Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 03:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b37780e51d0f2538f0e513fa7feefbff0f0db3b46d6343f1281f0649c1180166.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
b37780e51d0f2538f0e513fa7feefbff0f0db3b46d6343f1281f0649c1180166.exe
-
Size
454KB
-
MD5
940bdcd4eec7faa800d6d72ce27d7124
-
SHA1
0da997a624902134c21bd26594f9012e4b77a86d
-
SHA256
b37780e51d0f2538f0e513fa7feefbff0f0db3b46d6343f1281f0649c1180166
-
SHA512
3c75d17c5971649be09091bf1f9c6001e1d868291502cabee1a1161eab116c042db94a42087896f5be900fca119b0e0719f583a5b29cc5eeb0fb8ee743d24190
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2588-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-193-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2300-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-221-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2864-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/920-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-332-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1712-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-398-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2792-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-406-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/376-455-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1640-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1012-519-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1764-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/540-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-549-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2128-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-575-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2588-594-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon 
behavioral1/memory/2596-607-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1708-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-789-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2764-886-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2540-900-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2540-898-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1304-1093-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1544-1106-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2640-1127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2248-1141-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2628 e28226.exe 2380 pjdjv.exe 2988 640620.exe 2540 hbnhnt.exe 2820 dvjpp.exe 2956 2028002.exe 2984 7bnhhn.exe 3060 pjvdd.exe 1780 hnhtbh.exe 2684 hbthnh.exe 2800 60402.exe 2324 ddvvd.exe 1992 88208.exe 2900 7ppdd.exe 1980 dddjp.exe 1656 04224.exe 1644 5lffrff.exe 2348 dvdjp.exe 580 ttnbnt.exe 1944 bbtthh.exe 2300 lflfrlr.exe 2172 c480686.exe 2296 vjpvp.exe 1940 djjpv.exe 2232 pdvvv.exe 2864 7fxxxxl.exe 1340 w62008.exe 920 9nhtbb.exe 1056 2080220.exe 1676 82624.exe 1028 208066.exe 2468 hthhnn.exe 1824 2040284.exe 2416 5vjdd.exe 2608 s0228.exe 2596 60880.exe 2136 7lfrflx.exe 1932 m4666.exe 2760 htnbhh.exe 1712 jppdj.exe 3068 26020.exe 2968 bntttt.exe 2984 dvvvv.exe 3060 2228442.exe 2676 vpvdj.exe 2700 4822446.exe 2752 jdvvd.exe 2796 tnbntn.exe 2792 1pjjp.exe 1280 pvjjv.exe 2740 bnhbhn.exe 2880 42002.exe 2900 468804.exe 1256 ddvdp.exe 1312 086284.exe 1564 u806224.exe 376 fxrlrxl.exe 548 hbbntt.exe 280 w04022.exe 264 0428440.exe 2068 fxxfrlx.exe 1640 486684.exe 112 204840.exe 1848 tnhntb.exe -
