Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
23-11-2024 07:24
Behavioral task
behavioral1
Sample
3c0f989edce165dbdb718d5b2a457f224f5fda37ad3be59ecf9a46046421cb07.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
3c0f989edce165dbdb718d5b2a457f224f5fda37ad3be59ecf9a46046421cb07.exe
-
Size
309KB
-
MD5
5d0f4b344eb1af7abbd6b998d937b1b8
-
SHA1
abdde22471bc237cf51c88e364cfe3ceec5525f1
-
SHA256
3c0f989edce165dbdb718d5b2a457f224f5fda37ad3be59ecf9a46046421cb07
-
SHA512
848b1fa60f78eb1ad2285004b2e7ff00c566db498a01c04ca8fba232d7bb4ab5f2fe1db993446d78b1087aa41dea1b6c2d4752369db335e542f78ad354076201
-
SSDEEP
6144:kcm4FmowdHoSphraHcpOFltH4t+IDvSXrh5g8hZVa8Lj:y4wFHoS3eFp3IDvSbh5nPVaWj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2412-0-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2396-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2496-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/320-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2480-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2528-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2880-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-70-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2812-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/316-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1320-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-111-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1992-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2864-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2812-107-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1720-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2280-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1236-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1044-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/692-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1380-237-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1660-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2052-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2060-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2264-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2696-375-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2696-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/932-409-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2864-414-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2024-428-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2392-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1672-457-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2668-498-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/964-505-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/916-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-579-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2448-618-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2960-639-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1788-704-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon 
