Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
17-12-2024 12:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cec11c9b5350c3e62c4716f36a8a5f6a8774ad444e230e8544fee5daf8687b31.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
cec11c9b5350c3e62c4716f36a8a5f6a8774ad444e230e8544fee5daf8687b31.exe
-
Size
456KB
-
MD5
669a7fdaa663bd2910b413ebf632dcac
-
SHA1
92a9441d6ee37b2d30be1fde113328ecdce1c1b6
-
SHA256
cec11c9b5350c3e62c4716f36a8a5f6a8774ad444e230e8544fee5daf8687b31
-
SHA512
7a0705aef5ef878cd5f581cff54d1f041686eb944ab075a4922fee166907126ab0d9a499a35a31935b29669fd64d00a9a9583e451c6b8bb93b07443cf7150e9b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRW:q7Tc2NYHUrAwfMp3CDRW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/1308-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/944-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-60-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2712-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1456-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1224-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-293-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2852-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-407-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2472-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-429-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/432-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-450-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2248-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-822-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1580-871-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2976-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-937-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-1190-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2176-1228-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2996-1231-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2972-1241-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2880 3ntttb.exe 944 3vppp.exe 2860 9pddj.exe 3060 jjjjp.exe 2776 vppjv.exe 3024 djpvj.exe 2712 1htnnn.exe 2708 ppvdp.exe 1688 3htnhh.exe 1324 fxxffxl.exe 832 btbntn.exe 2424 fflffff.exe 772 bthnbh.exe 3020 pjpvv.exe 2972 5hnntt.exe 2184 llxxfll.exe 1080 bnbbnh.exe 1456 vvpdp.exe 1540 5lxrxxf.exe 2484 pppvd.exe 1952 nbhbhb.exe 2536 vvjpv.exe 2208 nntthn.exe 1972 jjppp.exe 1764 1hhnhh.exe 536 pdjjp.exe 1224 tnnnnn.exe 2428 ppvdd.exe 2548 9tnntt.exe 1628 3jdjd.exe 544 tnnnnn.exe 2564 htttbh.exe 2992 9frrrrx.exe 1576 9bttht.exe 2804 djvvj.exe 2964 5flrxrr.exe 2852 ffllllr.exe 2664 3tntbb.exe 2968 vvjjp.exe 2884 fllrrxf.exe 2824 lfxrxfx.exe 2672 hnbbnt.exe 2368 jjpvv.exe 2724 1frflfl.exe 1656 llxxffl.exe 2928 3tttbh.exe 2108 jjpvd.exe 2056 rrxxlrr.exe 1740 bbhbhn.exe 1408 tbttnt.exe 2896 dpddd.exe 2316 flrrrrr.exe 2472 rffflff.exe 2908 ttbhhh.exe 1436 jjvvp.exe 2100 rrxxlrr.exe 432 bhnttt.exe 2300 hhntnn.exe 2444 vvjjv.exe 2284 xfrrrrx.exe 2248 rrxfflx.exe 2180 9hnntt.exe 2460 ddjdj.exe 1620 5flfrrr.exe -
