Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 · arch:x86 · image:win7-20241023-en · locale:en-us · os:windows7-x64 · system -
submitted
26-12-2024 11:04
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe
-
Size
453KB
-
MD5
ac6d2f880b699956bd5c398c01614960
-
SHA1
6aa4e65846bf8748a06ad4ae86c81a8f1f9d1761
-
SHA256
d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8
-
SHA512
1efc20b3daf849abb6ef8591979df8eb402642a35275d334a2f50fa063220edb995019e4bad77db09205e8fc1b8c7eea66071dc927cfca487a84caf27c5ebaa7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 53 IoCs (YARA rule family_blackmoon matched on in-memory dumps of the sample and its dropped executables; note that several PIDs are reused by different dropped binaries during the run — e.g. 2928, 2780 and 2448 each appear twice under "Executes dropped EXE" — so a PID-plus-offset dump identifier does not uniquely name one file; check the dump's timestamp/sequence number when attributing a hit)
resource yara_rule behavioral1/memory/2392-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/296-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-74-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2728-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-84-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/928-125-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2448-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1360-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/468-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/644-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-421-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2016-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-594-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3000-607-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2828-632-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2384-673-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/920-702-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1988-709-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2776-735-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/2776-752-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3024-775-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2344-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-884-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2924-893-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2164-989-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2808-1041-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2256-1047-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1376-1079-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1016-1112-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2488-1119-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the IoC list is capped at 64 entries; the process tree below continues to depth 122, each dropped executable spawning the next, so this list is a prefix of the chain rather than the complete set of dropped files)
