Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
11-01-2025 06:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
59541323c8efdb13556f1e6a72e975ff797e15bc65d68f3e923a122da7066978.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
59541323c8efdb13556f1e6a72e975ff797e15bc65d68f3e923a122da7066978.exe
-
Size
454KB
-
MD5
dfd71456e1da3a0359c4d54ddb8f2fd2
-
SHA1
80cb11e46281acac6e1d13c79cf2c27722f84a64
-
SHA256
59541323c8efdb13556f1e6a72e975ff797e15bc65d68f3e923a122da7066978
-
SHA512
4196833c37abe8aa116b9b8e0ec3e284de1615c569bb45dd4db94b63caa041a4566f1effd422ae01d0994160f09352a7339fdc7050b711a8b7602bb1041ef3b0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbets:q7Tc2NYHUrAwfMp3CDts
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2528-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-74-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1788-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-112-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2616-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1392-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/880-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2160-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1336-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/280-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-551-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1256-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-779-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1864-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-865-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-897-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/824-1018-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/756-1075-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1836-1082-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2188-1089-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1952 4480280.exe 2940 xxxffrf.exe 1848 602844.exe 2824 2662446.exe 2788 666866.exe 2648 7dvdj.exe 2420 i264202.exe 1436 5frrxlr.exe 1788 lfllrxl.exe 2636 284868.exe 2616 w42080.exe 1996 88240.exe 2968 httbtb.exe 2972 w64066.exe 2996 5bbnth.exe 1324 fffrxfr.exe 2588 448046.exe 2508 60864.exe 2196 4424260.exe 1352 bbbhnb.exe 1392 6646408.exe 1628 664684.exe 2012 rffrrfl.exe 2412 jdpdj.exe 1720 60468.exe 2568 bbhntt.exe 2208 s6624.exe 2188 9hhtnn.exe 2604 g4464.exe 880 1hbntb.exe 1636 04802.exe 1952 djddp.exe 2780 xlxfllx.exe 2160 hnhthh.exe 2784 hhhttb.exe 1848 222466.exe 2764 nhnnhh.exe 2680 tnhnbh.exe 2704 264044.exe 1992 9ttnhh.exe 1624 442002.exe 1436 06408.exe 2440 08284.exe 2064 60402.exe 1336 1hbnbh.exe 2860 60846.exe 2976 ppdpv.exe 280 1frfxlx.exe 2720 6002008.exe 3024 djjvp.exe 868 4242462.exe 2112 082466.exe 2344 48208.exe 2588 482844.exe 2000 fxrrrxl.exe 1476 60462.exe 832 djpdv.exe 912 bhbnnh.exe 2296 8268686.exe 1628 nnnbnt.exe 1548 jjjvp.exe 2304 486206.exe 1864 42062.exe 2628 rlfxfrr.exe -
resource yara_rule behavioral1/memory/1952-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-291-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2160-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1336-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/280-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-1115-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2332-1176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-1196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/280-1203-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0422840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvdd.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w88402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6484688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2528 wrote to memory of 1952 2528 59541323c8efdb13556f1e6a72e975ff797e15bc65d68f3e923a122da7066978.exe 30 PID 2528 wrote to memory of 1952 2528 59541323c8efdb13556f1e6a72e975ff797e15bc65d68f3e923a122da7066978.exe 30 PID 2528 wrote to memory of 1952 2528 59541323c8efdb13556f1e6a72e975ff797e15bc65d68f3e923a122da7066978.exe 30 PID 2528 wrote to memory of 1952 2528 59541323c8efdb13556f1e6a72e975ff797e15bc65d68f3e923a122da7066978.exe 30 PID 1952 wrote to memory of 2940 1952 4480280.exe 31 PID 1952 wrote to memory of 2940 1952 4480280.exe 31 PID 1952 wrote to memory of 2940 1952 4480280.exe 31 PID 1952 wrote to memory of 2940 1952 4480280.exe 31 PID 2940 wrote to memory of 1848 2940 xxxffrf.exe 32 PID 2940 wrote to memory of 1848 2940 xxxffrf.exe 32 PID 2940 wrote to memory of 1848 2940 xxxffrf.exe 32 PID 2940 wrote to memory of 1848 2940 xxxffrf.exe 32 PID 1848 wrote to memory of 2824 1848 602844.exe 33 PID 1848 wrote to memory of 2824 1848 602844.exe 33 PID 1848 wrote to memory of 2824 1848 602844.exe 33 PID 1848 wrote to memory of 2824 1848 602844.exe 33 PID 2824 wrote to memory of 2788 2824 2662446.exe 34 PID 2824 wrote to memory of 2788 2824 2662446.exe 34 PID 2824 wrote to memory of 2788 2824 2662446.exe 34 PID 2824 wrote to memory of 2788 2824 2662446.exe 34 PID 2788 wrote to memory of 2648 2788 666866.exe 35 PID 2788 wrote to memory of 2648 2788 666866.exe 35 PID 2788 wrote to memory of 2648 2788 666866.exe 35 PID 2788 wrote to memory of 2648 2788 666866.exe 35 PID 2648 wrote to memory of 2420 2648 7dvdj.exe 36 PID 2648 wrote to memory of 2420 2648 7dvdj.exe 36 PID 2648 wrote to memory of 2420 2648 7dvdj.exe 36 PID 2648 wrote to memory of 2420 2648 7dvdj.exe 36 PID 2420 wrote to memory of 1436 2420 i264202.exe 37 PID 2420 wrote to memory of 1436 2420 i264202.exe 37 PID 2420 wrote to memory of 1436 2420 i264202.exe 37 PID 2420 wrote to memory of 1436 2420 i264202.exe 37 PID 1436 wrote to memory of 1788 1436 5frrxlr.exe 38 
PID 1436 wrote to memory of 1788 1436 5frrxlr.exe 38 PID 1436 wrote to memory of 1788 1436 5frrxlr.exe 38 PID 1436 wrote to memory of 1788 1436 5frrxlr.exe 38 PID 1788 wrote to memory of 2636 1788 lfllrxl.exe 39 PID 1788 wrote to memory of 2636 1788 lfllrxl.exe 39 PID 1788 wrote to memory of 2636 1788 lfllrxl.exe 39 PID 1788 wrote to memory of 2636 1788 lfllrxl.exe 39 PID 2636 wrote to memory of 2616 2636 284868.exe 40 PID 2636 wrote to memory of 2616 2636 284868.exe 40 PID 2636 wrote to memory of 2616 2636 284868.exe 40 PID 2636 wrote to memory of 2616 2636 284868.exe 40 PID 2616 wrote to memory of 1996 2616 w42080.exe 41 PID 2616 wrote to memory of 1996 2616 w42080.exe 41 PID 2616 wrote to memory of 1996 2616 w42080.exe 41 PID 2616 wrote to memory of 1996 2616 w42080.exe 41 PID 1996 wrote to memory of 2968 1996 88240.exe 42 PID 1996 wrote to memory of 2968 1996 88240.exe 42 PID 1996 wrote to memory of 2968 1996 88240.exe 42 PID 1996 wrote to memory of 2968 1996 88240.exe 42 PID 2968 wrote to memory of 2972 2968 httbtb.exe 43 PID 2968 wrote to memory of 2972 2968 httbtb.exe 43 PID 2968 wrote to memory of 2972 2968 httbtb.exe 43 PID 2968 wrote to memory of 2972 2968 httbtb.exe 43 PID 2972 wrote to memory of 2996 2972 w64066.exe 44 PID 2972 wrote to memory of 2996 2972 w64066.exe 44 PID 2972 wrote to memory of 2996 2972 w64066.exe 44 PID 2972 wrote to memory of 2996 2972 w64066.exe 44 PID 2996 wrote to memory of 1324 2996 5bbnth.exe 45 PID 2996 wrote to memory of 1324 2996 5bbnth.exe 45 PID 2996 wrote to memory of 1324 2996 5bbnth.exe 45 PID 2996 wrote to memory of 1324 2996 5bbnth.