Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 08:31
Behavioral task
behavioral1
Sample
3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe
-
Size
67KB
-
MD5
e9941016f1ec9341b0292b4fec81b700
-
SHA1
2fc9acb4124955e5ef0c90ce63a83cfb710dbd17
-
SHA256
3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5
-
SHA512
b5c7b2d8b1428dcfc12e21c59cc6c7938feea84af51c784165ef6b7a864ca80fa09f56876e8c32ebcdadff4f7e02d9c832bd31b29dad41b4a8fed41cf986b19a
-
SSDEEP
1536:/vQBeOGtrYS3srx93UBWfwC6Ggnouy8jb5DiLKrb08I:/hOmTsF93UYfwC6GIoutcKb+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 59 IoCs
resource yara_rule behavioral1/memory/2804-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2372-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3016-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2896-30-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2612-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/276-65-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/716-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2400-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1632-228-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1676-462-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1556-499-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1020-506-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2180-657-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2592-670-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3024-676-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2696-700-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/704-739-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2968-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2280-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-386-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2684-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2444-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2820-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/892-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2520-263-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2012-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2476-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2500-201-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/3032-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1564-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2996-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1704-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1740-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2928-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2912-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2096-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2704-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2276-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/816-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2896-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2896-34-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/968-867-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/528-904-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2712-911-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/528-928-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2336-1063-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2452-1095-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1660-1121-0x0000000000260000-0x0000000000287000-memory.dmp family_blackmoon behavioral1/memory/2648-1124-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2648-1129-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2844-1148-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2648-1156-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2724-1164-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1440-1190-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2108-1215-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1984-1234-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/444-1253-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2196-1303-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2228-1384-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2804 