Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 05:42
Behavioral task
behavioral1
Sample
344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe
-
Size
97KB
-
MD5
56600ed41f70a29baa3506d7f603240f
-
SHA1
2471b2d43a54198af4a8b81147db57cf7d2a5d71
-
SHA256
344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4
-
SHA512
69ca518c0620f4851d1040df8571a888fc853a07997fb43407c7ccfff813447a0d2e9b794e357e444acd55ef633beb4db8010db85a76cc99725388c3aee2fe82
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgRb:8cm4FmowdHoSgWrXUgN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral1/memory/2084-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3000-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2264-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2268-23-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/484-39-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2816-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2732-57-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2732-56-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/484-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2868-62-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2868-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-75-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2680-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1664-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/664-111-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/664-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/840-123-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/840-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1856-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1760-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2844-172-0x00000000002F0000-0x0000000000317000-memory.dmp family_blackmoon behavioral1/memory/2844-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/960-203-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/960-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1724-211-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/800-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2240-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3020-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1580-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2968-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2812-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3036-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1764-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/632-396-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1192-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2092-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1744-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2480-449-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2476-490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2476-486-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2096-496-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1588-550-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2896-566-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2736-572-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1856-655-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1568-676-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2564-697-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/332-790-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2216-791-0x00000000777D0000-0x00000000778EF000-memory.dmp family_blackmoon behavioral1/memory/2692-805-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2776-856-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2772-862-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/3036-868-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/268-939-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2308-952-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1508-963-0x00000000001C0000-0x00000000001E7000-memory.dmp family_blackmoon behavioral1/memory/2260-1001-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2216-9230-0x00000000777D0000-0x00000000778EF000-memory.dmp family_blackmoon