resource yara_rule behavioral1/memory/2588-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-278-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1824-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-797-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1340-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/528-830-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2540-898-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1792-968-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-1017-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-1120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-1134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-1179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-1204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-1261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-1333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-1353-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c262408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o262884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
08246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2588 wrote to memory of 2628 2588 b37780e51d0f2538f0e513fa7feefbff0f0db3b46d6343f1281f0649c1180166.exe 30 PID 2588 wrote to memory of 2628 2588 b37780e51d0f2538f0e513fa7feefbff0f0db3b46d6343f1281f0649c1180166.exe 30 PID 2588 wrote to memory of 2628 2588 b37780e51d0f2538f0e513fa7feefbff0f0db3b46d6343f1281f0649c1180166.exe 30 PID 2588 wrote to memory of 2628 2588 b37780e51d0f2538f0e513fa7feefbff0f0db3b46d6343f1281f0649c1180166.exe 30 PID 2628 wrote to memory of 2380 2628 e28226.exe 31 PID 2628 wrote to memory of 2380 2628 e28226.exe 31 PID 2628 wrote to memory of 2380 2628 e28226.exe 31 PID 2628 wrote to memory of 2380 2628 e28226.exe 31 PID 2380 wrote to memory of 2988 2380 pjdjv.exe 32 PID 2380 wrote to memory of 2988 2380 pjdjv.exe 32 PID 2380 wrote to memory of 2988 2380 pjdjv.exe 32 PID 2380 wrote to memory of 2988 2380 pjdjv.exe 32 PID 2988 wrote to memory of 2540 2988 640620.exe 33 PID 2988 wrote to memory of 2540 2988 640620.exe 33 PID 2988 wrote to memory of 2540 2988 640620.exe 33 PID 2988 wrote to memory of 2540 2988 640620.exe 33 PID 2540 wrote to memory of 2820 2540 hbnhnt.exe 34 PID 2540 wrote to memory of 2820 2540 hbnhnt.exe 34 PID 2540 wrote to memory of 2820 2540 hbnhnt.exe 34 PID 2540 wrote to memory of 2820 2540 hbnhnt.exe 34 PID 2820 wrote to memory of 2956 2820 dvjpp.exe 35 PID 2820 wrote to memory of 2956 2820 dvjpp.exe 35 PID 2820 wrote to memory of 2956 2820 dvjpp.exe 35 PID 2820 wrote to memory of 2956 2820 dvjpp.exe 35 PID 2956 wrote to memory of 2984 2956 2028002.exe 36 PID 2956 wrote to memory of 2984 2956 2028002.exe 36 PID 2956 wrote to memory of 2984 2956 2028002.exe 36 PID 2956 wrote to memory of 2984 2956 2028002.exe 36 PID 2984 wrote to memory of 3060 2984 7bnhhn.exe 37 PID 2984 wrote to memory of 3060 2984 7bnhhn.exe 37 PID 2984 wrote to memory of 3060 2984 7bnhhn.exe 37 PID 2984 wrote to memory of 3060 2984 7bnhhn.exe 37 PID 3060 wrote to memory of 1780 3060 pjvdd.exe 38 PID 3060 wrote to 
