵PID:1940
-
\??\c:\6220864.exec:\6220864.exe82⤵PID:2880
-
\??\c:\4664206.exec:\4664206.exe83⤵PID:5056
-
\??\c:\9htnbt.exec:\9htnbt.exe84⤵PID:3388
-
\??\c:\lrxlrlx.exec:\lrxlrlx.exe85⤵PID:2924
-
\??\c:\i448664.exec:\i448664.exe86⤵PID:1944
-
\??\c:\djjdj.exec:\djjdj.exe87⤵PID:1004
-
\??\c:\42220.exec:\42220.exe88⤵PID:220
-
\??\c:\826020.exec:\826020.exe89⤵PID:4716
-
\??\c:\bttnhn.exec:\bttnhn.exe90⤵PID:4624
-
\??\c:\0864604.exec:\0864604.exe91⤵PID:1392
-
\??\c:\u682660.exec:\u682660.exe92⤵PID:2396
-
\??\c:\lxrfrfr.exec:\lxrfrfr.exe93⤵PID:1600
-
\??\c:\66660.exec:\66660.exe94⤵PID:4012
-
\??\c:\tnhhbb.exec:\tnhhbb.exe95⤵PID:4044
-
\??\c:\9rrfllx.exec:\9rrfllx.exe96⤵PID:316
-
\??\c:\hnnbnh.exec:\hnnbnh.exe97⤵PID:4864
-
\??\c:\i266820.exec:\i266820.exe98⤵PID:4452
-
\??\c:\thbbnb.exec:\thbbnb.exe99⤵PID:4336
-
\??\c:\08084.exec:\08084.exe100⤵PID:4312
-
\??\c:\240044.exec:\240044.exe101⤵PID:2788
-
\??\c:\btbbtt.exec:\btbbtt.exe102⤵PID:1016
-
\??\c:\9vjpd.exec:\9vjpd.exe103⤵PID:5068
-
\??\c:\xxfflrl.exec:\xxfflrl.exe104⤵PID:4004
-
\??\c:\6060660.exec:\6060660.exe105⤵PID:1836
-
\??\c:\7nhbbt.exec:\7nhbbt.exe106⤵PID:4436
-
\??\c:\6000288.exec:\6000288.exe107⤵PID:4704
-
\??\c:\60044.exec:\60044.exe108⤵PID:2160
-
\??\c:\jjjvj.exec:\jjjvj.exe109⤵PID:4388
-
\??\c:\s2602.exec:\s2602.exe110⤵PID:2876
-
\??\c:\6886820.exec:\6886820.exe111⤵PID:4448
-
\??\c:\o820262.exec:\o820262.exe112⤵PID:3280
-
\??\c:\m0604.exec:\m0604.exe113⤵PID:2932
-
\??\c:\9rlrffr.exec:\9rlrffr.exe114⤵PID:1300
-
\??\c:\e84822.exec:\e84822.exe115⤵PID:1644
-
\??\c:\lxlllfl.exec:\lxlllfl.exe116⤵PID:2736
-
\??\c:\frrrllf.exec:\frrrllf.exe117⤵PID:1840
-
\??\c:\bhbbtt.exec:\bhbbtt.exe118⤵PID:1596
-
\??\c:\jvppd.exec:\jvppd.exe119⤵PID:4836
-
\??\c:\pvvjp.exec:\pvvjp.exe120⤵PID:3932
-
\??\c:\3fxrllf.exec:\3fxrllf.exe121⤵PID:1228
-
\??\c:\hbttnn.exec:\hbttnn.exe122⤵PID:2320