ttnthh.exe 3016 bbhbhn.exe 2896 7nttnt.exe 816 480006.exe 2612 btnhbn.exe 276 w68866.exe 2276 ppjvj.exe 716 hbbbnt.exe 968 dvpdj.exe 2704 ffrxfrl.exe 2096 vvjpv.exe 2912 nntnhb.exe 2928 9ppvd.exe 1740 7llxlxr.exe 1704 22026.exe 2996 244468.exe 1564 fxlrxfl.exe 1696 hhttbb.exe 3032 w22408.exe 2200 20228.exe 2500 4806662.exe 2400 28204.exe 1600 bhthht.exe 1632 fxfrffr.exe 2476 006604.exe 2012 468800.exe 2060 dpjdj.exe 2520 2620442.exe 1236 44628.exe 892 046288.exe 2820 lrfxrfl.exe 2744 64286.exe 2644 6400268.exe 1532 1rlflfl.exe 2444 bbnbhn.exe 2632 1tnthn.exe 2872 tnbhtn.exe 2228 fxlxxll.exe 276 jjpdv.exe 1064 s8664.exe 716 482484.exe 1624 0886686.exe 1868 nhthtb.exe 2684 bhnntt.exe 2868 40644.exe 2932 404602.exe 2296 htntbh.exe 2280 a8002.exe 988 828844.exe 2516 q62002.exe 1572 thhttt.exe 1844 jjjdd.exe 1696 5flrrrx.exe 2968 pjvpv.exe 896 e20640.exe 2068 u028662.exe 2500 2640666.exe 1676 s2260.exe 2596 84204.exe 1604 4248400.exe 2076 djpjj.exe 1472 nhhnnn.exe 2416 xrxflrx.exe 1556 3lfrffl.exe -
resource yara_rule behavioral1/files/0x000a00000001202c-7.dat upx behavioral1/memory/2804-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2372-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015e8f-17.dat upx behavioral1/memory/2896-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015ef6-25.dat upx behavioral1/memory/3016-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015f4f-39.dat upx behavioral1/memory/2612-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015fdb-48.dat upx behavioral1/files/0x0007000000016239-66.dat upx behavioral1/memory/716-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019242-94.dat upx behavioral1/files/0x000500000001925b-104.dat upx behavioral1/files/0x000500000001930d-121.dat upx behavioral1/files/0x0005000000019377-142.dat upx behavioral1/files/0x000500000001938e-159.dat upx behavioral1/memory/2400-212-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2516-406-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1676-462-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2888-546-0x0000000000430000-0x0000000000457000-memory.dmp upx behavioral1/memory/2180-657-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2592-670-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/704-739-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1760-757-0x00000000002C0000-0x00000000002E7000-memory.dmp upx behavioral1/memory/2968-437-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2280-399-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2684-373-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/716-348-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2444-317-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019581-291.dat upx behavioral1/memory/2820-289-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001955c-282.dat upx behavioral1/memory/892-280-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019551-273.dat upx behavioral1/files/0x00050000000194e6-265.dat upx behavioral1/files/0x00050000000194e4-256.dat upx behavioral1/files/0x00050000000194da-248.dat upx behavioral1/memory/2012-246-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194d0-239.dat upx behavioral1/memory/2476-238-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194c6-230.dat upx behavioral1/files/0x000500000001949d-221.dat upx behavioral1/files/0x0005000000019490-213.dat upx behavioral1/files/0x0005000000019481-203.dat upx behavioral1/files/0x000500000001946b-194.dat upx behavioral1/files/0x0005000000019429-186.dat upx