Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:09
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe
-
Size
454KB
-
MD5
b36ef2aff69ebe19735d0e6d72f14b77
-
SHA1
ca5e56afbf9cbfeb8ec31fb3d4413e5b4c846985
-
SHA256
b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5
-
SHA512
d5bcb4f49a55f0113698670b3851605de5493cd6f263c625a6fa700782d0c80711ea979fa3eafaa8a3fbff419e5b5d708dfe3517c7efe0f8b1336e0327d850c8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2596-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/940-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/688-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2384-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-360-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2800-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/296-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-820-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1072-1010-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2360-1049-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2548-1116-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2920-1183-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1328 vpjvp.exe 1628 2026224.exe 2384 jvvvv.exe 2848 bthhtt.exe 2804 s8668.exe 2916 4240224.exe 2796 084060.exe 2856 0406224.exe 2480 202848.exe 2668 i862448.exe 2784 rfrrrlr.exe 2436 0844488.exe 1340 m6886.exe 2996 pdvjv.exe 108 086882.exe 1424 bbnthh.exe 3016 7bhbhh.exe 1652 xrllxxf.exe 1740 660284.exe 3032 jvddp.exe 2632 jvpdj.exe 532 9htbtt.exe 2096 w04066.exe 1072 nhtbhh.exe 696 o684046.exe 1508 002688.exe 940 2088668.exe 688 ffxfrrf.exe 968 dvjjp.exe 3004 rxxffxx.exe 336 4862424.exe 2308 s6468.exe 2060 ffrxflx.exe 2408 lrlflfl.exe 2392 042462.exe 2384 086248.exe 2756 66064.exe 1576 o806884.exe 2872 o608020.exe 2548 3rrfrlx.exe 2768 42626.exe 2936 hhhtth.exe 2896 9djpp.exe 2800 0466880.exe 2904 vpjjv.exe 2788 420644.exe 2024 a8662.exe 2508 286400.exe 2980 fxllrfr.exe 1432 64662.exe 624 nhhbht.exe 2840 nbntth.exe 2572 0848084.exe 3016 208868.exe 1988 vvvdp.exe 2884 bntnnn.exe 3052 9nbnbb.exe 3028 vpdpj.exe 468 862248.exe 1372 5xrllll.exe 1276 0828062.exe 840 rffffxf.exe 1224 nbhhbb.exe 832 pdpvj.exe -
resource yara_rule behavioral1/memory/2596-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/940-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-29-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1328-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/492-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-915-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-952-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-977-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-997-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-1023-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2360-1049-0x00000000001C0000-0x00000000001EA000-memory.dmp upx behavioral1/memory/1704-1050-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-1117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-1176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-1203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-1235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-1266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-1274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-1293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-1325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-1328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-1346-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u462806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6686224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6428602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxfrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4284402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvdj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnthn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2596 