Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
18-09-2024 20:48
Behavioral task
behavioral1
Sample
0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe
Resource
win7-20240704-en
windows7-x64
6 signatures
120 seconds
General
-
Target
0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe
-
Size
330KB
-
MD5
4d7bb1480922e2d579b7a494f42c8f70
-
SHA1
96525e3df102ff1822e7fe03d26741b0f58295d8
-
SHA256
0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6
-
SHA512
c8792dcf95f107819f75c923e0221a2a7108f0f337634f2b61b950752e2fb13041325de7d8a3999755580776632b14bdb5397644706f3668f6995157230222c4
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tN:94wFHoStJdSjylh2b77BoTMA9gX59sT1
Malware Config
Signatures
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2736-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2792-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2440-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2868-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2588-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/776-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2588-74-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1100-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1264-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2540-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2020-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/112-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1960-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2468-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1032-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1564-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1644-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1524-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1524-226-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1156-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2416-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2792-307-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2616-315-0x0000000001B50000-0x0000000001B77000-memory.dmp family_blackmoon behavioral1/memory/1668-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2632-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/624-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/768-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2944-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/340-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/336-431-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1948-437-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1952-468-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1764-489-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2140-521-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2296-650-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1152-712-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2524-7962-0x00000000778F0000-0x0000000077A0F000-memory.dmp family_blackmoon behavioral1/memory/2524-13213-0x00000000778F0000-0x0000000077A0F000-memory.dmp family_blackmoon 
behavioral1/memory/2524-17924-0x00000000778F0000-0x0000000077A0F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2792 pjdpv.exe 2440 xxrxf.exe 2868 4802402.exe 2728 2022006.exe 2588 jvpvj.exe 2664 tnntnt.exe 2252 hbhbbb.exe 776 04084.exe 1100 k24444.exe 1264 2688880.exe 2540 42440.exe 2020 vpvdj.exe 2956 8660048.exe 2960 nnhbnh.exe 112 m8460.exe 2820 vjvdd.exe 1960 3bnbhb.exe 3052 htnthn.exe 1268 9rxrrrf.exe 2468 42686.exe 1032 00680.exe 1564 tththn.exe 2124 086240.exe 1644 tbtntt.exe 1676 llffrrf.exe 1096 42840.exe 1524 llxflrx.exe 1600 4480240.exe 948 86442.exe 