behavioral1/memory/3032-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001941b-177.dat upx behavioral1/files/0x000500000001939c-169.dat upx behavioral1/memory/1564-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2996-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001938a-151.dat upx behavioral1/memory/1704-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1740-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001932a-133.dat upx behavioral1/memory/1740-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2928-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2912-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001925d-113.dat upx 
behavioral1/memory/2096-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2096-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2704-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/968-92-0x00000000002C0000-0x00000000002E7000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnhn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4028208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2804 2372 3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe 30 PID 2372 wrote to memory of 2804 2372 3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe 30 PID 2372 wrote to memory of 2804 2372 3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe 30 PID 2372 wrote to memory of 2804 2372 3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe 30 PID 2804 wrote to memory of 3016 2804 ttnthh.exe 31 PID 2804 wrote to memory of 3016 2804 ttnthh.exe 31 PID 2804 wrote to memory of 3016 2804 ttnthh.exe 31 PID 2804 wrote to memory of 3016 2804 ttnthh.exe 31 PID 3016 wrote to memory of 2896 3016 bbhbhn.exe 32 PID 3016 wrote to memory of 2896 3016 bbhbhn.exe 32 PID 3016 wrote to memory of 2896 3016 bbhbhn.exe 32 PID 3016 wrote to memory of 2896 3016 bbhbhn.exe 32 PID 2896 wrote to memory of 816 2896 7nttnt.exe 33 PID 2896 wrote to memory of 816 2896 7nttnt.exe 33 PID 2896 wrote to memory of 816 2896 7nttnt.exe 33 PID 2896 wrote to memory of 816 2896 7nttnt.exe 33 PID 816 wrote to memory of 2612 816 480006.exe 34 PID 816 wrote to memory of 2612 816 480006.exe 34 PID 816 wrote to memory of 2612 816 480006.exe 34 PID 816 wrote to memory of 2612 816 480006.exe 34 PID 2612 wrote to memory of 276 2612 btnhbn.exe 35 PID 2612 wrote to memory of 276 2612 btnhbn.exe 35 PID 2612 wrote to memory of 276 2612 btnhbn.exe 35 PID 2612 wrote to memory of 276 2612 btnhbn.exe 35 PID 276 wrote to memory of 2276 276 w68866.exe 36 PID 276 wrote to memory of 2276 276 w68866.exe 36 PID 276 wrote to memory of 2276 276 w68866.exe 36 PID 276 wrote to memory of 2276 276 w68866.exe 36 PID 2276 wrote to memory of 716 2276 ppjvj.exe 37 PID 2276 wrote to memory of 716 2276 ppjvj.exe 37 PID 2276 wrote to memory of 716 2276 ppjvj.exe 37 PID 2276 wrote to memory of 716 2276 ppjvj.exe 37 PID 716 wrote to memory of 968 716 hbbbnt.exe 153 PID 716 wrote to memory of 968 716 
hbbbnt.exe 153 PID 716 wrote to memory of 968 716 hbbbnt.exe 153 PID 716 wrote to memory of 968 716 hbbbnt.exe 153 PID 968 wrote to memory of 2704 968 dvpdj.exe 39 PID 968 wrote to memory of 2704 968 dvpdj.exe 39 PID 968 wrote to memory of 2704 968 dvpdj.exe 39 PID 968 wrote to memory of 2704 968 dvpdj.exe 39 PID 2704 wrote to memory of 2096 2704 ffrxfrl.exe 40 PID 2704 wrote to memory of 2096 2704 ffrxfrl.exe 40 PID 2704 wrote to memory of 2096 2704 ffrxfrl.exe 40 PID 2704 wrote to memory of 2096 2704 ffrxfrl.exe 40 PID 2096 wrote to memory of 2912 2096 vvjpv.exe 41 PID 2096 wrote to memory of 2912 2096 vvjpv.exe 41 PID 2096 wrote to memory of 2912 2096 vvjpv.exe 41 PID 2096 wrote to memory of 2912 2096 vvjpv.exe 41 PID 2912 wrote to memory of 2928 2912 nntnhb.exe 42 PID 2912 wrote to memory of 2928 2912 nntnhb.exe 42 PID 2912 wrote to memory of 2928 2912 nntnhb.exe 42 PID 2912 wrote to memory of 2928 2912 nntnhb.exe 42 PID 2928 wrote to memory of 1740 2928 9ppvd.exe 43 PID 2928 wrote to memory of 1740 2928 9ppvd.exe 43 PID 2928 wrote to memory of 1740 2928 9ppvd.exe 43 PID 2928 wrote to memory of 1740 2928 9ppvd.exe 43 PID 1740 wrote to memory of 1704 1740 7llxlxr.exe 44 PID 1740 wrote to memory of 1704 1740 7llxlxr.exe 44 PID 1740 wrote to memory of 1704 1740 7llxlxr.exe 44 PID 1740 wrote to memory of 1704 1740 7llxlxr.exe 44 PID 1704 wrote to memory of 2996 1704 22026.exe 162 PID 1704 wrote to memory of 2996 1704 22026.exe 162 PID 1704 wrote to memory of 2996 1704 22026.exe 162 PID 1704 wrote to memory of 2996 1704 22026.exe 162