wrote to memory of 1328 2596 b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe 30 PID 2596 wrote to memory of 1328 2596 b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe 30 PID 2596 wrote to memory of 1328 2596 b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe 30 PID 2596 wrote to memory of 1328 2596 b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe 30 PID 1328 wrote to memory of 1628 1328 vpjvp.exe 31 PID 1328 wrote to memory of 1628 1328 vpjvp.exe 31 PID 1328 wrote to memory of 1628 1328 vpjvp.exe 31 PID 1328 wrote to memory of 1628 1328 vpjvp.exe 31 PID 1628 wrote to memory of 2384 1628 2026224.exe 32 PID 1628 wrote to memory of 2384 1628 2026224.exe 32 PID 1628 wrote to memory of 2384 1628 2026224.exe 32 PID 1628 wrote to memory of 2384 1628 2026224.exe 32 PID 2384 wrote to memory of 2848 2384 jvvvv.exe 33 PID 2384 wrote to memory of 2848 2384 jvvvv.exe 33 PID 2384 wrote to memory of 2848 2384 jvvvv.exe 33 PID 2384 wrote to memory of 2848 2384 jvvvv.exe 33 PID 2848 wrote to memory of 2804 2848 bthhtt.exe 34 PID 2848 wrote to memory of 2804 2848 bthhtt.exe 34 PID 2848 wrote to memory of 2804 2848 bthhtt.exe 34 PID 2848 wrote to memory of 2804 2848 bthhtt.exe 34 PID 2804 wrote to memory of 2916 2804 s8668.exe 35 PID 2804 wrote to memory of 2916 2804 s8668.exe 35 PID 2804 wrote to memory of 2916 2804 s8668.exe 35 PID 2804 wrote to memory of 2916 2804 s8668.exe 35 PID 2916 wrote to memory of 2796 2916 4240224.exe 36 PID 2916 wrote to memory of 2796 2916 4240224.exe 36 PID 2916 wrote to memory of 2796 2916 4240224.exe 36 PID 2916 wrote to memory of 2796 2916 4240224.exe 36 PID 2796 wrote to memory of 2856 2796 084060.exe 37 PID 2796 wrote to memory of 2856 2796 084060.exe 37 PID 2796 wrote to memory of 2856 2796 084060.exe 37 PID 2796 wrote to memory of 2856 2796 084060.exe 37 PID 2856 wrote to memory of 2480 2856 0406224.exe 38 PID 2856 wrote 
to memory of 2480 2856 0406224.exe 38 PID 2856 wrote to memory of 2480 2856 0406224.exe 38 PID 2856 wrote to memory of 2480 2856 0406224.exe 38 PID 2480 wrote to memory of 2668 2480 202848.exe 39 PID 2480 wrote to memory of 2668 2480 202848.exe 39 PID 2480 wrote to memory of 2668 2480 202848.exe 39 PID 2480 wrote to memory of 2668 2480 202848.exe 39 PID 2668 wrote to memory of 2784 2668 i862448.exe 40 PID 2668 wrote to memory of 2784 2668 i862448.exe 40 PID 2668 wrote to memory of 2784 2668 i862448.exe 40 PID 2668 wrote to memory of 2784 2668 i862448.exe 40 PID 2784 wrote to memory of 2436 2784 rfrrrlr.exe 41 PID 2784 wrote to memory of 2436 2784 rfrrrlr.exe 41 PID 2784 wrote to memory of 2436 2784 rfrrrlr.exe 41 PID 2784 wrote to memory of 2436 2784 rfrrrlr.exe 41 PID 2436 wrote to memory of 1340 2436 0844488.exe 42 PID 2436 wrote to memory of 1340 2436 0844488.exe 42 PID 2436 wrote to memory of 1340 2436 0844488.exe 42 PID 2436 wrote to memory of 1340 2436 0844488.exe 42 PID 1340 wrote to memory of 2996 1340 m6886.exe 43 PID 1340 wrote to memory of 2996 1340 m6886.exe 43 PID 1340 wrote to memory of 2996 1340 m6886.exe 43 PID 1340 wrote to memory of 2996 1340 m6886.exe 43 PID 2996 wrote to memory of 108 2996 pdvjv.exe 44 PID 2996 wrote to memory of 108 2996 pdvjv.exe 44 PID 2996 wrote to memory of 108 2996 pdvjv.exe 44 PID 2996 wrote to memory of 108 2996 pdvjv.exe 44 PID 108 wrote to memory of 1424 108 086882.exe 45 PID 108 wrote to memory of 1424 108 086882.exe 45 PID 108 wrote to memory of 1424 108 086882.exe 45 PID 108 wrote to memory of 1424 108 086882.