memory of 1780 3060 pjvdd.exe 38 PID 3060 wrote to memory of 1780 3060 pjvdd.exe 38 PID 3060 wrote to memory of 1780 3060 pjvdd.exe 38 PID 1780 wrote to memory of 2684 1780 hnhtbh.exe 39 PID 1780 wrote to memory of 2684 1780 hnhtbh.exe 39 PID 1780 wrote to memory of 2684 1780 hnhtbh.exe 39 PID 1780 wrote to memory of 2684 1780 hnhtbh.exe 39 PID 2684 wrote to memory of 2800 2684 hbthnh.exe 40 PID 2684 wrote to memory of 2800 2684 hbthnh.exe 40 PID 2684 wrote to memory of 2800 2684 hbthnh.exe 40 PID 2684 wrote to memory of 2800 2684 hbthnh.exe 40 PID 2800 wrote to memory of 2324 2800 60402.exe 41 PID 2800 wrote to memory of 2324 2800 60402.exe 41 PID 2800 wrote to memory of 2324 2800 60402.exe 41 PID 2800 wrote to memory of 2324 2800 60402.exe 41 PID 2324 wrote to memory of 1992 2324 ddvvd.exe 42 PID 2324 wrote to memory of 1992 2324 ddvvd.exe 42 PID 2324 wrote to memory of 1992 2324 ddvvd.exe 42 PID 2324 wrote to memory of 1992 2324 ddvvd.exe 42 PID 1992 wrote to memory of 2900 1992 88208.exe 43 PID 1992 wrote to memory of 2900 1992 88208.exe 43 PID 1992 wrote to memory of 2900 1992 88208.exe 43 PID 1992 wrote to memory of 2900 1992 88208.exe 43 PID 2900 wrote to memory of 1980 2900 7ppdd.exe 44 PID 2900 wrote to memory of 1980 2900 7ppdd.exe 44 PID 2900 wrote to memory of 1980 2900 7ppdd.exe 44 PID 2900 wrote to memory of 1980 2900 7ppdd.exe 44 PID 1980 wrote to memory of 1656 1980 dddjp.exe 45 PID 1980 wrote to memory of 1656 1980 dddjp.exe 45 PID 1980 wrote to memory of 1656 1980 dddjp.exe 45 PID 1980 wrote to memory of 1656 1980 dddjp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b37780e51d0f2538f0e513fa7feefbff0f0db3b46d6343f1281f0649c1180166.exe"C:\Users\Admin\AppData\Local\Temp\b37780e51d0f2538f0e513fa7feefbff0f0db3b46d6343f1281f0649c1180166.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\e28226.exec:\e28226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\pjdjv.exec:\pjdjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\640620.exec:\640620.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\hbnhnt.exec:\hbnhnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\dvjpp.exec:\dvjpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\2028002.exec:\2028002.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\7bnhhn.exec:\7bnhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\pjvdd.exec:\pjvdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\hnhtbh.exec:\hnhtbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\hbthnh.exec:\hbthnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\60402.exec:\60402.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\ddvvd.exec:\ddvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\88208.exec:\88208.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\7ppdd.exec:\7ppdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\dddjp.exec:\dddjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\04224.exec:\04224.exe17⤵