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe"C:\Users\Admin\AppData\Local\Temp\3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\ttnthh.exec:\ttnthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\bbhbhn.exec:\bbhbhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\7nttnt.exec:\7nttnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\480006.exec:\480006.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\btnhbn.exec:\btnhbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\w68866.exec:\w68866.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:276 -
\??\c:\ppjvj.exec:\ppjvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\hbbbnt.exec:\hbbbnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\dvpdj.exec:\dvpdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\ffrxfrl.exec:\ffrxfrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\vvjpv.exec:\vvjpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\nntnhb.exec:\nntnhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\9ppvd.exec:\9ppvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\7llxlxr.exec:\7llxlxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\22026.exec:\22026.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\244468.exec:\244468.exe17⤵
- Executes dropped EXE
PID:2996 -
\??\c:\fxlrxfl.exec:\fxlrxfl.exe18⤵
- Executes dropped EXE
PID:1564 -
\??\c:\hhttbb.exec:\hhttbb.exe19⤵
- Executes dropped EXE
PID:1696 -
\??\c:\w22408.exec:\w22408.exe20⤵
- Executes dropped EXE
PID:3032 -
\??\c:\20228.exec:\20228.exe21⤵
- Executes dropped EXE
PID:2200 -
\??\c:\4806662.exec:\4806662.exe22⤵
- Executes dropped EXE
PID:2500 -
\??\c:\28204.exec:\28204.exe23⤵
- Executes dropped EXE
PID:2400 -
\??\c:\bhthht.exec:\bhthht.exe24⤵
- Executes dropped EXE
PID:1600 -
\??\c:\fxfrffr.exec:\fxfrffr.exe25⤵
- Executes dropped EXE
PID:1632 -
\??\c:\006604.exec:\006604.exe26⤵
- Executes dropped EXE
PID:2476 -
\??\c:\468800.exec:\468800.exe27⤵
- Executes dropped EXE
PID:2012 -
\??\c:\dpjdj.exec:\dpjdj.exe28⤵
- Executes dropped EXE
PID:2060 -
\??\c:\2620442.exec:\2620442.exe29⤵
- Executes dropped EXE
PID:2520 -
\??\c:\44628.exec:\44628.exe30⤵
- Executes dropped EXE
PID:1236 -
\??\c:\046288.exec:\046288.exe31⤵
- Executes dropped EXE
PID:892 -
\??\c:\lrfxrfl.exec:\lrfxrfl.exe32⤵
- Executes dropped EXE
PID:2820 -
\??\c:\64286.exec:\64286.exe33⤵
- Executes dropped EXE
PID:2744 -
\??\c:\6400268.exec:\6400268.exe34⤵
- Executes dropped EXE
PID:2644 -
\??\c:\1rlflfl.exec:\1rlflfl.exe35⤵
- Executes dropped EXE
PID:1532 -
\??\c:\bbnbhn.exec:\bbnbhn.exe36⤵
- Executes dropped EXE
PID:2444 -
\??\c:\1tnthn.exec:\1tnthn.exe37⤵
- Executes dropped EXE
PID:2632 -
\??\c:\tnbhtn.exec:\tnbhtn.exe38⤵
- Executes dropped EXE
PID:2872 -
\??\c:\fxlxxll.exec:\fxlxxll.exe39⤵
- Executes dropped EXE
PID:2228 -
\??\c:\jjpdv.exec:\jjpdv.exe40⤵
- Executes dropped EXE
PID:276 -
\??\c:\s8664.exec:\s8664.exe41⤵
- Executes dropped EXE
PID:1064 -
\??\c:\482484.exec:\482484.exe42⤵
- Executes dropped EXE
PID:716 -
\??\c:\0886686.exec:\0886686.exe43⤵
- Executes dropped EXE
PID:1624 -
\??\c:\nhthtb.exec:\nhthtb.exe44⤵
- Executes dropped EXE
PID:1868 -
\??\c:\bhnntt.exec:\bhnntt.exe45⤵
- Executes dropped EXE
PID:2684 -
\??\c:\40644.exec:\40644.exe46⤵
- Executes dropped EXE
PID:2868 -
\??\c:\404602.exec:\404602.exe47⤵
- Executes dropped EXE