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe"C:\Users\Admin\AppData\Local\Temp\b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\vpjvp.exec:\vpjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\2026224.exec:\2026224.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\jvvvv.exec:\jvvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\bthhtt.exec:\bthhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\s8668.exec:\s8668.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\4240224.exec:\4240224.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\084060.exec:\084060.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\0406224.exec:\0406224.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\202848.exec:\202848.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\i862448.exec:\i862448.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\rfrrrlr.exec:\rfrrrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\0844488.exec:\0844488.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\m6886.exec:\m6886.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\pdvjv.exec:\pdvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\086882.exec:\086882.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:108 -
\??\c:\bbnthh.exec:\bbnthh.exe17⤵
- Executes dropped EXE
PID:1424 -
\??\c:\7bhbhh.exec:\7bhbhh.exe18⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xrllxxf.exec:\xrllxxf.exe19⤵
- Executes dropped EXE
PID:1652 -
\??\c:\660284.exec:\660284.exe20⤵
- Executes dropped EXE
PID:1740 -
\??\c:\jvddp.exec:\jvddp.exe21⤵
- Executes dropped EXE
PID:3032 -
\??\c:\jvpdj.exec:\jvpdj.exe22⤵
- Executes dropped EXE
PID:2632 -
\??\c:\9htbtt.exec:\9htbtt.exe23⤵
- Executes dropped EXE
PID:532 -
\??\c:\w04066.exec:\w04066.exe24⤵
- Executes dropped EXE
PID:2096 -
\??\c:\nhtbhh.exec:\nhtbhh.exe25⤵
- Executes dropped EXE
PID:1072 -
\??\c:\o684046.exec:\o684046.exe26⤵
- Executes dropped EXE
PID:696 -
\??\c:\002688.exec:\002688.exe27⤵
- Executes dropped EXE
PID:1508 -
\??\c:\2088668.exec:\2088668.exe28⤵
- Executes dropped EXE
PID:940 -
\??\c:\ffxfrrf.exec:\ffxfrrf.exe29⤵
- Executes dropped EXE
PID:688 -
\??\c:\dvjjp.exec:\dvjjp.exe30⤵
- Executes dropped EXE
PID:968 -
\??\c:\rxxffxx.exec:\rxxffxx.exe31⤵
- Executes dropped EXE
PID:3004 -
\??\c:\4862424.exec:\4862424.exe32⤵
- Executes dropped EXE
PID:336 -
\??\c:\s6468.exec:\s6468.exe33⤵
- Executes dropped EXE
PID:2308 -
\??\c:\ffrxflx.exec:\ffrxflx.exe34⤵
- Executes dropped EXE
PID:2060 -
\??\c:\lrlflfl.exec:\lrlflfl.exe35⤵
- Executes dropped EXE
PID:2408 -
\??\c:\042462.exec:\042462.exe36⤵
- Executes dropped EXE
PID:2392 -
\??\c:\086248.exec:\086248.exe37⤵
- Executes dropped EXE
PID:2384 -
\??\c:\66064.exec:\66064.exe38⤵
- Executes dropped EXE
PID:2756 -
\??\c:\o806884.exec:\o806884.exe39⤵
- Executes dropped EXE
PID:1576 -
\??\c:\o608020.exec:\o608020.exe40⤵
- Executes dropped EXE
PID:2872 -
\??\c:\3rrfrlx.exec:\3rrfrlx.exe41⤵
- Executes dropped EXE
PID:2548 -
\??\c:\42626.exec:\42626.exe42⤵
- Executes dropped EXE
PID:2768 -
\??\c:\hhhtth.exec:\hhhtth.exe43⤵
- Executes dropped EXE
PID:2936 -
\??\c:\9djpp.exec:\9djpp.exe44⤵
- Executes dropped EXE
PID:2896 -
\??\c:\0466880.exec:\0466880.exe45⤵
- Executes dropped EXE
PID:2800 -
\??\c:\vpjjv.exec:\vpjjv.exe46⤵
- Executes dropped EXE
PID:2904 -
\??\c:\420644.exec:\420644.exe47⤵
- Executes dropped EXE
PID:2788 -
\??\c:\a8662.exec:\a8662.exe48⤵
- Executes dropped EXE
PID:2024 -
\??\c:\286400.exec:\286400.exe49⤵
- Executes dropped EXE
PID:2508 -