pid Process 296 864866.exe 2788 pdjjv.exe 2356 4240228.exe 2868 2026228.exe 2864 82484.exe 2996 7xrllll.exe 2728 202628.exe 2928 04268.exe 2780 nhbntt.exe 2292 1nbbbb.exe 860 868404.exe 928 o680662.exe 2448 vvppd.exe 1360 808844.exe 1500 42408.exe 468 w48288.exe 3028 046240.exe 1028 4804006.exe 2216 3thnhh.exe 544 6028602.exe 3032 3nbhnn.exe 644 o640680.exe 1968 w64666.exe 1468 048406.exe 1572 dvjpd.exe 1492 pdppv.exe 692 q80626.exe 1444 lrxrfxf.exe 2596 268626.exe 1972 xlrxffr.exe 1976 a4662.exe 2240 bhbbnn.exe 1652 nhtthh.exe 2792 20880.exe 3000 bthhnn.exe 572 hthhnt.exe 2904 s8262.exe 2960 vvpvj.exe 2936 5vddd.exe 2840 jjvdp.exe 2220 pjdvj.exe 2848 408888.exe 2812 o806600.exe 2760 xrflxrf.exe 2928 4406284.exe 2780 4866284.exe 2136 62668.exe 1248 2640224.exe 2376 446240.exe 1996 dvvvv.exe 2448 k82426.exe 1644 fxrrxfr.exe 2016 lxlrxxr.exe 820 3hthbt.exe 3004 lrllfll.exe 1700 ntnthh.exe 2192 8202446.exe 2252 ffrxllx.exe 2492 0484680.exe 3024 3llrxfl.exe 2688 bhbbhn.exe 3032 fxrxffr.exe 788 k64022.exe 1968 nnhtnh.exe -
resource yara_rule behavioral1/memory/2392-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-32-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2356-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-74-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2728-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/468-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-217-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1468-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-594-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2828-632-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1988-709-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/3048-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-857-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2392-884-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2232-1021-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-1028-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-1105-0x00000000001B0000-0x00000000001DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host — here by opening the registry key HKLM\SYSTEM\ControlSet001\Control\NLS\Language — in order to infer its geographical location. Many entries below are attributed to "Process not Found", which presumably means the reading process had already exited before the sandbox resolved its image name; treat those as unattributed rather than as a separate actor.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k04022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 842864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o606824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k26200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k82426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u026406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q64028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6400662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2006222.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (every entry shows a parent writing to the child it itself spawned, four times each, matching the one-per-level chain in the process tree below; this pattern may reflect ordinary process start-up rather than injection into an unrelated process, so confirm with the memory dumps before classifying it as injection)