behavioral1/memory/2216-15773-0x00000000777D0000-0x00000000778EF000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3000 fxllrrx.exe 2268 hthntt.exe 2264 7djjj.exe 484 xlxflrx.exe 2816 1fxxfxl.exe 2732 btnbnn.exe 2868 9bnnnh.exe 2628 vjjjp.exe 2720 3rffrrf.exe 2680 rrfrrrx.exe 3040 dpdvj.exe 1664 xrxxffl.exe 664 rlrxflr.exe 840 hhtbhb.exe 1856 ppdpd.exe 1808 9frrrrr.exe 2384 3tnhtb.exe 1760 hbnnnh.exe 1492 tnhnbb.exe 2844 9lffrxf.exe 2784 lfxlxff.exe 2472 1tbhnt.exe 2940 vpjpv.exe 960 jdjjp.exe 1724 lfflrrx.exe 920 3bbttn.exe 1784 7vjvv.exe 716 rflfflx.exe 2132 nbnhhb.exe 600 nhbbbh.exe 1672 jjdjp.exe 800 xrflxfr.exe 2240 xrlrxrf.exe 2576 nhnthn.exe 3020 jdjdj.exe 2960 dpvpv.exe 1580 7lrrrxl.exe 2956 7lxxfxf.exe 2700 tnhtbb.exe 2752 3tnthn.exe 2812 9jjpd.exe 2968 dpddd.exe 2864 lfxxffr.exe 2768 lfxfxxx.exe 2788 htnhnh.exe 2528 pdjdp.exe 2608 ddvdv.exe 3036 rrfrxff.exe 2660 3lxfxfr.exe 1676 7bttnn.exe 1116 ttbthb.exe 1764 7vdvd.exe 1392 1lrlrrf.exe 1728 rlrrxxf.exe 632 bbtbnt.exe 1192 ntbbtt.exe 2004 pjppp.exe 2092 pjpvd.exe 1320 xrlfxfl.exe 1932 frlfrrf.exe 268 dpppj.exe 1744 1llfrxf.exe 2704 5rlrfrx.exe 2480 nhntbh.exe -
resource yara_rule behavioral1/memory/2084-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2084-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3000-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000012117-8.dat upx behavioral1/files/0x0009000000016d5e-16.dat upx behavioral1/memory/2264-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d68-25.dat upx behavioral1/files/0x0008000000016d6d-33.dat upx behavioral1/files/0x00070000000171a8-50.dat upx behavioral1/memory/2816-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000173a7-58.dat upx behavioral1/files/0x0008000000016d89-42.dat upx behavioral1/memory/484-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000017488-67.dat upx behavioral1/memory/2868-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001925e-84.dat upx behavioral1/files/0x0007000000019023-78.dat upx behavioral1/memory/2628-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019261-91.dat upx behavioral1/memory/2680-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019282-99.dat upx behavioral1/files/0x0005000000019334-106.dat upx behavioral1/memory/1664-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019350-116.dat upx behavioral1/memory/664-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/840-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193b4-124.dat upx behavioral1/memory/1856-133-0x00000000001B0000-0x00000000001D7000-memory.dmp upx behavioral1/files/0x00050000000193c2-134.dat upx behavioral1/memory/1856-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193e1-143.dat upx 
behavioral1/files/0x000500000001941e-151.dat upx behavioral1/memory/1760-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1760-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019427-157.dat upx behavioral1/files/0x0005000000019431-165.dat upx behavioral1/memory/2844-172-0x00000000002F0000-0x0000000000317000-memory.dmp upx behavioral1/memory/2844-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019441-173.dat upx behavioral1/files/0x000500000001944f-181.dat upx behavioral1/files/0x0005000000019461-188.dat upx behavioral1/files/0x000500000001950c-196.dat upx behavioral1/memory/2940-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019582-204.dat upx behavioral1/memory/960-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/920-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c5-215.dat upx behavioral1/files/0x0005000000019609-221.dat upx behavioral1/memory/716-229-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001960b-228.dat upx behavioral1/files/0x000500000001960d-236.dat upx behavioral1/memory/600-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d42-243.dat upx behavioral1/files/0x000500000001960f-252.dat upx behavioral1/files/0x0005000000019611-259.dat upx behavioral1/memory/800-266-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2240-272-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3020-279-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1580-289-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2752-310-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2968-322-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2864-323-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2788-340-0x00000000002C0000-0x00000000002E7000-memory.dmp