\??\c:\fxllrfr.exec:\fxllrfr.exe50⤵
- Executes dropped EXE
PID:2980 -
\??\c:\64662.exec:\64662.exe51⤵
- Executes dropped EXE
PID:1432 -
\??\c:\nhhbht.exec:\nhhbht.exe52⤵
- Executes dropped EXE
PID:624 -
\??\c:\nbntth.exec:\nbntth.exe53⤵
- Executes dropped EXE
PID:2840 -
\??\c:\0848084.exec:\0848084.exe54⤵
- Executes dropped EXE
PID:2572 -
\??\c:\208868.exec:\208868.exe55⤵
- Executes dropped EXE
PID:3016 -
\??\c:\vvvdp.exec:\vvvdp.exe56⤵
- Executes dropped EXE
PID:1988 -
\??\c:\bntnnn.exec:\bntnnn.exe57⤵
- Executes dropped EXE
PID:2884 -
\??\c:\9nbnbb.exec:\9nbnbb.exe58⤵
- Executes dropped EXE
PID:3052 -
\??\c:\vpdpj.exec:\vpdpj.exe59⤵
- Executes dropped EXE
PID:3028 -
\??\c:\862248.exec:\862248.exe60⤵
- Executes dropped EXE
PID:468 -
\??\c:\5xrllll.exec:\5xrllll.exe61⤵
- Executes dropped EXE
PID:1372 -
\??\c:\0828062.exec:\0828062.exe62⤵
- Executes dropped EXE
PID:1276 -
\??\c:\rffffxf.exec:\rffffxf.exe63⤵
- Executes dropped EXE
PID:840 -
\??\c:\nbhhbb.exec:\nbhhbb.exe64⤵
- Executes dropped EXE
PID:1224 -
\??\c:\pdpvj.exec:\pdpvj.exe65⤵
- Executes dropped EXE
PID:832 -
\??\c:\4284488.exec:\4284488.exe66⤵PID:2016
-
\??\c:\o082840.exec:\o082840.exe67⤵PID:2064
-
\??\c:\9btthn.exec:\9btthn.exe68⤵PID:688
-
\??\c:\fxrrxrf.exec:\fxrrxrf.exe69⤵PID:1036
-
\??\c:\86408.exec:\86408.exe70⤵PID:2256
-
\??\c:\vjddj.exec:\vjddj.exe71⤵PID:296
-
\??\c:\rlxxlxf.exec:\rlxxlxf.exe72⤵PID:1296
-
\??\c:\6460004.exec:\6460004.exe73⤵PID:1176
-
\??\c:\26064.exec:\26064.exe74⤵PID:1924
-
\??\c:\208840.exec:\208840.exe75⤵PID:2012
-
\??\c:\nbbhhn.exec:\nbbhhn.exe76⤵PID:492
-
\??\c:\646284.exec:\646284.exe77⤵PID:2384
-
\??\c:\jdjjp.exec:\jdjjp.exe78⤵PID:2052
-
\??\c:\pjddp.exec:\pjddp.exe79⤵PID:2252
-
\??\c:\dvdvv.exec:\dvdvv.exe80⤵PID:1568
-
\??\c:\dvjvp.exec:\dvjvp.exe81⤵PID:2380
-
\??\c:\nnbnbb.exec:\nnbnbb.exe82⤵PID:2456
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe83⤵PID:2808
-
\??\c:\5nhntn.exec:\5nhntn.exe84⤵PID:2560
-
\??\c:\vvppv.exec:\vvppv.exe85⤵PID:2672
-
\??\c:\9rlxfxl.exec:\9rlxfxl.exe86⤵PID:2752
-
\??\c:\tnnbth.exec:\tnnbth.exe87⤵PID:2120
-
\??\c:\xxfxlll.exec:\xxfxlll.exe88⤵PID:1936
-
\??\c:\602866.exec:\602866.exe89⤵PID:2684
-
\??\c:\80040.exec:\80040.exe90⤵PID:2688
-
\??\c:\g6442.exec:\g6442.exe91⤵PID:2512
-
\??\c:\q48468.exec:\q48468.exe92⤵PID:2232
-
\??\c:\m8664.exec:\m8664.exe93⤵PID:2988
-
\??\c:\ffxxllx.exec:\ffxxllx.exe94⤵PID:2972
-
\??\c:\604006.exec:\604006.exe95⤵PID:2880
-
\??\c:\9rxxflx.exec:\9rxxflx.exe96⤵PID:624
-
\??\c:\6084024.exec:\6084024.exe97⤵PID:1912
-
\??\c:\4200246.exec:\4200246.exe98⤵PID:1656
-
\??\c:\60208.exec:\60208.exe99⤵PID:1680
-
\??\c:\666442.exec:\666442.exe100⤵PID:3060
-
\??\c:\646288.exec:\646288.exe101⤵PID:2884
-
\??\c:\jjdjp.exec:\jjdjp.exe102⤵PID:2208
-
\??\c:\rrlrffr.exec:\rrlrffr.exe103⤵
- System Location Discovery: System Language Discovery
PID:2260 -
\??\c:\vpdjd.exec:\vpdjd.exe104⤵PID:2248
-
\??\c:\pvvdv.exec:\pvvdv.exe105⤵PID:532
-
\??\c:\264028.exec:\264028.exe106⤵PID:580
-
\??\c:\pppvj.exec:\pppvj.exe107⤵PID:2040
-
\??\c:\04620.exec:\04620.exe108⤵PID:1124
-
\??\c:\dddpj.exec:\dddpj.exe109⤵PID:2244
-
\??\c:\jvjjv.exec:\jvjjv.exe110⤵PID:1288
-
\??\c:\08668.exec:\08668.exe111⤵PID:2648
-
\??\c:\jjjpd.exec:\jjjpd.exe112⤵PID:2236
-
\??\c:\thbbbb.exec:\thbbbb.exe113⤵PID:1036
-
\??\c:\rlxxllx.exec:\rlxxllx.exe114⤵PID:2472
-
\??\c:\frfrffr.exec:\frfrffr.exe115⤵PID:296
-
\??\c:\82664.exec:\82664.exe116⤵PID:2600
-
\??\c:\llflrxf.exec:\llflrxf.exe117⤵PID:2060
-
\??\c:\042240.exec:\042240.exe118⤵PID:2344
-
\??\c:\htnnbt.exec:\htnnbt.exe119⤵PID:1872
-
\??\c:\7xlrxfl.exec:\7xlrxfl.exe120⤵PID:1644
-
\??\c:\662088.exec:\662088.exe121⤵PID:1792
-
\??\c:\htnttb.exec:\htnttb.exe122⤵PID:2900