resource yara_rule behavioral1/memory/1308-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-294-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2852-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-407-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2472-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/432-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-763-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2448-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-1151-0x0000000000250000-0x000000000027A000-memory.dmp upx 
behavioral1/memory/2996-1231-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. The NLS\Language key is also read by legitimate locale-aware software, so treat this as corroborating evidence alongside the other signatures rather than as a standalone indicator.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrfxfl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5htthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1308 wrote to memory of 2880 1308 cec11c9b5350c3e62c4716f36a8a5f6a8774ad444e230e8544fee5daf8687b31.exe 29 PID 1308 wrote to memory of 2880 1308 cec11c9b5350c3e62c4716f36a8a5f6a8774ad444e230e8544fee5daf8687b31.exe 29 PID 1308 wrote to memory of 2880 1308 cec11c9b5350c3e62c4716f36a8a5f6a8774ad444e230e8544fee5daf8687b31.exe 29 PID 1308 wrote to memory of 2880 1308 cec11c9b5350c3e62c4716f36a8a5f6a8774ad444e230e8544fee5daf8687b31.exe 29 PID 2880 wrote to memory of 944 2880 3ntttb.exe 30 PID 2880 wrote to memory of 944 2880 3ntttb.exe 30 PID 2880 wrote to memory of 944 2880 3ntttb.exe 30 PID 2880 wrote to memory of 944 2880 3ntttb.exe 30 PID 944 wrote to memory of 2860 944 3vppp.exe 31 PID 944 wrote to memory of 2860 944 3vppp.exe 31 PID 944 wrote to memory of 2860 944 3vppp.exe 31 PID 944 wrote to memory of 2860 944 3vppp.exe 31 PID 2860 wrote to memory of 3060 2860 9pddj.exe 32 PID 2860 wrote to memory of 3060 2860 9pddj.exe 32 PID 2860 wrote to memory of 3060 2860 9pddj.exe 32 PID 2860 wrote to memory of 3060 2860 9pddj.exe 32 PID 3060 wrote to memory of 2776 3060 jjjjp.exe 33 PID 3060 wrote to memory of 2776 3060 jjjjp.exe 33 PID 3060 wrote to memory of 2776 3060 jjjjp.exe 33 PID 3060 wrote to memory of 2776 3060 jjjjp.exe 33 PID 2776 wrote to memory of 3024 2776 vppjv.exe 34 PID 2776 wrote to memory of 3024 2776 vppjv.exe 34 PID 2776 wrote to memory of 3024 2776 vppjv.exe 34 PID 2776 wrote to memory of 3024 2776 vppjv.exe 34 PID 3024 wrote to memory of 2712 3024 djpvj.exe 35 PID 3024 wrote to memory of 2712 3024 djpvj.exe 35 PID 3024 wrote to memory of 2712 3024 djpvj.exe 35 PID 3024 wrote to memory of 2712 3024 djpvj.exe 35 PID 2712 wrote to memory of 2708 2712 1htnnn.exe 36 PID 2712 wrote to memory of 2708 2712 1htnnn.exe 36 PID 2712 wrote to memory of 2708 2712 1htnnn.exe 36 PID 2712 wrote to memory of 2708 2712 1htnnn.exe 36 PID 2708 wrote to memory of 1688 2708 ppvdp.exe 37 PID 2708 wrote to memory of 1688 2708 