behavioral1/memory/2088-728-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/848-737-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1804-744-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/548-788-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2000-795-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2524-826-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1496-839-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2848-913-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2516 20822.exe 2396 tntthn.exe 2496 k24060.exe 2480 ddvdp.exe 320 5lxfxff.exe 2984 8200224.exe 2796 ffxrflx.exe 2880 3nnthh.exe 2528 jvdjv.exe 2688 jjdpd.exe 2812 hnhnhn.exe 2864 httnnn.exe 316 60880.exe 1320 5ppvd.exe 1992 hhthtt.exe 2392 86028.exe 1972 pdpdv.exe 1720 rllrxxr.exe 1236 1htbtt.exe 2280 bnbbbn.exe 1044 82662.exe 1136 btnthn.exe 692 86280.exe 1668 2662884.exe 1380 60628.exe 1980 5xrxllx.exe 1660 080628.exe 1780 dvjpd.exe 2896 2082484.exe 2072 lxlffxl.exe 2648 2628402.exe 1512 ffllxrx.exe 2052 86484.exe 2056 lfrxxxf.exe 1620 084022.exe 2396 btbtbn.exe 2060 nbnnhh.exe 2264 rlxlrxl.exe 2828 lxffxfr.exe 2784 8682828.exe 2940 rlxlffr.exe 2796 20802.exe 2696 0882286.exe 2880 frfxxxf.exe 2716 vdpdj.exe 2356 k46622.exe 2868 04246.exe 932 28822.exe 2864 1dpvj.exe 1120 8206446.exe 2024 602846.exe 632 0422880.exe 2392 6480224.exe 1256 9pvjv.exe 1672 4862408.exe 496 664200.exe 1768 c640224.exe 2256 fxfxxfl.exe 2276 7dvdp.exe 3016 4262064.exe 2668 0484024.exe 964 646460.exe 2404 bttbnn.exe 768 pjvdv.exe -
UPX packed file (yara rule `upx` matched on the mapped images and dropped files listed below; the 0x400000-0x427000 image range is the same for every link in the chain)
resource yara_rule behavioral1/memory/2412-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2516-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000b000000012280-7.dat upx behavioral1/memory/2396-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015d0e-17.dat upx behavioral1/files/0x0008000000015d18-25.dat upx behavioral1/memory/2496-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/320-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015d59-45.dat upx behavioral1/memory/2480-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015d41-36.dat upx behavioral1/files/0x0007000000015d79-54.dat upx behavioral1/files/0x0009000000015d81-61.dat upx behavioral1/memory/2796-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000015d89-72.dat upx behavioral1/memory/2528-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016c88-81.dat upx behavioral1/memory/2880-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016cd7-91.dat upx behavioral1/memory/2688-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2812-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016cf5-100.dat upx behavioral1/memory/2688-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d2a-112.dat upx behavioral1/memory/316-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1320-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d43-130.dat upx behavioral1/files/0x0006000000016d3a-121.dat upx behavioral1/memory/1992-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d54-147.dat upx behavioral1/files/0x0006000000016d4b-139.dat upx 