description pid Process procid_target PID 2392 wrote to memory of 296 2392 d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe 31 PID 2392 wrote to memory of 296 2392 d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe 31 PID 2392 wrote to memory of 296 2392 d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe 31 PID 2392 wrote to memory of 296 2392 d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe 31 PID 296 wrote to memory of 2788 296 864866.exe 32 PID 296 wrote to memory of 2788 296 864866.exe 32 PID 296 wrote to memory of 2788 296 864866.exe 32 PID 296 wrote to memory of 2788 296 864866.exe 32 PID 2788 wrote to memory of 2356 2788 pdjjv.exe 33 PID 2788 wrote to memory of 2356 2788 pdjjv.exe 33 PID 2788 wrote to memory of 2356 2788 pdjjv.exe 33 PID 2788 wrote to memory of 2356 2788 pdjjv.exe 33 PID 2356 wrote to memory of 2868 2356 4240228.exe 34 PID 2356 wrote to memory of 2868 2356 4240228.exe 34 PID 2356 wrote to memory of 2868 2356 4240228.exe 34 PID 2356 wrote to memory of 2868 2356 4240228.exe 34 PID 2868 wrote to memory of 2864 2868 2026228.exe 35 PID 2868 wrote to memory of 2864 2868 2026228.exe 35 PID 2868 wrote to memory of 2864 2868 2026228.exe 35 PID 2868 wrote to memory of 2864 2868 2026228.exe 35 PID 2864 wrote to memory of 2996 2864 82484.exe 36 PID 2864 wrote to memory of 2996 2864 82484.exe 36 PID 2864 wrote to memory of 2996 2864 82484.exe 36 PID 2864 wrote to memory of 2996 2864 82484.exe 36 PID 2996 wrote to memory of 2728 2996 7xrllll.exe 37 PID 2996 wrote to memory of 2728 2996 7xrllll.exe 37 PID 2996 wrote to memory of 2728 2996 7xrllll.exe 37 PID 2996 wrote to memory of 2728 2996 7xrllll.exe 37 PID 2728 wrote to memory of 2928 2728 202628.exe 75 PID 2728 wrote to memory of 2928 2728 202628.exe 75 PID 2728 wrote to memory of 2928 2728 202628.exe 75 PID 2728 wrote to memory of 2928 2728 202628.exe 75 PID 2928 wrote to memory of 2780 2928 04268.exe 76 PID 2928 wrote to 
memory of 2780 2928 04268.exe 76 PID 2928 wrote to memory of 2780 2928 04268.exe 76 PID 2928 wrote to memory of 2780 2928 04268.exe 76 PID 2780 wrote to memory of 2292 2780 nhbntt.exe 40 PID 2780 wrote to memory of 2292 2780 nhbntt.exe 40 PID 2780 wrote to memory of 2292 2780 nhbntt.exe 40 PID 2780 wrote to memory of 2292 2780 nhbntt.exe 40 PID 2292 wrote to memory of 860 2292 1nbbbb.exe 41 PID 2292 wrote to memory of 860 2292 1nbbbb.exe 41 PID 2292 wrote to memory of 860 2292 1nbbbb.exe 41 PID 2292 wrote to memory of 860 2292 1nbbbb.exe 41 PID 860 wrote to memory of 928 860 868404.exe 42 PID 860 wrote to memory of 928 860 868404.exe 42 PID 860 wrote to memory of 928 860 868404.exe 42 PID 860 wrote to memory of 928 860 868404.exe 42 PID 928 wrote to memory of 2448 928 o680662.exe 81 PID 928 wrote to memory of 2448 928 o680662.exe 81 PID 928 wrote to memory of 2448 928 o680662.exe 81 PID 928 wrote to memory of 2448 928 o680662.exe 81 PID 2448 wrote to memory of 1360 2448 vvppd.exe 44 PID 2448 wrote to memory of 1360 2448 vvppd.exe 44 PID 2448 wrote to memory of 1360 2448 vvppd.exe 44 PID 2448 wrote to memory of 1360 2448 vvppd.exe 44 PID 1360 wrote to memory of 1500 1360 808844.exe 45 PID 1360 wrote to memory of 1500 1360 808844.exe 45 PID 1360 wrote to memory of 1500 1360 808844.exe 45 PID 1360 wrote to memory of 1500 1360 808844.exe 45 PID 1500 wrote to memory of 468 1500 42408.exe 46 PID 1500 wrote to memory of 468 1500 42408.exe 46 PID 1500 wrote to memory of 468 1500 42408.exe 46 PID 1500 wrote to memory of 468 1500 42408.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe"C:\Users\Admin\AppData\Local\Temp\d6eef2f7d2222599d5868ae9c86ea16db65fe5a1e9e628e36f4d71f56ec87ee8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\864866.exec:\864866.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:296 -