ppvdp.exe 37 PID 2708 wrote to memory of 1688 2708 ppvdp.exe 37 PID 2708 wrote to memory of 1688 2708 ppvdp.exe 37 PID 1688 wrote to memory of 1324 1688 3htnhh.exe 38 PID 1688 wrote to memory of 1324 1688 3htnhh.exe 38 PID 1688 wrote to memory of 1324 1688 3htnhh.exe 38 PID 1688 wrote to memory of 1324 1688 3htnhh.exe 38 PID 1324 wrote to memory of 832 1324 fxxffxl.exe 39 PID 1324 wrote to memory of 832 1324 fxxffxl.exe 39 PID 1324 wrote to memory of 832 1324 fxxffxl.exe 39 PID 1324 wrote to memory of 832 1324 fxxffxl.exe 39 PID 832 wrote to memory of 2424 832 btbntn.exe 40 PID 832 wrote to memory of 2424 832 btbntn.exe 40 PID 832 wrote to memory of 2424 832 btbntn.exe 40 PID 832 wrote to memory of 2424 832 btbntn.exe 40 PID 2424 wrote to memory of 772 2424 fflffff.exe 41 PID 2424 wrote to memory of 772 2424 fflffff.exe 41 PID 2424 wrote to memory of 772 2424 fflffff.exe 41 PID 2424 wrote to memory of 772 2424 fflffff.exe 41 PID 772 wrote to memory of 3020 772 bthnbh.exe 42 PID 772 wrote to memory of 3020 772 bthnbh.exe 42 PID 772 wrote to memory of 3020 772 bthnbh.exe 42 PID 772 wrote to memory of 3020 772 bthnbh.exe 42 PID 3020 wrote to memory of 2972 3020 pjpvv.exe 43 PID 3020 wrote to memory of 2972 3020 pjpvv.exe 43 PID 3020 wrote to memory of 2972 3020 pjpvv.exe 43 PID 3020 wrote to memory of 2972 3020 pjpvv.exe 43 PID 2972 wrote to memory of 2184 2972 5hnntt.exe 44 PID 2972 wrote to memory of 2184 2972 5hnntt.exe 44 PID 2972 wrote to memory of 2184 2972 5hnntt.exe 44 PID 2972 wrote to memory of 2184 2972 5hnntt.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\cec11c9b5350c3e62c4716f36a8a5f6a8774ad444e230e8544fee5daf8687b31.exe"C:\Users\Admin\AppData\Local\Temp\cec11c9b5350c3e62c4716f36a8a5f6a8774ad444e230e8544fee5daf8687b31.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\3ntttb.exec:\3ntttb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\3vppp.exec:\3vppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\9pddj.exec:\9pddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\jjjjp.exec:\jjjjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\vppjv.exec:\vppjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\djpvj.exec:\djpvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\1htnnn.exec:\1htnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\ppvdp.exec:\ppvdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\3htnhh.exec:\3htnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\fxxffxl.exec:\fxxffxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\btbntn.exec:\btbntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\fflffff.exec:\fflffff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\bthnbh.exec:\bthnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\pjpvv.exec:\pjpvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\5hnntt.exec:\5hnntt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\llxxfll.exec:\llxxfll.exe17⤵