behavioral1/files/0x0006000000016d67-155.dat upx behavioral1/memory/2864-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1720-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000015cd1-171.dat upx behavioral1/files/0x0006000000016d6b-165.dat upx behavioral1/memory/1236-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2280-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d6f-184.dat upx behavioral1/memory/1236-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1044-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d77-192.dat upx behavioral1/memory/692-211-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016de8-210.dat upx behavioral1/files/0x0006000000016d9f-203.dat upx behavioral1/files/0x0006000000016dea-223.dat upx behavioral1/memory/1668-222-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/692-220-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016df3-231.dat upx behavioral1/memory/1380-237-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0006000000016ecf-240.dat upx behavioral1/files/0x0006000000017049-248.dat upx behavioral1/files/0x0006000000017497-257.dat upx behavioral1/memory/1660-256-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001749c-265.dat upx behavioral1/files/0x0005000000018686-281.dat upx behavioral1/files/0x000600000001755b-274.dat upx behavioral1/files/0x00050000000186e7-292.dat upx behavioral1/memory/2052-306-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2056-309-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/1620-320-0x00000000001B0000-0x00000000001D7000-memory.dmp upx behavioral1/memory/2060-334-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2264-341-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2784-349-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). In this run the check is an open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; rows attributed to "Process not Found" are opens by PIDs the sandbox could no longer map to a live process, most likely because that link in the spawn chain had already exited by the time the event was attributed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0024220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrrxrr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0424002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8224628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2246424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486644.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4888024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c420224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (caveat: every entry below is a parent writing into the single child it has just spawned, four writes per child, strictly down the chain; that pattern is consistent with ordinary process creation on Windows 7 rather than injection into an unrelated process, so read it as corroboration of the spawn chain, not as an independent injection finding)
description pid Process procid_target PID 2412 wrote to memory of 2516 2412 3c0f989edce165dbdb718d5b2a457f224f5fda37ad3be59ecf9a46046421cb07.exe 30 PID 2412 wrote to memory of 2516 2412 3c0f989edce165dbdb718d5b2a457f224f5fda37ad3be59ecf9a46046421cb07.exe 30 PID 2412 wrote to memory of 2516 2412 3c0f989edce165dbdb718d5b2a457f224f5fda37ad3be59ecf9a46046421cb07.exe 30 PID 2412 wrote to memory of 2516 2412 3c0f989edce165dbdb718d5b2a457f224f5fda37ad3be59ecf9a46046421cb07.exe 30 PID 2516 wrote to memory of 2396 2516 20822.exe 31 PID 2516 wrote to memory of 2396 2516 20822.exe 31 PID 2516 wrote to memory of 2396 2516 20822.exe 31 PID 2516 wrote to memory of 2396 2516 20822.exe 31 PID 2396 wrote to memory of 2496 2396 tntthn.exe 32 PID 2396 wrote to memory of 2496 2396 tntthn.exe 32 PID 2396 wrote to memory of 2496 2396 tntthn.exe 32 PID 2396 wrote to memory of 2496 