2668 60620.exe 1084 06622.exe 1256 4446880.exe 1156 hbntbb.exe 2036 208888.exe 2416 0422442.exe 2056 868406.exe 1668 u688880.exe 2840 ffrxflx.exe 2792 0464482.exe 2616 a4808.exe 2628 xfrxrxl.exe 2860 66402.exe 2632 hnhhhn.exe 624 04886.exe 2660 o062840.exe 768 fxllffr.exe 1028 6084062.exe 2944 lrrrrxl.exe 340 086844.exe 2360 8824242.exe 2556 6080280.exe 2540 xrxlxrf.exe 2352 g8224.exe 2928 8688480.exe 2776 2640628.exe 2656 frxrrrx.exe 2900 42224.exe 112 688220.exe 3048 0866228.exe 2648 820688.exe 336 0242882.exe 1948 xrrrlxl.exe 2120 864406.exe 2768 042200.exe -
resource yara_rule behavioral1/memory/2736-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a000000012283-7.dat upx behavioral1/memory/2736-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2792-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d29-14.dat upx behavioral1/files/0x0007000000016d31-22.dat upx behavioral1/memory/2440-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2868-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d3a-31.dat upx behavioral1/memory/2868-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2728-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d4a-40.dat upx behavioral1/memory/2588-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d5e-49.dat upx behavioral1/memory/2664-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d65-58.dat upx behavioral1/memory/2252-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d69-66.dat upx behavioral1/files/0x0008000000016dcb-76.dat upx behavioral1/memory/776-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018701-83.dat upx behavioral1/memory/1100-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001870f-91.dat upx behavioral1/memory/1264-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018712-100.dat upx behavioral1/memory/2540-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018bc8-108.dat upx behavioral1/memory/2020-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0032000000016cdf-116.dat upx behavioral1/files/0x00050000000191dc-123.dat upx behavioral1/files/0x00050000000191f1-133.dat upx 
behavioral1/memory/112-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019244-140.dat upx behavioral1/memory/1960-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001924a-148.dat upx behavioral1/files/0x0005000000019259-157.dat upx behavioral1/files/0x000500000001925d-165.dat upx behavioral1/memory/2468-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019266-174.dat upx behavioral1/memory/1032-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001926b-182.dat upx behavioral1/memory/1564-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019315-191.dat upx behavioral1/files/0x000500000001934d-198.dat upx behavioral1/memory/2124-194-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/1644-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019361-206.dat upx behavioral1/files/0x000500000001936c-214.dat upx behavioral1/files/0x00050000000193d5-221.dat upx behavioral1/memory/1524-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193ee-230.dat upx behavioral1/files/0x000500000001941f-237.dat upx behavioral1/files/0x000500000001942e-244.dat upx behavioral1/files/0x0005000000019439-251.dat upx behavioral1/memory/1256-259-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019444-258.dat upx behavioral1/memory/1156-272-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2416-280-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2056-286-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2616-308-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2616-315-0x0000000001B50000-0x0000000001B77000-memory.dmp upx