\??\c:\pdjjv.exec:\pdjjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\4240228.exec:\4240228.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\2026228.exec:\2026228.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\82484.exec:\82484.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\7xrllll.exec:\7xrllll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\202628.exec:\202628.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\04268.exec:\04268.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\nhbntt.exec:\nhbntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\1nbbbb.exec:\1nbbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\868404.exec:\868404.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\o680662.exec:\o680662.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\vvppd.exec:\vvppd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\808844.exec:\808844.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\42408.exec:\42408.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\w48288.exec:\w48288.exe17⤵
- Executes dropped EXE
PID:468 -
\??\c:\046240.exec:\046240.exe18⤵
- Executes dropped EXE
PID:3028 -
\??\c:\4804006.exec:\4804006.exe19⤵
- Executes dropped EXE
PID:1028 -
\??\c:\3thnhh.exec:\3thnhh.exe20⤵
- Executes dropped EXE
PID:2216 -
\??\c:\6028602.exec:\6028602.exe21⤵
- Executes dropped EXE
PID:544 -
\??\c:\3nbhnn.exec:\3nbhnn.exe22⤵
- Executes dropped EXE
PID:3032 -
\??\c:\o640680.exec:\o640680.exe23⤵
- Executes dropped EXE
PID:644 -
\??\c:\w64666.exec:\w64666.exe24⤵
- Executes dropped EXE
PID:1968 -
\??\c:\048406.exec:\048406.exe25⤵
- Executes dropped EXE
PID:1468 -
\??\c:\dvjpd.exec:\dvjpd.exe26⤵
- Executes dropped EXE
PID:1572 -
\??\c:\pdppv.exec:\pdppv.exe27⤵
- Executes dropped EXE
PID:1492 -
\??\c:\q80626.exec:\q80626.exe28⤵
- Executes dropped EXE
PID:692 -
\??\c:\lrxrfxf.exec:\lrxrfxf.exe29⤵
- Executes dropped EXE
PID:1444 -
\??\c:\268626.exec:\268626.exe30⤵
- Executes dropped EXE
PID:2596 -
\??\c:\xlrxffr.exec:\xlrxffr.exe31⤵
- Executes dropped EXE
PID:1972 -
\??\c:\a4662.exec:\a4662.exe32⤵
- Executes dropped EXE
PID:1976 -
\??\c:\bhbbnn.exec:\bhbbnn.exe33⤵
- Executes dropped EXE
PID:2240 -
\??\c:\nhtthh.exec:\nhtthh.exe34⤵
- Executes dropped EXE
PID:1652 -
\??\c:\20880.exec:\20880.exe35⤵
- Executes dropped EXE
PID:2792 -
\??\c:\bthhnn.exec:\bthhnn.exe36⤵
- Executes dropped EXE
PID:3000 -
\??\c:\hthhnt.exec:\hthhnt.exe37⤵
- Executes dropped EXE
PID:572 -
\??\c:\s8262.exec:\s8262.exe38⤵
- Executes dropped EXE
PID:2904 -
\??\c:\vvpvj.exec:\vvpvj.exe39⤵
- Executes dropped EXE
PID:2960 -
\??\c:\5vddd.exec:\5vddd.exe40⤵
- Executes dropped EXE
PID:2936 -
\??\c:\jjvdp.exec:\jjvdp.exe41⤵
- Executes dropped EXE
PID:2840 -
\??\c:\pjdvj.exec:\pjdvj.exe42⤵
- Executes dropped EXE
PID:2220 -
\??\c:\408888.exec:\408888.exe43⤵
- Executes dropped EXE
PID:2848 -
\??\c:\o806600.exec:\o806600.exe44⤵
- Executes dropped EXE
PID:2812 -
\??\c:\xrflxrf.exec:\xrflxrf.exe45⤵
- Executes dropped EXE
PID:2760 -
\??\c:\4406284.exec:\4406284.exe46⤵
- Executes dropped EXE
PID:2928 -
\??\c:\4866284.exec:\4866284.exe47⤵
- Executes dropped EXE
PID:2780 -
\??\c:\62668.exec:\62668.exe48⤵
- Executes dropped EXE
PID:2136 -
\??\c:\2640224.exec:\2640224.exe49⤵
- Executes dropped EXE
PID:1248 -
\??\c:\446240.exec:\446240.exe50⤵
- Executes dropped EXE
PID:2376 -
\??\c:\dvvvv.exec:\dvvvv.exe51⤵
- Executes dropped EXE
PID:1996 -
\??\c:\k82426.exec:\k82426.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2448 -
\??\c:\fxrrxfr.exec:\fxrrxfr.exe53⤵
- Executes dropped EXE
PID:1644 -
\??\c:\lxlrxxr.exec:\lxlrxxr.exe54⤵
- Executes dropped EXE
PID:2016 -