upx behavioral1/memory/3036-359-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllllxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lffrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 3000 2084 344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe 31 PID 2084 wrote to memory of 3000 2084 344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe 31 PID 2084 wrote to memory of 3000 2084 344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe 31 PID 2084 wrote to memory of 3000 2084 344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe 31 PID 3000 wrote to memory of 2268 3000 fxllrrx.exe 32 PID 3000 wrote to memory of 2268 3000 fxllrrx.exe 32 PID 3000 wrote to memory of 2268 3000 fxllrrx.exe 32 PID 3000 wrote to memory of 2268 3000 fxllrrx.exe 32 PID 2268 wrote to memory of 2264 2268 hthntt.exe 33 PID 2268 wrote to memory of 2264 2268 hthntt.exe 33 PID 2268 wrote to memory of 2264 2268 hthntt.exe 33 PID 2268 wrote to memory of 2264 2268 hthntt.exe 33 PID 2264 wrote to memory of 484 2264 7djjj.exe 34 PID 2264 wrote to memory of 484 2264 7djjj.exe 34 PID 2264 wrote to memory of 484 2264 7djjj.exe 34 PID 2264 wrote to memory of 484 2264 7djjj.exe 34 PID 484 wrote to memory of 2816 484 xlxflrx.exe 35 PID 484 wrote to memory of 2816 484 xlxflrx.exe 35 PID 484 wrote to memory of 2816 484 xlxflrx.exe 35 PID 484 wrote to memory of 2816 484 xlxflrx.exe 35 PID 2816 wrote to memory of 2732 2816 1fxxfxl.exe 36 PID 2816 wrote to memory of 2732 2816 1fxxfxl.exe 36 PID 2816 wrote to memory of 2732 2816 1fxxfxl.exe 36 PID 2816 wrote to memory of 2732 2816 1fxxfxl.exe 36 PID 2732 wrote to memory of 2868 2732 btnbnn.exe 37 PID 2732 wrote to memory of 2868 2732 btnbnn.exe 37 PID 2732 wrote to memory of 2868 2732 btnbnn.exe 37 PID 2732 wrote to memory of 2868 2732 btnbnn.exe 37 PID 2868 wrote to memory of 2628 2868 9bnnnh.exe 38 PID 2868 wrote to memory of 2628 2868 9bnnnh.exe 38 PID 2868 wrote to memory of 2628 2868 9bnnnh.exe 38 PID 2868 wrote to memory of 2628 2868 9bnnnh.exe 38 PID 2628 wrote to memory of 2720 2628 vjjjp.exe 39 PID 2628 wrote to 
memory of 2720 2628 vjjjp.exe 39 PID 2628 wrote to memory of 2720 2628 vjjjp.exe 39 PID 2628 wrote to memory of 2720 2628 vjjjp.exe 39 PID 2720 wrote to memory of 2680 2720 3rffrrf.exe 40 PID 2720 wrote to memory of 2680 2720 3rffrrf.exe 40 PID 2720 wrote to memory of 2680 2720 3rffrrf.exe 40 PID 2720 wrote to memory of 2680 2720 3rffrrf.exe 40 PID 2680 wrote to memory of 3040 2680 rrfrrrx.exe 41 PID 2680 wrote to memory of 3040 2680 rrfrrrx.exe 41 PID 2680 wrote to memory of 3040 2680 rrfrrrx.exe 41 PID 2680 wrote to memory of 3040 2680 rrfrrrx.exe 41 PID 3040 wrote to memory of 1664 3040 dpdvj.exe 42 PID 3040 wrote to memory of 1664 3040 dpdvj.exe 42 PID 3040 wrote to memory of 1664 3040 dpdvj.exe 42 PID 3040 wrote to memory of 1664 3040 dpdvj.exe 42 PID 1664 wrote to memory of 664 1664 xrxxffl.exe 43 PID 1664 wrote to memory of 664 1664 xrxxffl.exe 43 PID 1664 wrote to memory of 664 1664 xrxxffl.exe 43 PID 1664 wrote to memory of 664 1664 xrxxffl.exe 43 PID 664 wrote to memory of 840 664 rlrxflr.exe 44 PID 664 wrote to memory of 840 664 rlrxflr.exe 44 PID 664 wrote to memory of 840 664 rlrxflr.exe 44 PID 664 wrote to memory of 840 664 rlrxflr.exe 44 PID 840 wrote to memory of 1856 840 hhtbhb.exe 45 PID 840 wrote to memory of 1856 840 hhtbhb.exe 45 PID 840 wrote to memory of 1856 840 hhtbhb.exe 45 PID 840 wrote to memory of 1856 840 hhtbhb.exe 45 PID 1856 wrote to memory of 1808 1856 ppdpd.exe 46 PID 1856 wrote to memory of 1808 1856 ppdpd.exe 46 PID 1856 wrote to memory of 1808 1856 ppdpd.exe 46 PID 1856 wrote to memory of 1808 1856 ppdpd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe"C:\Users\Admin\AppData\Local\Temp\344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\fxllrrx.exec:\fxllrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\hthntt.exec:\hthntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\7djjj.exec:\7djjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\xlxflrx.exec:\xlxflrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