2396 tntthn.exe 32 PID 2496 wrote to memory of 2480 2496 k24060.exe 33 PID 2496 wrote to memory of 2480 2496 k24060.exe 33 PID 2496 wrote to memory of 2480 2496 k24060.exe 33 PID 2496 wrote to memory of 2480 2496 k24060.exe 33 PID 2480 wrote to memory of 320 2480 ddvdp.exe 34 PID 2480 wrote to memory of 320 2480 ddvdp.exe 34 PID 2480 wrote to memory of 320 2480 ddvdp.exe 34 PID 2480 wrote to memory of 320 2480 ddvdp.exe 34 PID 320 wrote to memory of 2984 320 5lxfxff.exe 35 PID 320 wrote to memory of 2984 320 5lxfxff.exe 35 PID 320 wrote to memory of 2984 320 5lxfxff.exe 35 PID 320 wrote to memory of 2984 320 5lxfxff.exe 35 PID 2984 wrote to memory of 2796 2984 8200224.exe 36 PID 2984 wrote to memory of 2796 2984 8200224.exe 36 PID 2984 wrote to memory of 2796 2984 8200224.exe 36 PID 2984 wrote to memory of 2796 2984 8200224.exe 36 PID 2796 wrote to memory of 2880 2796 ffxrflx.exe 37 PID 2796 wrote to memory of 2880 2796 ffxrflx.exe 37 PID 2796 wrote to memory of 2880 2796 ffxrflx.exe 37 PID 2796 wrote to memory of 2880 2796 ffxrflx.exe 37 PID 2880 wrote to memory of 2528 2880 3nnthh.exe 38 PID 2880 wrote to 
memory of 2528 2880 3nnthh.exe 38 PID 2880 wrote to memory of 2528 2880 3nnthh.exe 38 PID 2880 wrote to memory of 2528 2880 3nnthh.exe 38 PID 2528 wrote to memory of 2688 2528 jvdjv.exe 39 PID 2528 wrote to memory of 2688 2528 jvdjv.exe 39 PID 2528 wrote to memory of 2688 2528 jvdjv.exe 39 PID 2528 wrote to memory of 2688 2528 jvdjv.exe 39 PID 2688 wrote to memory of 2812 2688 jjdpd.exe 40 PID 2688 wrote to memory of 2812 2688 jjdpd.exe 40 PID 2688 wrote to memory of 2812 2688 jjdpd.exe 40 PID 2688 wrote to memory of 2812 2688 jjdpd.exe 40 PID 2812 wrote to memory of 2864 2812 hnhnhn.exe 41 PID 2812 wrote to memory of 2864 2812 hnhnhn.exe 41 PID 2812 wrote to memory of 2864 2812 hnhnhn.exe 41 PID 2812 wrote to memory of 2864 2812 hnhnhn.exe 41 PID 2864 wrote to memory of 316 2864 httnnn.exe 42 PID 2864 wrote to memory of 316 2864 httnnn.exe 42 PID 2864 wrote to memory of 316 2864 httnnn.exe 42 PID 2864 wrote to memory of 316 2864 httnnn.exe 42 PID 316 wrote to memory of 1320 316 60880.exe 43 PID 316 wrote to memory of 1320 316 60880.exe 43 PID 316 wrote to memory of 1320 316 60880.exe 43 PID 316 wrote to memory of 1320 316 60880.exe 43 PID 1320 wrote to memory of 1992 1320 5ppvd.exe 44 PID 1320 wrote to memory of 1992 1320 5ppvd.exe 44 PID 1320 wrote to memory of 1992 1320 5ppvd.exe 44 PID 1320 wrote to memory of 1992 1320 5ppvd.exe 44 PID 1992 wrote to memory of 2392 1992 hhthtt.exe 45 PID 1992 wrote to memory of 2392 1992 hhthtt.exe 45 PID 1992 wrote to memory of 2392 1992 hhthtt.exe 45 PID 1992 wrote to memory of 2392 1992 hhthtt.exe 45
Processes (each dropped EXE is written to and run from the drive root, c:\, and spawns the next link; PIDs such as 2396 and 2796 reappear deeper in the tree, which indicates earlier links exit after spawning their child and the OS reuses their PIDs)
-