\??\c:\3hthbt.exec:\3hthbt.exe55⤵
- Executes dropped EXE
PID:820 -
\??\c:\lrllfll.exec:\lrllfll.exe56⤵
- Executes dropped EXE
PID:3004 -
\??\c:\ntnthh.exec:\ntnthh.exe57⤵
- Executes dropped EXE
PID:1700 -
\??\c:\8202446.exec:\8202446.exe58⤵
- Executes dropped EXE
PID:2192 -
\??\c:\ffrxllx.exec:\ffrxllx.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
\??\c:\0484680.exec:\0484680.exe60⤵
- Executes dropped EXE
PID:2492 -
\??\c:\3llrxfl.exec:\3llrxfl.exe61⤵
- Executes dropped EXE
PID:3024 -
\??\c:\bhbbhn.exec:\bhbbhn.exe62⤵
- Executes dropped EXE
PID:2688 -
\??\c:\fxrxffr.exec:\fxrxffr.exe63⤵
- Executes dropped EXE
PID:3032 -
\??\c:\k64022.exec:\k64022.exe64⤵
- Executes dropped EXE
PID:788 -
\??\c:\nnhtnh.exec:\nnhtnh.exe65⤵
- Executes dropped EXE
PID:1968 -
\??\c:\5xllrlr.exec:\5xllrlr.exe66⤵PID:1948
-
\??\c:\5lffrrf.exec:\5lffrrf.exe67⤵PID:1728
-
\??\c:\fxrxlfr.exec:\fxrxlfr.exe68⤵PID:284
-
\??\c:\9jvvv.exec:\9jvvv.exe69⤵PID:1492
-
\??\c:\pddvj.exec:\pddvj.exe70⤵PID:336
-
\??\c:\htnhnt.exec:\htnhnt.exe71⤵PID:1016
-
\??\c:\jdvjp.exec:\jdvjp.exe72⤵PID:2488
-
\??\c:\6080224.exec:\6080224.exe73⤵PID:1736
-
\??\c:\hbnntt.exec:\hbnntt.exe74⤵PID:1436
-
\??\c:\08680.exec:\08680.exe75⤵PID:780
-
\??\c:\frrrxfr.exec:\frrrxfr.exe76⤵PID:2656
-
\??\c:\u662020.exec:\u662020.exe77⤵PID:1532
-
\??\c:\1bhhnt.exec:\1bhhnt.exe78⤵PID:2336
-
\??\c:\804840.exec:\804840.exe79⤵PID:2296
-
\??\c:\7lflrfl.exec:\7lflrfl.exe80⤵PID:3000
-
\??\c:\vddjd.exec:\vddjd.exe81⤵PID:2800
-
\??\c:\3jvvd.exec:\3jvvd.exe82⤵PID:2912
-
\??\c:\rrlrffl.exec:\rrlrffl.exe83⤵PID:2844
-
\??\c:\tnhhtb.exec:\tnhhtb.exe84⤵
- System Location Discovery: System Language Discovery
PID:2828 -
\??\c:\824024.exec:\824024.exe85⤵PID:568
-
\??\c:\8224224.exec:\8224224.exe86⤵PID:2400
-
\??\c:\pjvjv.exec:\pjvjv.exe87⤵PID:3016
-
\??\c:\6040284.exec:\6040284.exe88⤵PID:2384
-
\??\c:\k04022.exec:\k04022.exe89⤵
- System Location Discovery: System Language Discovery
PID:2832 -
\??\c:\2028002.exec:\2028002.exe90⤵PID:1688
-
\??\c:\ddpjd.exec:\ddpjd.exe91⤵PID:1048
-
\??\c:\dvppj.exec:\dvppj.exe92⤵PID:920
-
\??\c:\jdpvv.exec:\jdpvv.exe93⤵PID:2068
-
\??\c:\dppvp.exec:\dppvp.exe94⤵PID:2444
-
\??\c:\o606824.exec:\o606824.exe95⤵
- System Location Discovery: System Language Discovery
PID:2032 -
\??\c:\bthttb.exec:\bthttb.exe96⤵PID:1988
-
\??\c:\0480224.exec:\0480224.exe97⤵PID:1844
-
\??\c:\088466.exec:\088466.exe98⤵PID:1744
-
\??\c:\82624.exec:\82624.exe99⤵PID:1260
-
\??\c:\48280.exec:\48280.exe100⤵PID:2776
-
\??\c:\7btthh.exec:\7btthh.exe101⤵PID:2744
-
\??\c:\286684.exec:\286684.exe102⤵PID:3048
-
\??\c:\04840.exec:\04840.exe103⤵PID:328
-
\??\c:\6488064.exec:\6488064.exe104⤵PID:2160
-
\??\c:\868466.exec:\868466.exe105⤵PID:2168
-
\??\c:\48662.exec:\48662.exe106⤵PID:3024
-
\??\c:\jjvvv.exec:\jjvvv.exe107⤵PID:960
-
\??\c:\820062.exec:\820062.exe108⤵PID:1528
-
\??\c:\880622.exec:\880622.exe109⤵PID:1152
-
\??\c:\ddpvj.exec:\ddpvj.exe110⤵PID:1968
-
\??\c:\ffxfrfx.exec:\ffxfrfx.exe111⤵PID:968
-
\??\c:\6664860.exec:\6664860.exe112⤵PID:1728
-
\??\c:\000606.exec:\000606.exe113⤵PID:2344
-
\??\c:\0420624.exec:\0420624.exe114⤵PID:2124
-
\??\c:\ppdpv.exec:\ppdpv.exe115⤵PID:620
-
\??\c:\82884.exec:\82884.exe116⤵PID:2608
-
\??\c:\8264686.exec:\8264686.exe117⤵PID:1088
-
\??\c:\8600662.exec:\8600662.exe118⤵PID:1052
-
\??\c:\fxflrfr.exec:\fxflrfr.exe119⤵PID:2248
-
\??\c:\tnbbnt.exec:\tnbbnt.exe120⤵PID:2676
-
\??\c:\2086446.exec:\2086446.exe121⤵PID:2172
-
\??\c:\a2686.exec:\a2686.exe122⤵PID:864