behavioral1/memory/1668-314-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2628-321-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2860-322-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6644006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k04242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffllxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllrxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2792 2736 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe 30 PID 2736 wrote to memory of 2792 2736 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe 30 PID 2736 wrote to memory of 2792 2736 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe 30 PID 2736 wrote to memory of 2792 2736 0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe 30 PID 2792 wrote to memory of 2440 2792 pjdpv.exe 31 PID 2792 wrote to memory of 2440 2792 pjdpv.exe 31 PID 2792 wrote to memory of 2440 2792 pjdpv.exe 31 PID 2792 wrote to memory of 2440 2792 pjdpv.exe 31 PID 2440 wrote to memory of 2868 2440 xxrxf.exe 32 PID 2440 wrote to memory of 2868 2440 xxrxf.exe 32 PID 2440 wrote to memory of 2868 2440 xxrxf.exe 32 PID 2440 wrote to memory of 2868 2440 xxrxf.exe 32 PID 2868 wrote to memory of 2728 2868 4802402.exe 33 PID 2868 wrote to memory of 2728 2868 4802402.exe 33 PID 2868 wrote to memory of 2728 2868 4802402.exe 33 PID 2868 wrote to memory of 2728 2868 4802402.exe 33 PID 2728 wrote to memory of 2588 2728 2022006.exe 34 PID 2728 wrote to memory of 2588 2728 2022006.exe 34 PID 2728 wrote to memory of 2588 2728 2022006.exe 34 PID 2728 wrote to memory of 2588 2728 2022006.exe 34 PID 2588 wrote to memory of 2664 2588 jvpvj.exe 35 PID 2588 wrote to memory of 2664 2588 jvpvj.exe 35 PID 2588 wrote to memory of 2664 2588 jvpvj.exe 35 PID 2588 wrote to memory of 2664 2588 jvpvj.exe 35 PID 2664 wrote to memory of 2252 2664 tnntnt.exe 36 PID 2664 wrote to memory of 2252 2664 tnntnt.exe 36 PID 2664 wrote to memory of 2252 2664 tnntnt.exe 36 PID 2664 wrote to memory of 2252 2664 tnntnt.exe 36 PID 2252 wrote to memory of 776 2252 hbhbbb.exe 37 PID 2252 wrote to memory of 776 2252 hbhbbb.exe 37 PID 2252 wrote to memory of 776 2252 hbhbbb.exe 37 PID 2252 wrote to memory of 776 2252 hbhbbb.exe 37 PID 776 wrote to memory of 1100 776 04084.exe 38 PID 776 wrote to 
memory of 1100 776 04084.exe 38 PID 776 wrote to memory of 1100 776 04084.exe 38 PID 776 wrote to memory of 1100 776 04084.exe 38 PID 1100 wrote to memory of 1264 1100 k24444.exe 39 PID 1100 wrote to memory of 1264 1100 k24444.exe 39 PID 1100 wrote to memory of 1264 1100 k24444.exe 39 PID 1100 wrote to memory of 1264 1100 k24444.exe 39 PID 1264 wrote to memory of 2540 1264 2688880.exe 40 PID 1264 wrote to memory of 2540 1264 2688880.exe 40 PID 1264 wrote to memory of 2540 1264 2688880.exe 40 PID 1264 wrote to memory of 2540 1264 2688880.exe 40 PID 2540 wrote to memory of 2020 2540 42440.exe 41 PID 2540 wrote to memory of 2020 2540 42440.exe 41 PID 2540 wrote to memory of 2020 2540 42440.exe 41 PID 2540 wrote to memory of 2020 2540 42440.exe 41 PID 2020 wrote to memory of 2956 2020 vpvdj.exe 42 PID 2020 wrote to memory of 2956 2020 vpvdj.exe 42 PID 2020 wrote to memory of 2956 2020 vpvdj.exe 42 PID 2020 wrote to memory of 2956 2020 vpvdj.exe 42 PID 2956 wrote to memory of 2960 2956 8660048.exe 43 PID 2956 wrote to memory of 2960 2956 8660048.exe 43 PID 2956 wrote to memory of 2960 2956 8660048.exe 43 PID 2956 wrote to memory of 2960 2956 8660048.exe 43 PID 2960 wrote to memory of 112 2960 nnhbnh.exe 44 PID 2960 wrote to memory of 112 2960 nnhbnh.exe 44 PID 2960 wrote to memory of 112 2960 nnhbnh.exe 44 PID 2960 wrote to memory of 112 2960 nnhbnh.exe 44 PID 112 wrote to memory of 2820 112 m8460.exe 45 PID 112 wrote to memory of 2820 112 m8460.exe 45 PID 112 wrote to memory of 2820 112 m8460.exe 45 PID 112 wrote to memory of 2820 112 m8460.