- Executes dropped EXE
PID:1656 -
\??\c:\5lffrff.exec:\5lffrff.exe18⤵
- Executes dropped EXE
PID:1644 -
\??\c:\dvdjp.exec:\dvdjp.exe19⤵
- Executes dropped EXE
PID:2348 -
\??\c:\ttnbnt.exec:\ttnbnt.exe20⤵
- Executes dropped EXE
PID:580 -
\??\c:\bbtthh.exec:\bbtthh.exe21⤵
- Executes dropped EXE
PID:1944 -
\??\c:\lflfrlr.exec:\lflfrlr.exe22⤵
- Executes dropped EXE
PID:2300 -
\??\c:\c480686.exec:\c480686.exe23⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vjpvp.exec:\vjpvp.exe24⤵
- Executes dropped EXE
PID:2296 -
\??\c:\djjpv.exec:\djjpv.exe25⤵
- Executes dropped EXE
PID:1940 -
\??\c:\pdvvv.exec:\pdvvv.exe26⤵
- Executes dropped EXE
PID:2232 -
\??\c:\7fxxxxl.exec:\7fxxxxl.exe27⤵
- Executes dropped EXE
PID:2864 -
\??\c:\w62008.exec:\w62008.exe28⤵
- Executes dropped EXE
PID:1340 -
\??\c:\9nhtbb.exec:\9nhtbb.exe29⤵
- Executes dropped EXE
PID:920 -
\??\c:\2080220.exec:\2080220.exe30⤵
- Executes dropped EXE
PID:1056 -
\??\c:\82624.exec:\82624.exe31⤵
- Executes dropped EXE
PID:1676 -
\??\c:\208066.exec:\208066.exe32⤵
- Executes dropped EXE
PID:1028 -
\??\c:\hthhnn.exec:\hthhnn.exe33⤵
- Executes dropped EXE
PID:2468 -
\??\c:\2040284.exec:\2040284.exe34⤵
- Executes dropped EXE
PID:1824 -
\??\c:\5vjdd.exec:\5vjdd.exe35⤵
- Executes dropped EXE
PID:2416 -
\??\c:\s0228.exec:\s0228.exe36⤵
- Executes dropped EXE
PID:2608 -
\??\c:\60880.exec:\60880.exe37⤵
- Executes dropped EXE
PID:2596 -
\??\c:\7lfrflx.exec:\7lfrflx.exe38⤵
- Executes dropped EXE
PID:2136 -
\??\c:\m4666.exec:\m4666.exe39⤵
- Executes dropped EXE
PID:1932 -
\??\c:\htnbhh.exec:\htnbhh.exe40⤵
- Executes dropped EXE
PID:2760 -
\??\c:\jppdj.exec:\jppdj.exe41⤵
- Executes dropped EXE
PID:1712 -
\??\c:\26020.exec:\26020.exe42⤵
- Executes dropped EXE
PID:3068 -
\??\c:\bntttt.exec:\bntttt.exe43⤵
- Executes dropped EXE
PID:2968 -
\??\c:\dvvvv.exec:\dvvvv.exe44⤵
- Executes dropped EXE
PID:2984 -
\??\c:\2228442.exec:\2228442.exe45⤵
- Executes dropped EXE
PID:3060 -
\??\c:\vpvdj.exec:\vpvdj.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
\??\c:\4822446.exec:\4822446.exe47⤵
- Executes dropped EXE
PID:2700 -
\??\c:\jdvvd.exec:\jdvvd.exe48⤵
- Executes dropped EXE
PID:2752 -
\??\c:\tnbntn.exec:\tnbntn.exe49⤵
- Executes dropped EXE
PID:2796 -
\??\c:\1pjjp.exec:\1pjjp.exe50⤵
- Executes dropped EXE
PID:2792 -
\??\c:\pvjjv.exec:\pvjjv.exe51⤵
- Executes dropped EXE
PID:1280 -
\??\c:\bnhbhn.exec:\bnhbhn.exe52⤵
- Executes dropped EXE
PID:2740 -
\??\c:\42002.exec:\42002.exe53⤵
- Executes dropped EXE
PID:2880 -
\??\c:\468804.exec:\468804.exe54⤵
- Executes dropped EXE
PID:2900 -
\??\c:\ddvdp.exec:\ddvdp.exe55⤵
- Executes dropped EXE
PID:1256 -
\??\c:\086284.exec:\086284.exe56⤵
- Executes dropped EXE
PID:1312 -
\??\c:\u806224.exec:\u806224.exe57⤵
- Executes dropped EXE