- Executes dropped EXE
PID:2184 -
\??\c:\bnbbnh.exec:\bnbbnh.exe18⤵
- Executes dropped EXE
PID:1080 -
\??\c:\vvpdp.exec:\vvpdp.exe19⤵
- Executes dropped EXE
PID:1456 -
\??\c:\5lxrxxf.exec:\5lxrxxf.exe20⤵
- Executes dropped EXE
PID:1540 -
\??\c:\pppvd.exec:\pppvd.exe21⤵
- Executes dropped EXE
PID:2484 -
\??\c:\nbhbhb.exec:\nbhbhb.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1952 -
\??\c:\vvjpv.exec:\vvjpv.exe23⤵
- Executes dropped EXE
PID:2536 -
\??\c:\nntthn.exec:\nntthn.exe24⤵
- Executes dropped EXE
PID:2208 -
\??\c:\jjppp.exec:\jjppp.exe25⤵
- Executes dropped EXE
PID:1972 -
\??\c:\1hhnhh.exec:\1hhnhh.exe26⤵
- Executes dropped EXE
PID:1764 -
\??\c:\pdjjp.exec:\pdjjp.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\tnnnnn.exec:\tnnnnn.exe28⤵
- Executes dropped EXE
PID:1224 -
\??\c:\ppvdd.exec:\ppvdd.exe29⤵
- Executes dropped EXE
PID:2428 -
\??\c:\9tnntt.exec:\9tnntt.exe30⤵
- Executes dropped EXE
PID:2548 -
\??\c:\3jdjd.exec:\3jdjd.exe31⤵
- Executes dropped EXE
PID:1628 -
\??\c:\tnnnnn.exec:\tnnnnn.exe32⤵
- Executes dropped EXE
PID:544 -
\??\c:\htttbh.exec:\htttbh.exe33⤵
- Executes dropped EXE
PID:2564 -
\??\c:\9frrrrx.exec:\9frrrrx.exe34⤵
- Executes dropped EXE
PID:2992 -
\??\c:\9bttht.exec:\9bttht.exe35⤵
- Executes dropped EXE
PID:1576 -
\??\c:\djvvj.exec:\djvvj.exe36⤵
- Executes dropped EXE
PID:2804 -
\??\c:\5flrxrr.exec:\5flrxrr.exe37⤵
- Executes dropped EXE
PID:2964 -
\??\c:\ffllllr.exec:\ffllllr.exe38⤵
- Executes dropped EXE
PID:2852 -
\??\c:\3tntbb.exec:\3tntbb.exe39⤵
- Executes dropped EXE
PID:2664 -
\??\c:\vvjjp.exec:\vvjjp.exe40⤵
- Executes dropped EXE
PID:2968 -
\??\c:\fllrrxf.exec:\fllrrxf.exe41⤵
- Executes dropped EXE
PID:2884 -
\??\c:\lfxrxfx.exec:\lfxrxfx.exe42⤵
- Executes dropped EXE
PID:2824 -
\??\c:\hnbbnt.exec:\hnbbnt.exe43⤵
- Executes dropped EXE
PID:2672 -
\??\c:\jjpvv.exec:\jjpvv.exe44⤵
- Executes dropped EXE
PID:2368 -
\??\c:\1frflfl.exec:\1frflfl.exe45⤵
- Executes dropped EXE
PID:2724 -
\??\c:\llxxffl.exec:\llxxffl.exe46⤵
- Executes dropped EXE
PID:1656 -
\??\c:\3tttbh.exec:\3tttbh.exe47⤵
- Executes dropped EXE
PID:2928 -
\??\c:\jjpvd.exec:\jjpvd.exe48⤵
- Executes dropped EXE
PID:2108 -
\??\c:\rrxxlrr.exec:\rrxxlrr.exe49⤵
- Executes dropped EXE
PID:2056 -
\??\c:\bbhbhn.exec:\bbhbhn.exe50⤵
- Executes dropped EXE
PID:1740 -
\??\c:\tbttnt.exec:\tbttnt.exe51⤵
- Executes dropped EXE
PID:1408 -
\??\c:\dpddd.exec:\dpddd.exe52⤵
- Executes dropped EXE
PID:2896 -
\??\c:\flrrrrr.exec:\flrrrrr.exe53⤵
- Executes dropped EXE
PID:2316 -
\??\c:\rffflff.exec:\rffflff.exe54⤵
- Executes dropped EXE
PID:2472 -
\??\c:\ttbhhh.exec:\ttbhhh.exe55⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jjvvp.exec:\jjvvp.exe56⤵
- Executes dropped EXE
PID:1436 -
\??\c:\rrxxlrr.exec:\rrxxlrr.exe57⤵
- Executes dropped EXE
PID:2100 -
\??\c:\bhnttt.exec:\bhnttt.exe58⤵
- Executes dropped EXE
PID:432 -
\??\c:\hhntnn.exec:\hhntnn.exe59⤵
- Executes dropped EXE