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe"C:\Users\Admin\AppData\Local\Temp\0ab00df56520add71b1d63ab1b5adaac88c8281c72a542e19c07a7aaa0928cd6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\pjdpv.exec:\pjdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\xxrxf.exec:\xxrxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\4802402.exec:\4802402.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\2022006.exec:\2022006.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\jvpvj.exec:\jvpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\tnntnt.exec:\tnntnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\hbhbbb.exec:\hbhbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\04084.exec:\04084.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\k24444.exec:\k24444.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\2688880.exec:\2688880.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\42440.exec:\42440.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\vpvdj.exec:\vpvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\8660048.exec:\8660048.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\nnhbnh.exec:\nnhbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\m8460.exec:\m8460.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\vjvdd.exec:\vjvdd.exe17⤵
- Executes dropped EXE
PID:2820 -
\??\c:\3bnbhb.exec:\3bnbhb.exe18⤵
- Executes dropped EXE
PID:1960 -
\??\c:\htnthn.exec:\htnthn.exe19⤵
- Executes dropped EXE
PID:3052 -
\??\c:\9rxrrrf.exec:\9rxrrrf.exe20⤵
- Executes dropped EXE
PID:1268 -
\??\c:\42686.exec:\42686.exe21⤵
- Executes dropped EXE
PID:2468 -
\??\c:\00680.exec:\00680.exe22⤵
- Executes dropped EXE
PID:1032 -
\??\c:\tththn.exec:\tththn.exe23⤵
- Executes dropped EXE
PID:1564 -
\??\c:\086240.exec:\086240.exe24⤵
- Executes dropped EXE
PID:2124 -
\??\c:\tbtntt.exec:\tbtntt.exe25⤵
- Executes dropped EXE
PID:1644 -
\??\c:\llffrrf.exec:\llffrrf.exe26⤵
- Executes dropped EXE
PID:1676 -
\??\c:\42840.exec:\42840.exe27⤵
- Executes dropped EXE
PID:1096 -
\??\c:\llxflrx.exec:\llxflrx.exe28⤵
- Executes dropped EXE
PID:1524 -
\??\c:\4480240.exec:\4480240.exe29⤵
- Executes dropped EXE
PID:1600 -
\??\c:\86442.exec:\86442.exe30⤵
- Executes dropped EXE
PID:948 -
\??\c:\60620.exec:\60620.exe31⤵
- Executes dropped EXE
PID:2668 -
\??\c:\06622.exec:\06622.exe32⤵
- Executes dropped EXE
PID:1084 -
\??\c:\4446880.exec:\4446880.exe33⤵
- Executes dropped EXE
PID:1256 -
\??\c:\hbntbb.exec:\hbntbb.exe34⤵
- Executes dropped EXE
PID:1156 -
\??\c:\208888.exec:\208888.exe35⤵
- Executes dropped EXE
PID:2036 -
\??\c:\0422442.exec:\0422442.exe36⤵
- Executes dropped EXE
PID:2416 -
\??\c:\868406.exec:\868406.exe37⤵
- Executes dropped EXE
PID:2056 -
\??\c:\u688880.exec:\u688880.exe38⤵
- Executes dropped EXE
PID:1668 -
\??\c:\ffrxflx.exec:\ffrxflx.exe39⤵
- Executes dropped EXE
PID:2840 -
\??\c:\0464482.exec:\0464482.exe40⤵
- Executes dropped EXE
PID:2792 -
\??\c:\a4808.exec:\a4808.exe41⤵
- Executes dropped EXE
PID:2616 -
\??\c:\xfrxrxl.exec:\xfrxrxl.exe42⤵
- Executes dropped EXE
PID:2628 -
\??\c:\66402.exec:\66402.exe43⤵
- Executes dropped EXE
PID:2860 -
\??\c:\hnhhhn.exec:\hnhhhn.exe44⤵
- Executes dropped EXE
PID:2632 -
\??\c:\04886.exec:\04886.exe45⤵
- Executes dropped EXE
PID:624 -
\??\c:\o062840.exec:\o062840.exe46⤵
- Executes dropped EXE
PID:2660 -
\??\c:\fxllffr.exec:\fxllffr.exe47⤵
- Executes dropped EXE
PID:768 -
\??\c:\6084062.exec:\6084062.exe48⤵
- Executes dropped EXE
PID:1028 -
\??\c:\lrrrrxl.exec:\lrrrrxl.exe49⤵
- Executes dropped EXE