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\59541323c8efdb13556f1e6a72e975ff797e15bc65d68f3e923a122da7066978.exe"C:\Users\Admin\AppData\Local\Temp\59541323c8efdb13556f1e6a72e975ff797e15bc65d68f3e923a122da7066978.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\4480280.exec:\4480280.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\xxxffrf.exec:\xxxffrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\602844.exec:\602844.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\2662446.exec:\2662446.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\666866.exec:\666866.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\7dvdj.exec:\7dvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\i264202.exec:\i264202.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\5frrxlr.exec:\5frrxlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\lfllrxl.exec:\lfllrxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\284868.exec:\284868.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\w42080.exec:\w42080.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\88240.exec:\88240.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\httbtb.exec:\httbtb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\w64066.exec:\w64066.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\5bbnth.exec:\5bbnth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\fffrxfr.exec:\fffrxfr.exe17⤵
- Executes dropped EXE
PID:1324 -
\??\c:\448046.exec:\448046.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2588 -
\??\c:\60864.exec:\60864.exe19⤵
- Executes dropped EXE
PID:2508 -
\??\c:\4424260.exec:\4424260.exe20⤵
- Executes dropped EXE
PID:2196 -
\??\c:\bbbhnb.exec:\bbbhnb.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1352 -
\??\c:\6646408.exec:\6646408.exe22⤵
- Executes dropped EXE
PID:1392 -
\??\c:\664684.exec:\664684.exe23⤵
- Executes dropped EXE
PID:1628 -
\??\c:\rffrrfl.exec:\rffrrfl.exe24⤵
- Executes dropped EXE
PID:2012 -
\??\c:\jdpdj.exec:\jdpdj.exe25⤵
- Executes dropped EXE
PID:2412 -
\??\c:\60468.exec:\60468.exe26⤵
- Executes dropped EXE
PID:1720 -
\??\c:\bbhntt.exec:\bbhntt.exe27⤵
- Executes dropped EXE
PID:2568 -
\??\c:\s6624.exec:\s6624.exe28⤵
- Executes dropped EXE
PID:2208 -
\??\c:\9hhtnn.exec:\9hhtnn.exe29⤵
- Executes dropped EXE
PID:2188 -
\??\c:\g4464.exec:\g4464.exe30⤵
- Executes dropped EXE
PID:2604 -
\??\c:\1hbntb.exec:\1hbntb.exe31⤵
- Executes dropped EXE
PID:880 -
\??\c:\04802.exec:\04802.exe32⤵
- Executes dropped EXE
PID:1636 -
\??\c:\djddp.exec:\djddp.exe33⤵
- Executes dropped EXE
PID:1952 -
\??\c:\xlxfllx.exec:\xlxfllx.exe34⤵
- Executes dropped EXE
PID:2780 -
\??\c:\hnhthh.exec:\hnhthh.exe35⤵
- Executes dropped EXE
PID:2160 -
\??\c:\hhhttb.exec:\hhhttb.exe36⤵
- Executes dropped EXE
PID:2784 -
\??\c:\222466.exec:\222466.exe37⤵
- Executes dropped EXE
PID:1848 -
\??\c:\nhnnhh.exec:\nhnnhh.exe38⤵
- Executes dropped EXE
PID:2764 -
\??\c:\tnhnbh.exec:\tnhnbh.exe39⤵
- Executes dropped EXE
PID:2680 -
\??\c:\264044.exec:\264044.exe40⤵
- Executes dropped EXE
PID:2704 -
\??\c:\9ttnhh.exec:\9ttnhh.exe41⤵
- Executes dropped EXE
PID:1992 -
\??\c:\442002.exec:\442002.exe42⤵
- Executes dropped EXE
PID:1624 -
\??\c:\06408.exec:\06408.exe43⤵
- Executes dropped EXE
PID:1436 -
\??\c:\08284.exec:\08284.exe44⤵
- Executes dropped EXE
PID:2440 -
\??\c:\60402.exec:\60402.exe45⤵
- Executes dropped EXE
PID:2064 -
\??\c:\1hbnbh.exec:\1hbnbh.exe46⤵
- Executes dropped EXE
PID:1336 -
\??\c:\60846.exec:\60846.exe47⤵
- Executes dropped EXE
PID:2860 -
\??\c:\ppdpv.exec:\ppdpv.exe48⤵
- Executes dropped EXE
PID:2976 -
\??\c:\1frfxlx.exec:\1frfxlx.exe49⤵