PID:2300 -
\??\c:\vvjjv.exec:\vvjjv.exe60⤵
- Executes dropped EXE
PID:2444 -
\??\c:\xfrrrrx.exec:\xfrrrrx.exe61⤵
- Executes dropped EXE
PID:2284 -
\??\c:\rrxfflx.exec:\rrxfflx.exe62⤵
- Executes dropped EXE
PID:2248 -
\??\c:\9hnntt.exec:\9hnntt.exe63⤵
- Executes dropped EXE
PID:2180 -
\??\c:\ddjdj.exec:\ddjdj.exe64⤵
- Executes dropped EXE
PID:2460 -
\??\c:\5flfrrr.exec:\5flfrrr.exe65⤵
- Executes dropped EXE
PID:1620 -
\??\c:\9xffrrr.exec:\9xffrrr.exe66⤵PID:1972
-
\??\c:\nbnnth.exec:\nbnnth.exe67⤵PID:648
-
\??\c:\7nbbtb.exec:\7nbbtb.exe68⤵PID:1292
-
\??\c:\1vpjv.exec:\1vpjv.exe69⤵PID:1668
-
\??\c:\fxxrfxx.exec:\fxxrfxx.exe70⤵PID:1988
-
\??\c:\llxxrxx.exec:\llxxrxx.exe71⤵PID:1980
-
\??\c:\tbtbbb.exec:\tbtbbb.exe72⤵PID:1816
-
\??\c:\vvddj.exec:\vvddj.exe73⤵PID:1628
-
\??\c:\jvvpv.exec:\jvvpv.exe74⤵PID:2568
-
\??\c:\lrxffll.exec:\lrxffll.exe75⤵PID:1308
-
\??\c:\bnbhnt.exec:\bnbhnt.exe76⤵PID:3036
-
\??\c:\7ttbnh.exec:\7ttbnh.exe77⤵PID:2212
-
\??\c:\pdvvj.exec:\pdvvj.exe78⤵PID:2848
-
\??\c:\9lxrxll.exec:\9lxrxll.exe79⤵PID:2204
-
\??\c:\1frrrrx.exec:\1frrrrx.exe80⤵PID:2964
-
\??\c:\tbnbhh.exec:\tbnbhh.exe81⤵PID:2852
-
\??\c:\pdpvd.exec:\pdpvd.exe82⤵PID:2064
-
\??\c:\ffffflr.exec:\ffffflr.exe83⤵PID:2796
-
\??\c:\xffflrr.exec:\xffflrr.exe84⤵PID:2884
-
\??\c:\tbnbnt.exec:\tbnbnt.exe85⤵PID:2700
-
\??\c:\vppvj.exec:\vppvj.exe86⤵PID:2672
-
\??\c:\1jvpd.exec:\1jvpd.exe87⤵PID:2396
-
\??\c:\xrrrrxf.exec:\xrrrrxf.exe88⤵PID:2720
-
\??\c:\llffrlr.exec:\llffrlr.exe89⤵PID:752
-
\??\c:\5bbbhb.exec:\5bbbhb.exe90⤵PID:2332
-
\??\c:\5pjvj.exec:\5pjvj.exe91⤵PID:1044
-
\??\c:\jdddj.exec:\jdddj.exe92⤵PID:2024
-
\??\c:\xllllll.exec:\xllllll.exe93⤵PID:2176
-
\??\c:\bbhhhn.exec:\bbhhhn.exe94⤵PID:2912
-
\??\c:\bbnthh.exec:\bbnthh.exe95⤵PID:2888
-
\??\c:\pjjvv.exec:\pjjvv.exe96⤵PID:3020
-
\??\c:\rxfflrx.exec:\rxfflrx.exe97⤵PID:276
-
\??\c:\llrrxxx.exec:\llrrxxx.exe98⤵PID:2060
-
\??\c:\bbhnbb.exec:\bbhnbb.exe99⤵PID:1048
-
\??\c:\1vdvv.exec:\1vdvv.exe100⤵PID:1104
-
\??\c:\fxxllll.exec:\fxxllll.exe101⤵PID:624
-
\??\c:\1xlllll.exec:\1xlllll.exe102⤵PID:2228
-
\??\c:\hntntt.exec:\hntntt.exe103⤵PID:2300
-
\??\c:\3nthht.exec:\3nthht.exe104⤵PID:2444
-
\??\c:\vddjv.exec:\vddjv.exe105⤵PID:2192
-
\??\c:\llxxffl.exec:\llxxffl.exe106⤵PID:2536
-
\??\c:\bhnnnn.exec:\bhnnnn.exe107⤵PID:1376
-
\??\c:\jjjpv.exec:\jjjpv.exe108⤵PID:2448
-
\??\c:\3dpjj.exec:\3dpjj.exe109⤵PID:1652
-
\??\c:\flrrxff.exec:\flrrxff.exe110⤵PID:2600
-
\??\c:\9nhhbh.exec:\9nhhbh.exe111⤵PID:880
-
\??\c:\nhtntb.exec:\nhtntb.exe112⤵PID:2416
-
\??\c:\jjvpd.exec:\jjvpd.exe113⤵PID:2988
-
\??\c:\fxfffxx.exec:\fxfffxx.exe114⤵PID:1988
-
\??\c:\rfxxflr.exec:\rfxxflr.exe115⤵PID:1980
-
\??\c:\3httbh.exec:\3httbh.exe116⤵PID:1816
-
\??\c:\djjjv.exec:\djjjv.exe117⤵PID:2380
-
\??\c:\5xlflll.exec:\5xlflll.exe118⤵PID:2568
-
\??\c:\1lffrfl.exec:\1lffrfl.exe119⤵PID:3032
-
\??\c:\hbhtbb.exec:\hbhtbb.exe120⤵PID:1580
-
\??\c:\vjpdp.exec:\vjpdp.exe121⤵PID:2072
-
\??\c:\pjppv.exec:\pjppv.exe122⤵PID:2848