PID:2944 -
\??\c:\086844.exec:\086844.exe50⤵
- Executes dropped EXE
PID:340 -
\??\c:\8824242.exec:\8824242.exe51⤵
- Executes dropped EXE
PID:2360 -
\??\c:\6080280.exec:\6080280.exe52⤵
- Executes dropped EXE
PID:2556 -
\??\c:\xrxlxrf.exec:\xrxlxrf.exe53⤵
- Executes dropped EXE
PID:2540 -
\??\c:\g8224.exec:\g8224.exe54⤵
- Executes dropped EXE
PID:2352 -
\??\c:\8688480.exec:\8688480.exe55⤵
- Executes dropped EXE
PID:2928 -
\??\c:\2640628.exec:\2640628.exe56⤵
- Executes dropped EXE
PID:2776 -
\??\c:\frxrrrx.exec:\frxrrrx.exe57⤵
- Executes dropped EXE
PID:2656 -
\??\c:\42224.exec:\42224.exe58⤵
- Executes dropped EXE
PID:2900 -
\??\c:\688220.exec:\688220.exe59⤵
- Executes dropped EXE
PID:112 -
\??\c:\0866228.exec:\0866228.exe60⤵
- Executes dropped EXE
PID:3048 -
\??\c:\820688.exec:\820688.exe61⤵
- Executes dropped EXE
PID:2648 -
\??\c:\0242882.exec:\0242882.exe62⤵
- Executes dropped EXE
PID:336 -
\??\c:\xrrrlxl.exec:\xrrrlxl.exe63⤵
- Executes dropped EXE
PID:1948 -
\??\c:\864406.exec:\864406.exe64⤵
- Executes dropped EXE
PID:2120 -
\??\c:\042200.exec:\042200.exe65⤵
- Executes dropped EXE
PID:2768 -
\??\c:\60840.exec:\60840.exe66⤵PID:304
-
\??\c:\82668.exec:\82668.exe67⤵PID:2460
-
\??\c:\tnhntb.exec:\tnhntb.exe68⤵PID:2052
-
\??\c:\jjjdp.exec:\jjjdp.exe69⤵PID:1952
-
\??\c:\k04242.exec:\k04242.exe70⤵
- System Location Discovery: System Language Discovery
PID:1188 -
\??\c:\fxxlrrx.exec:\fxxlrrx.exe71⤵PID:2144
-
\??\c:\42422.exec:\42422.exe72⤵PID:1356
-
\??\c:\5pjpd.exec:\5pjpd.exe73⤵PID:1764
-
\??\c:\1bnbbb.exec:\1bnbbb.exe74⤵PID:1372
-
\??\c:\vpddj.exec:\vpddj.exe75⤵PID:2008
-
\??\c:\00846.exec:\00846.exe76⤵PID:904
-
\??\c:\8684002.exec:\8684002.exe77⤵PID:2332
-
\??\c:\6086228.exec:\6086228.exe78⤵PID:860
-
\??\c:\60808.exec:\60808.exe79⤵PID:2140
-
\??\c:\080066.exec:\080066.exe80⤵PID:2420
-
\??\c:\o460628.exec:\o460628.exe81⤵PID:1280
-
\??\c:\hbntth.exec:\hbntth.exe82⤵PID:1720
-
\??\c:\3jddp.exec:\3jddp.exe83⤵PID:828
-
\??\c:\86068.exec:\86068.exe84⤵PID:2476
-
\??\c:\htnbnn.exec:\htnbnn.exe85⤵PID:1304
-
\??\c:\260022.exec:\260022.exe86⤵PID:2788
-
\??\c:\xxlrfrx.exec:\xxlrfrx.exe87⤵PID:3044
-
\??\c:\rrlrlxr.exec:\rrlrlxr.exe88⤵PID:2800
-
\??\c:\hhthnn.exec:\hhthnn.exe89⤵PID:2884
-
\??\c:\5thntt.exec:\5thntt.exe90⤵PID:3028
-
\??\c:\llflxfr.exec:\llflxfr.exe91⤵PID:2704
-
\??\c:\xxllrrr.exec:\xxllrrr.exe92⤵PID:2728
-
\??\c:\26068.exec:\26068.exe93⤵PID:2588
-
\??\c:\o462240.exec:\o462240.exe94⤵PID:2632
-
\??\c:\3vjdd.exec:\3vjdd.exe95⤵PID:1192
-
\??\c:\djvvj.exec:\djvvj.exe96⤵PID:544
-
\??\c:\04802.exec:\04802.exe97⤵PID:580
-
\??\c:\s8624.exec:\s8624.exe98⤵PID:984
-
\??\c:\fxlxlrf.exec:\fxlxlrf.exe99⤵PID:2944
-
\??\c:\o608464.exec:\o608464.exe100⤵PID:2076
-
\??\c:\vpvdd.exec:\vpvdd.exe101⤵PID:856
-
\??\c:\rrflxxf.exec:\rrflxxf.exe102⤵PID:2296
-
\??\c:\5jvvd.exec:\5jvvd.exe103⤵PID:2540
-
\??\c:\hhbbnh.exec:\hhbbnh.exe104⤵PID:2352
-
\??\c:\7tnbht.exec:\7tnbht.exe105⤵PID:3004
-
\??\c:\64266.exec:\64266.exe106⤵PID:2960
-
\??\c:\4800668.exec:\4800668.exe107⤵PID:2904
-
\??\c:\a6806.exec:\a6806.exe108⤵PID:1972
-
\??\c:\dpvvv.exec:\dpvvv.exe109⤵PID:876
-
\??\c:\xflfxrf.exec:\xflfxrf.exe110⤵PID:1896
-
\??\c:\6044668.exec:\6044668.exe111⤵PID:1152
-
\??\c:\460422.exec:\460422.exe112⤵PID:2484
-
\??\c:\xrllxfl.exec:\xrllxfl.exe113⤵PID:1268
-
\??\c:\g6820.exec:\g6820.exe114⤵PID:2468
-
\??\c:\xxlxfxl.exec:\xxlxfxl.exe115⤵PID:2496
-
\??\c:\20044.exec:\20044.exe116⤵PID:840
-
\??\c:\i466846.exec:\i466846.exe117⤵PID:1956
-
\??\c:\m0868.exec:\m0868.exe118⤵PID:2124
-
\??\c:\lllrxlx.exec:\lllrxlx.exe119⤵PID:988
-
\??\c:\hhbhbn.exec:\hhbhbn.exe120⤵PID:1336
-
\??\c:\lxxrrff.exec:\lxxrrff.exe121⤵PID:1676
-
\??\c:\8622442.exec:\8622442.exe122⤵PID:3036
-