PID:1564 -
\??\c:\fxrlrxl.exec:\fxrlrxl.exe58⤵
- Executes dropped EXE
PID:376 -
\??\c:\hbbntt.exec:\hbbntt.exe59⤵
- Executes dropped EXE
PID:548 -
\??\c:\w04022.exec:\w04022.exe60⤵
- Executes dropped EXE
PID:280 -
\??\c:\0428440.exec:\0428440.exe61⤵
- Executes dropped EXE
PID:264 -
\??\c:\fxxfrlx.exec:\fxxfrlx.exe62⤵
- Executes dropped EXE
PID:2068 -
\??\c:\486684.exec:\486684.exe63⤵
- Executes dropped EXE
PID:1640 -
\??\c:\204840.exec:\204840.exe64⤵
- Executes dropped EXE
PID:112 -
\??\c:\tnhntb.exec:\tnhntb.exe65⤵
- Executes dropped EXE
PID:1848 -
\??\c:\8628468.exec:\8628468.exe66⤵PID:640
-
\??\c:\rrlrfxl.exec:\rrlrfxl.exe67⤵PID:1940
-
\??\c:\q64066.exec:\q64066.exe68⤵PID:1012
-
\??\c:\1dpjv.exec:\1dpjv.exe69⤵PID:1764
-
\??\c:\2688020.exec:\2688020.exe70⤵PID:540
-
\??\c:\24400.exec:\24400.exe71⤵PID:2872
-
\??\c:\htntbb.exec:\htntbb.exe72⤵PID:1032
-
\??\c:\pvppp.exec:\pvppp.exe73⤵PID:2516
-
\??\c:\jdvvj.exec:\jdvvj.exe74⤵PID:2528
-
\??\c:\jdvjj.exec:\jdvjj.exe75⤵PID:2128
-
\??\c:\jdvvj.exec:\jdvvj.exe76⤵PID:1028
-
\??\c:\jjvpv.exec:\jjvpv.exe77⤵PID:1040
-
\??\c:\rfxffrf.exec:\rfxffrf.exe78⤵PID:1508
-
\??\c:\rlxxfff.exec:\rlxxfff.exe79⤵PID:2588
-
\??\c:\2646280.exec:\2646280.exe80⤵PID:2392
-
\??\c:\26004.exec:\26004.exe81⤵PID:2596
-
\??\c:\hthntn.exec:\hthntn.exe82⤵PID:2500
-
\??\c:\jdvdj.exec:\jdvdj.exe83⤵PID:2464
-
\??\c:\64228.exec:\64228.exe84⤵PID:1708
-
\??\c:\rfrxllr.exec:\rfrxllr.exe85⤵PID:2828
-
\??\c:\hbnhbn.exec:\hbnhbn.exe86⤵PID:2824
-
\??\c:\jdppd.exec:\jdppd.exe87⤵PID:2812
-
\??\c:\3nbbnn.exec:\3nbbnn.exe88⤵PID:2780
-
\??\c:\rlllrfl.exec:\rlllrfl.exe89⤵PID:2984
-
\??\c:\9lffxfr.exec:\9lffxfr.exe90⤵PID:3060
-
\??\c:\thtthn.exec:\thtthn.exe91⤵PID:2676
-
\??\c:\2600284.exec:\2600284.exe92⤵PID:2336
-
\??\c:\pdppp.exec:\pdppp.exe93⤵PID:1904
-
\??\c:\pjjjp.exec:\pjjjp.exe94⤵PID:2972
-
\??\c:\g0884.exec:\g0884.exe95⤵PID:2736
-
\??\c:\648406.exec:\648406.exe96⤵PID:2768
-
\??\c:\xxrfrxl.exec:\xxrfrxl.exe97⤵PID:1692
-
\??\c:\rfrffff.exec:\rfrffff.exe98⤵PID:1964
-
\??\c:\fxrxxrx.exec:\fxrxxrx.exe99⤵PID:2420
-
\??\c:\hbhhtt.exec:\hbhhtt.exe100⤵PID:2424
-
\??\c:\20266.exec:\20266.exe101⤵PID:1160
-
\??\c:\u824662.exec:\u824662.exe102⤵PID:1660
-
\??\c:\260084.exec:\260084.exe103⤵PID:1756
-
\??\c:\c240062.exec:\c240062.exe104⤵PID:2288
-
\??\c:\42062.exec:\42062.exe105⤵PID:584
-
\??\c:\k24840.exec:\k24840.exe106⤵PID:1080
-
\??\c:\vdppv.exec:\vdppv.exe107⤵PID:2124
-
\??\c:\6046280.exec:\6046280.exe108⤵PID:1640
-
\??\c:\c884280.exec:\c884280.exe109⤵PID:112
-
\??\c:\0864446.exec:\0864446.exe110⤵PID:1848
-
\??\c:\5pvjp.exec:\5pvjp.exe111⤵PID:2296
-
\??\c:\7vvdj.exec:\7vvdj.exe112⤵PID:1940
-
\??\c:\rrrrflf.exec:\rrrrflf.exe113⤵PID:1012
-
\??\c:\ntnbtb.exec:\ntnbtb.exe114⤵PID:1328
-
\??\c:\jdjdp.exec:\jdjdp.exe115⤵PID:956
-
\??\c:\xrxlrrr.exec:\xrxlrrr.exe116⤵PID:1340
-
\??\c:\k68246.exec:\k68246.exe117⤵PID:528
-
\??\c:\7xrrxxl.exec:\7xrrxxl.exe118⤵PID:1056
-
\??\c:\dvpdj.exec:\dvpdj.exe119⤵PID:1128
-
\??\c:\thnntt.exec:\thnntt.exe120⤵PID:2148
-
\??\c:\s8064.exec:\s8064.exe121⤵PID:1652
-
\??\c:\82006.exec:\82006.exe122⤵PID:896