PID:2932 -
\??\c:\htntbh.exec:\htntbh.exe48⤵
- Executes dropped EXE
PID:2296 -
\??\c:\a8002.exec:\a8002.exe49⤵
- Executes dropped EXE
PID:2280 -
\??\c:\828844.exec:\828844.exe50⤵
- Executes dropped EXE
PID:988 -
\??\c:\q62002.exec:\q62002.exe51⤵
- Executes dropped EXE
PID:2516 -
\??\c:\thhttt.exec:\thhttt.exe52⤵
- Executes dropped EXE
PID:1572 -
\??\c:\jjjdd.exec:\jjjdd.exe53⤵
- Executes dropped EXE
PID:1844 -
\??\c:\5flrrrx.exec:\5flrrrx.exe54⤵
- Executes dropped EXE
PID:1696 -
\??\c:\pjvpv.exec:\pjvpv.exe55⤵
- Executes dropped EXE
PID:2968 -
\??\c:\e20640.exec:\e20640.exe56⤵
- Executes dropped EXE
PID:896 -
\??\c:\u028662.exec:\u028662.exe57⤵
- Executes dropped EXE
PID:2068 -
\??\c:\2640666.exec:\2640666.exe58⤵
- Executes dropped EXE
PID:2500 -
\??\c:\s2260.exec:\s2260.exe59⤵
- Executes dropped EXE
PID:1676 -
\??\c:\84204.exec:\84204.exe60⤵
- Executes dropped EXE
PID:2596 -
\??\c:\4248400.exec:\4248400.exe61⤵
- Executes dropped EXE
PID:1604 -
\??\c:\djpjj.exec:\djpjj.exe62⤵
- Executes dropped EXE
PID:2076 -
\??\c:\nhhnnn.exec:\nhhnnn.exe63⤵
- Executes dropped EXE
PID:1472 -
\??\c:\xrxflrx.exec:\xrxflrx.exe64⤵
- Executes dropped EXE
PID:2416 -
\??\c:\3lfrffl.exec:\3lfrffl.exe65⤵
- Executes dropped EXE
PID:1556 -
\??\c:\4280668.exec:\4280668.exe66⤵PID:1020
-
\??\c:\7thtbh.exec:\7thtbh.exe67⤵PID:1880
-
\??\c:\lrxlfxf.exec:\lrxlfxf.exe68⤵PID:2520
-
\??\c:\flxlrxr.exec:\flxlrxr.exe69⤵PID:2692
-
\??\c:\s4482.exec:\s4482.exe70⤵
- System Location Discovery: System Language Discovery
PID:892 -
\??\c:\480622.exec:\480622.exe71⤵PID:764
-
\??\c:\hnnntn.exec:\hnnntn.exe72⤵PID:2312
-
\??\c:\8642808.exec:\8642808.exe73⤵PID:2888
-
\??\c:\60468.exec:\60468.exe74⤵PID:2644
-
\??\c:\btnnhh.exec:\btnnhh.exe75⤵PID:1532
-
\??\c:\xlrflff.exec:\xlrflff.exe76⤵PID:2608
-
\??\c:\4226688.exec:\4226688.exe77⤵PID:2624
-
\??\c:\hbhthn.exec:\hbhthn.exe78⤵PID:2652
-
\??\c:\ffrlfff.exec:\ffrlfff.exe79⤵PID:1736
-
\??\c:\8824262.exec:\8824262.exe80⤵PID:2228
-
\??\c:\0444084.exec:\0444084.exe81⤵PID:2864
-
\??\c:\bnnhnb.exec:\bnnhnb.exe82⤵PID:332
-
\??\c:\486828.exec:\486828.exe83⤵PID:2800
-
\??\c:\djdpv.exec:\djdpv.exe84⤵PID:2376
-
\??\c:\082608.exec:\082608.exe85⤵PID:1624
-
\??\c:\lrxllfx.exec:\lrxllfx.exe86⤵PID:2724
-
\??\c:\thtthn.exec:\thtthn.exe87⤵PID:2732
-
\??\c:\22842.exec:\22842.exe88⤵PID:528
-
\??\c:\fxfxlxf.exec:\fxfxlxf.exe89⤵PID:2660
-
\??\c:\fxrxllr.exec:\fxrxllr.exe90⤵PID:1440
-
\??\c:\xxlrxxf.exec:\xxlrxxf.exe91⤵PID:2180
-
\??\c:\7lrrrlx.exec:\7lrrrlx.exe92⤵PID:2360
-
\??\c:\rrrfxfl.exec:\rrrfxfl.exe93⤵PID:2592
-
\??\c:\rrlfxfr.exec:\rrlfxfr.exe94⤵PID:3024
-
\??\c:\tbtnhn.exec:\tbtnhn.exe95⤵
- System Location Discovery: System Language Discovery
PID:2204 -
\??\c:\thttht.exec:\thttht.exe96⤵PID:3032
-
\??\c:\flflffr.exec:\flflffr.exe97⤵PID:2428
-
\??\c:\llxlrrl.exec:\llxlrrl.exe98⤵PID:2696
-
\??\c:\tttbhn.exec:\tttbhn.exe99⤵PID:3036
-
\??\c:\062020.exec:\062020.exe100⤵PID:2168
-
\??\c:\04624.exec:\04624.exe101⤵PID:340
-
\??\c:\1pdjp.exec:\1pdjp.exe102⤵PID:2812
-
\??\c:\thnbnn.exec:\thnbnn.exe103⤵PID:2136
-
\??\c:\2000440.exec:\2000440.exe104⤵PID:704
-
\??\c:\hhbbnt.exec:\hhbbnt.exe105⤵PID:1016
-
\??\c:\6062882.exec:\6062882.exe106⤵PID:2544
-
\??\c:\nhnnth.exec:\nhnnth.exe107⤵PID:1760
-
\??\c:\o822664.exec:\o822664.exe108⤵PID:2292
-
\??\c:\60284.exec:\60284.exe109⤵PID:1020
-
\??\c:\28264.exec:\28264.exe110⤵PID:1880
-
\??\c:\lxlxfrx.exec:\lxlxfrx.exe111⤵PID:700
-
\??\c:\8860846.exec:\8860846.exe112⤵PID:2836
-
\??\c:\xxxlllx.exec:\xxxlllx.exe113⤵PID:2336
-
\??\c:\jjvpj.exec:\jjvpj.exe114⤵PID:3028
-
\??\c:\480022.exec:\480022.exe115⤵PID:2312
-
\??\c:\nhtbbb.exec:\nhtbbb.exe116⤵PID:1636
-
\??\c:\nnnhbn.exec:\nnnhbn.exe117⤵PID:1680
-
\??\c:\44408.exec:\44408.exe118⤵PID:2972
-
\??\c:\s6842.exec:\s6842.exe119⤵PID:2608
-
\??\c:\3pjpv.exec:\3pjpv.exe120⤵PID:2624
-
\??\c:\602462.exec:\602462.exe121⤵PID:2664
-
\??\c:\3tbntb.exec:\3tbntb.exe122⤵PID:1908