C:\Users\Admin\AppData\Local\Temp\3c0f989edce165dbdb718d5b2a457f224f5fda37ad3be59ecf9a46046421cb07.exe"C:\Users\Admin\AppData\Local\Temp\3c0f989edce165dbdb718d5b2a457f224f5fda37ad3be59ecf9a46046421cb07.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\20822.exec:\20822.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\tntthn.exec:\tntthn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\k24060.exec:\k24060.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\ddvdp.exec:\ddvdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\5lxfxff.exec:\5lxfxff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\8200224.exec:\8200224.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\ffxrflx.exec:\ffxrflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\3nnthh.exec:\3nnthh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\jvdjv.exec:\jvdjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\jjdpd.exec:\jjdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\hnhnhn.exec:\hnhnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\httnnn.exec:\httnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\60880.exec:\60880.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\5ppvd.exec:\5ppvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\hhthtt.exec:\hhthtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\86028.exec:\86028.exe17⤵
- Executes dropped EXE
PID:2392 -
\??\c:\pdpdv.exec:\pdpdv.exe18⤵
- Executes dropped EXE
PID:1972 -
\??\c:\rllrxxr.exec:\rllrxxr.exe19⤵
- Executes dropped EXE
PID:1720 -
\??\c:\1htbtt.exec:\1htbtt.exe20⤵
- Executes dropped EXE
PID:1236 -
\??\c:\bnbbbn.exec:\bnbbbn.exe21⤵
- Executes dropped EXE
PID:2280 -
\??\c:\82662.exec:\82662.exe22⤵
- Executes dropped EXE
PID:1044 -
\??\c:\btnthn.exec:\btnthn.exe23⤵
- Executes dropped EXE
PID:1136 -
\??\c:\86280.exec:\86280.exe24⤵
- Executes dropped EXE
PID:692 -
\??\c:\2662884.exec:\2662884.exe25⤵
- Executes dropped EXE
PID:1668 -
\??\c:\60628.exec:\60628.exe26⤵
- Executes dropped EXE
PID:1380 -
\??\c:\5xrxllx.exec:\5xrxllx.exe27⤵
- Executes dropped EXE
PID:1980 -
\??\c:\080628.exec:\080628.exe28⤵
- Executes dropped EXE
PID:1660 -
\??\c:\dvjpd.exec:\dvjpd.exe29⤵
- Executes dropped EXE
PID:1780 -
\??\c:\2082484.exec:\2082484.exe30⤵
- Executes dropped EXE
PID:2896 -
\??\c:\lxlffxl.exec:\lxlffxl.exe31⤵
- Executes dropped EXE
PID:2072 -
\??\c:\2628402.exec:\2628402.exe32⤵
- Executes dropped EXE
PID:2648 -
\??\c:\ffllxrx.exec:\ffllxrx.exe33⤵
- Executes dropped EXE
PID:1512 -
\??\c:\86484.exec:\86484.exe34⤵
- Executes dropped EXE
PID:2052 -
\??\c:\lfrxxxf.exec:\lfrxxxf.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2056 -
\??\c:\084022.exec:\084022.exe36⤵
- Executes dropped EXE
PID:1620 -
\??\c:\btbtbn.exec:\btbtbn.exe37⤵
- Executes dropped EXE
PID:2396 -
\??\c:\nbnnhh.exec:\nbnnhh.exe38⤵
- Executes dropped EXE
PID:2060 -
\??\c:\rlxlrxl.exec:\rlxlrxl.exe39⤵
- Executes dropped EXE
PID:2264 -
\??\c:\lxffxfr.exec:\lxffxfr.exe40⤵
- Executes dropped EXE
PID:2828 -
\??\c:\8682828.exec:\8682828.exe41⤵
- Executes dropped EXE
PID:2784 -
\??\c:\rlxlffr.exec:\rlxlffr.exe42⤵
- Executes dropped EXE
PID:2940 -
\??\c:\20802.exec:\20802.exe43⤵
- Executes dropped EXE
PID:2796 -
\??\c:\0882286.exec:\0882286.exe44⤵
- Executes dropped EXE
PID:2696 -
\??\c:\frfxxxf.exec:\frfxxxf.exe45⤵
- Executes dropped EXE
PID:2880 -
\??\c:\vdpdj.exec:\vdpdj.exe46⤵
- Executes dropped EXE
PID:2716 -
\??\c:\k46622.exec:\k46622.exe47⤵
- Executes dropped EXE
PID:2356 -
\??\c:\04246.exec:\04246.exe48⤵
- Executes dropped EXE
PID:2868 -
\??\c:\28822.exec:\28822.exe49⤵
- Executes dropped EXE
PID:932 -
\??\c:\1dpvj.exec:\1dpvj.exe50⤵
- Executes dropped EXE
PID:2864 -
\??\c:\8206446.exec:\8206446.exe51⤵
- Executes dropped EXE
PID:1120 -
\??\c:\602846.exec:\602846.exe52⤵
- Executes dropped EXE
PID:2024 -
\??\c:\0422880.exec:\0422880.exe53⤵