- Executes dropped EXE
PID:280 -
\??\c:\6002008.exec:\6002008.exe50⤵
- Executes dropped EXE
PID:2720 -
\??\c:\djjvp.exec:\djjvp.exe51⤵
- Executes dropped EXE
PID:3024 -
\??\c:\4242462.exec:\4242462.exe52⤵
- Executes dropped EXE
PID:868 -
\??\c:\082466.exec:\082466.exe53⤵
- Executes dropped EXE
PID:2112 -
\??\c:\48208.exec:\48208.exe54⤵
- Executes dropped EXE
PID:2344 -
\??\c:\482844.exec:\482844.exe55⤵
- Executes dropped EXE
PID:2588 -
\??\c:\fxrrrxl.exec:\fxrrrxl.exe56⤵
- Executes dropped EXE
PID:2000 -
\??\c:\60462.exec:\60462.exe57⤵
- Executes dropped EXE
PID:1476 -
\??\c:\djpdv.exec:\djpdv.exe58⤵
- Executes dropped EXE
PID:832 -
\??\c:\bhbnnh.exec:\bhbnnh.exe59⤵
- Executes dropped EXE
PID:912 -
\??\c:\8268686.exec:\8268686.exe60⤵
- Executes dropped EXE
PID:2296 -
\??\c:\nnnbnt.exec:\nnnbnt.exe61⤵
- Executes dropped EXE
PID:1628 -
\??\c:\jjjvp.exec:\jjjvp.exe62⤵
- Executes dropped EXE
PID:1548 -
\??\c:\486206.exec:\486206.exe63⤵
- Executes dropped EXE
PID:2304 -
\??\c:\42062.exec:\42062.exe64⤵
- Executes dropped EXE
PID:1864 -
\??\c:\rlfxfrr.exec:\rlfxfrr.exe65⤵
- Executes dropped EXE
PID:2628 -
\??\c:\ffxxxxr.exec:\ffxxxxr.exe66⤵PID:756
-
\??\c:\022848.exec:\022848.exe67⤵PID:2552
-
\??\c:\88846.exec:\88846.exe68⤵PID:2736
-
\??\c:\bhbtnt.exec:\bhbtnt.exe69⤵PID:1244
-
\??\c:\xflffrr.exec:\xflffrr.exe70⤵PID:1836
-
\??\c:\nhnhhh.exec:\nhnhhh.exe71⤵PID:1256
-
\??\c:\w64628.exec:\w64628.exe72⤵PID:2212
-
\??\c:\48684.exec:\48684.exe73⤵PID:1636
-
\??\c:\1bbhnb.exec:\1bbhnb.exe74⤵PID:2892
-
\??\c:\266226.exec:\266226.exe75⤵PID:2780
-
\??\c:\66402.exec:\66402.exe76⤵PID:2896
-
\??\c:\2226006.exec:\2226006.exe77⤵PID:2884
-
\??\c:\1ppjv.exec:\1ppjv.exe78⤵PID:3040
-
\??\c:\xrfflrf.exec:\xrfflrf.exe79⤵PID:2988
-
\??\c:\dpvpp.exec:\dpvpp.exe80⤵PID:2788
-
\??\c:\824622.exec:\824622.exe81⤵PID:2696
-
\??\c:\hhnnbb.exec:\hhnnbb.exe82⤵PID:2728
-
\??\c:\jdjpp.exec:\jdjpp.exe83⤵PID:548
-
\??\c:\ppjjj.exec:\ppjjj.exe84⤵PID:1624
-
\??\c:\dvpdp.exec:\dvpdp.exe85⤵PID:556
-
\??\c:\pjvjd.exec:\pjvjd.exe86⤵PID:2440
-
\??\c:\26062.exec:\26062.exe87⤵PID:2064
-
\??\c:\i602402.exec:\i602402.exe88⤵PID:588
-
\??\c:\3dvdv.exec:\3dvdv.exe89⤵PID:2860
-
\??\c:\260246.exec:\260246.exe90⤵PID:2640
-
\??\c:\4046240.exec:\4046240.exe91⤵PID:2072
-
\??\c:\lxrlxxf.exec:\lxrlxxf.exe92⤵PID:1132
-
\??\c:\nhbhtb.exec:\nhbhtb.exe93⤵PID:2016
-
\??\c:\4824846.exec:\4824846.exe94⤵PID:1920
-
\??\c:\64248.exec:\64248.exe95⤵PID:1324
-
\??\c:\thhtnh.exec:\thhtnh.exe96⤵PID:1588
-
\??\c:\jvdvd.exec:\jvdvd.exe97⤵PID:2128
-
\??\c:\ttttht.exec:\ttttht.exe98⤵PID:2456
-
\??\c:\7nbtnn.exec:\7nbtnn.exe99⤵PID:2000
-
\??\c:\w86622.exec:\w86622.exe100⤵PID:1360
-
\??\c:\hhtthn.exec:\hhtthn.exe101⤵PID:2092
-
\??\c:\4262402.exec:\4262402.exe102⤵PID:904
-
\??\c:\24228.exec:\24228.exe103⤵PID:2296
-
\??\c:\0046446.exec:\0046446.exe104⤵PID:1628
-
\??\c:\648028.exec:\648028.exe105⤵PID:1560
-
\??\c:\c484002.exec:\c484002.exe106⤵PID:2304
-
\??\c:\vpjjv.exec:\vpjjv.exe107⤵PID:1864
-
\??\c:\5hbhhh.exec:\5hbhhh.exe108⤵PID:2584
-
\??\c:\m4684.exec:\m4684.exe109⤵PID:1300
-
\??\c:\k80066.exec:\k80066.exe110⤵PID:1252
-
\??\c:\86406.exec:\86406.exe111⤵PID:1756
-
\??\c:\lxlrxxf.exec:\lxlrxxf.exe112⤵PID:2604
-
\??\c:\008802.exec:\008802.exe113⤵PID:2300
-
\??\c:\640420.exec:\640420.exe114⤵PID:1716
-
\??\c:\82006.exec:\82006.exe115⤵PID:1604
-
\??\c:\rrfrfxx.exec:\rrfrfxx.exe116⤵PID:2908
-
\??\c:\hhbhtn.exec:\hhbhtn.exe117⤵PID:1712
-
\??\c:\frlrrfl.exec:\frlrrfl.exe118⤵PID:2160
-
\??\c:\llxfrxl.exec:\llxfrxl.exe119⤵PID:1332
-
\??\c:\4488088.exec:\4488088.exe120⤵PID:2916
-
\??\c:\486806.exec:\486806.exe121⤵PID:1848
-
\??\c:\pjdjv.exec:\pjdjv.exe122⤵PID:2656