- Executes dropped EXE
PID:632 -
\??\c:\6480224.exec:\6480224.exe54⤵
- Executes dropped EXE
PID:2392 -
\??\c:\9pvjv.exec:\9pvjv.exe55⤵
- Executes dropped EXE
PID:1256 -
\??\c:\4862408.exec:\4862408.exe56⤵
- Executes dropped EXE
PID:1672 -
\??\c:\664200.exec:\664200.exe57⤵
- Executes dropped EXE
PID:496 -
\??\c:\c640224.exec:\c640224.exe58⤵
- Executes dropped EXE
PID:1768 -
\??\c:\fxfxxfl.exec:\fxfxxfl.exe59⤵
- Executes dropped EXE
PID:2256 -
\??\c:\7dvdp.exec:\7dvdp.exe60⤵
- Executes dropped EXE
PID:2276 -
\??\c:\4262064.exec:\4262064.exe61⤵
- Executes dropped EXE
PID:3016 -
\??\c:\0484024.exec:\0484024.exe62⤵
- Executes dropped EXE
PID:2668 -
\??\c:\646460.exec:\646460.exe63⤵
- Executes dropped EXE
PID:964 -
\??\c:\bttbnn.exec:\bttbnn.exe64⤵
- Executes dropped EXE
PID:2404 -
\??\c:\pjvdv.exec:\pjvdv.exe65⤵
- Executes dropped EXE
PID:768 -
\??\c:\q26206.exec:\q26206.exe66⤵PID:1052
-
\??\c:\hbnntb.exec:\hbnntb.exe67⤵PID:884
-
\??\c:\hbtbtt.exec:\hbtbtt.exe68⤵PID:1776
-
\??\c:\a6002.exec:\a6002.exe69⤵PID:1552
-
\??\c:\9vpdp.exec:\9vpdp.exe70⤵PID:2524
-
\??\c:\o488042.exec:\o488042.exe71⤵PID:2452
-
\??\c:\3httbh.exec:\3httbh.exe72⤵PID:2188
-
\??\c:\604280.exec:\604280.exe73⤵PID:2620
-
\??\c:\5pdpj.exec:\5pdpj.exe74⤵PID:916
-
\??\c:\4682228.exec:\4682228.exe75⤵PID:2628
-
\??\c:\vvdpv.exec:\vvdpv.exe76⤵PID:2228
-
\??\c:\820240.exec:\820240.exe77⤵PID:2052
-
\??\c:\42080.exec:\42080.exe78⤵PID:2156
-
\??\c:\btnnbh.exec:\btnnbh.exe79⤵PID:1620
-
\??\c:\264028.exec:\264028.exe80⤵PID:2448
-
\??\c:\3nnttb.exec:\3nnttb.exe81⤵PID:580
-
\??\c:\7dvdp.exec:\7dvdp.exe82⤵PID:2980
-
\??\c:\llxlrfr.exec:\llxlrfr.exe83⤵PID:2960
-
\??\c:\26028.exec:\26028.exe84⤵PID:2308
-
\??\c:\64846.exec:\64846.exe85⤵PID:2956
-
\??\c:\42066.exec:\42066.exe86⤵PID:2696
-
\??\c:\bthhnt.exec:\bthhnt.exe87⤵PID:2880
-
\??\c:\5bnbtn.exec:\5bnbtn.exe88⤵PID:2704
-
\??\c:\4806840.exec:\4806840.exe89⤵PID:2748
-
\??\c:\a2068.exec:\a2068.exe90⤵PID:1788
-
\??\c:\g4628.exec:\g4628.exe91⤵PID:2440
-
\??\c:\2224668.exec:\2224668.exe92⤵PID:1736
-
\??\c:\tnttbh.exec:\tnttbh.exe93⤵PID:1664
-
\??\c:\m2066.exec:\m2066.exe94⤵PID:2020
-
\??\c:\ffxfrfl.exec:\ffxfrfl.exe95⤵PID:2080
-
\??\c:\04624.exec:\04624.exe96⤵PID:2384
-
\??\c:\48640.exec:\48640.exe97⤵PID:2088
-
\??\c:\5xrxrrr.exec:\5xrxrrr.exe98⤵PID:848
-
\??\c:\044022.exec:\044022.exe99⤵PID:1804
-
\??\c:\ppjjv.exec:\ppjjv.exe100⤵PID:1568
-
\??\c:\u606824.exec:\u606824.exe101⤵PID:3020
-
\??\c:\ddpvj.exec:\ddpvj.exe102⤵PID:2924
-
\??\c:\9pdjj.exec:\9pdjj.exe103⤵PID:1192
-
\??\c:\lxxfllr.exec:\lxxfllr.exe104⤵PID:2248
-
\??\c:\rxfffxf.exec:\rxfffxf.exe105⤵PID:1628
-
\??\c:\m4628.exec:\m4628.exe106⤵PID:548
-
\??\c:\nnbtht.exec:\nnbtht.exe107⤵PID:2000
-
\??\c:\lxfflrf.exec:\lxfflrf.exe108⤵PID:344
-
\??\c:\jjdjv.exec:\jjdjv.exe109⤵PID:1652
-
\??\c:\hbntnn.exec:\hbntnn.exe110⤵PID:612
-
\??\c:\0422842.exec:\0422842.exe111⤵PID:1776
-
\??\c:\w84682.exec:\w84682.exe112⤵PID:1552
-
\??\c:\lfxrrlf.exec:\lfxrrlf.exe113⤵PID:2524
-
\??\c:\6046846.exec:\6046846.exe114⤵PID:1496
-
\??\c:\hbtbtb.exec:\hbtbtb.exe115⤵PID:352
-
\??\c:\3tbhnh.exec:\3tbhnh.exe116⤵PID:2648
-
\??\c:\btnbtn.exec:\btnbtn.exe117⤵PID:1268
-
\??\c:\k42022.exec:\k42022.exe118⤵PID:2628
-
\??\c:\7hbhhn.exec:\7hbhhn.exe119⤵PID:1536
-
\??\c:\824628.exec:\824628.exe120⤵PID:1488
-
\??\c:\8202080.exec:\8202080.exe121⤵PID:2092
-
\??\c:\7pppd.exec:\7pppd.exe122⤵PID:2396
-