\??\c:\1fxxfxl.exec:\1fxxfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\btnbnn.exec:\btnbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\9bnnnh.exec:\9bnnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\vjjjp.exec:\vjjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\3rffrrf.exec:\3rffrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\rrfrrrx.exec:\rrfrrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\dpdvj.exec:\dpdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\xrxxffl.exec:\xrxxffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\rlrxflr.exec:\rlrxflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\hhtbhb.exec:\hhtbhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\ppdpd.exec:\ppdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\9frrrrr.exec:\9frrrrr.exe17⤵
- Executes dropped EXE
PID:1808 -
\??\c:\3tnhtb.exec:\3tnhtb.exe18⤵
- Executes dropped EXE
PID:2384 -
\??\c:\hbnnnh.exec:\hbnnnh.exe19⤵
- Executes dropped EXE
PID:1760 -
\??\c:\tnhnbb.exec:\tnhnbb.exe20⤵
- Executes dropped EXE
PID:1492 -
\??\c:\9lffrxf.exec:\9lffrxf.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844 -
\??\c:\lfxlxff.exec:\lfxlxff.exe22⤵
- Executes dropped EXE
PID:2784 -
\??\c:\1tbhnt.exec:\1tbhnt.exe23⤵
- Executes dropped EXE
PID:2472 -
\??\c:\vpjpv.exec:\vpjpv.exe24⤵
- Executes dropped EXE
PID:2940 -
\??\c:\jdjjp.exec:\jdjjp.exe25⤵
- Executes dropped EXE
PID:960 -
\??\c:\lfflrrx.exec:\lfflrrx.exe26⤵
- Executes dropped EXE
PID:1724 -
\??\c:\3bbttn.exec:\3bbttn.exe27⤵
- Executes dropped EXE
PID:920 -
\??\c:\7vjvv.exec:\7vjvv.exe28⤵
- Executes dropped EXE
PID:1784 -
\??\c:\rflfflx.exec:\rflfflx.exe29⤵
- Executes dropped EXE
PID:716 -
\??\c:\nbnhhb.exec:\nbnhhb.exe30⤵
- Executes dropped EXE
PID:2132 -
\??\c:\nhbbbh.exec:\nhbbbh.exe31⤵
- Executes dropped EXE
PID:600 -
\??\c:\jjdjp.exec:\jjdjp.exe32⤵
- Executes dropped EXE
PID:1672 -
\??\c:\xrflxfr.exec:\xrflxfr.exe33⤵
- Executes dropped EXE
PID:800 -
\??\c:\xrlrxrf.exec:\xrlrxrf.exe34⤵
- Executes dropped EXE
PID:2240 -
\??\c:\nhnthn.exec:\nhnthn.exe35⤵
- Executes dropped EXE
PID:2576 -
\??\c:\jdjdj.exec:\jdjdj.exe36⤵
- Executes dropped EXE
PID:3020 -
\??\c:\dpvpv.exec:\dpvpv.exe37⤵
- Executes dropped EXE
PID:2960 -
\??\c:\7lrrrxl.exec:\7lrrrxl.exe38⤵
- Executes dropped EXE
PID:1580 -
\??\c:\7lxxfxf.exec:\7lxxfxf.exe39⤵
- Executes dropped EXE
PID:2956 -
\??\c:\tnhtbb.exec:\tnhtbb.exe40⤵
- Executes dropped EXE
PID:2700 -
\??\c:\3tnthn.exec:\3tnthn.exe41⤵
- Executes dropped EXE
PID:2752 -
\??\c:\9jjpd.exec:\9jjpd.exe42⤵
- Executes dropped EXE
PID:2812 -
\??\c:\dpddd.exec:\dpddd.exe43⤵
- Executes dropped EXE
PID:2968 -
\??\c:\lfxxffr.exec:\lfxxffr.exe44⤵
- Executes dropped EXE
PID:2864 -
\??\c:\lfxfxxx.exec:\lfxfxxx.exe45⤵
- Executes dropped EXE
PID:2768 -
\??\c:\htnhnh.exec:\htnhnh.exe46⤵
- Executes dropped EXE
PID:2788 -
\??\c:\pdjdp.exec:\pdjdp.exe47⤵
- Executes dropped EXE
PID:2528 -
\??\c:\ddvdv.exec:\ddvdv.exe48⤵
- Executes dropped EXE
PID:2608 -
\??\c:\rrfrxff.exec:\rrfrxff.exe49⤵
- Executes dropped EXE
PID:3036 -
\??\c:\3lxfxfr.exec:\3lxfxfr.exe50⤵
- Executes dropped EXE
PID:2660 -
\??\c:\7bttnn.exec:\7bttnn.exe51⤵
- Executes dropped EXE
PID:1676 -
\??\c:\ttbthb.exec:\ttbthb.exe52⤵
- Executes dropped EXE
PID:1116 -
\??\c:\7vdvd.exec:\7vdvd.exe53⤵
- Executes dropped EXE
PID:1764 -
\??\c:\1lrlrrf.exec:\1lrlrrf.exe54⤵
- Executes dropped EXE
PID:1392 -
\??\c:\rlrrxxf.exec:\rlrrxxf.exe55⤵
- Executes dropped EXE
PID:1728 -
\??\c:\bbtbnt.exec:\bbtbnt.exe56⤵
- Executes dropped EXE
PID:632 -
\??\c:\ntbbtt.exec:\ntbbtt.exe57⤵
- Executes dropped EXE
PID:1192 -
\??\c:\pjppp.exec:\pjppp.exe58⤵
- Executes dropped EXE
PID:2004 -
\??\c:\pjpvd.exec:\pjpvd.exe59⤵
- Executes dropped EXE
PID:2092 -
\??\c:\xrlfxfl.exec:\xrlfxfl.exe60⤵
- Executes dropped EXE
PID:1320 -
\??\c:\frlfrrf.exec:\frlfrrf.exe61⤵
- Executes dropped EXE
PID:1932 -
\??\c:\dpppj.exec:\dpppj.exe62⤵
- Executes dropped EXE
PID:268 -
\??\c:\1llfrxf.exec:\1llfrxf.exe63⤵
- Executes dropped EXE
PID:1744 -
\??\c:\5rlrfrx.exec:\5rlrfrx.exe64⤵
- Executes dropped EXE
PID:2704 -
\??\c:\nhntbh.exec:\nhntbh.exe65⤵
- Executes dropped EXE
PID:2480 -
\??\c:\hbhhtb.exec:\hbhhtb.exe66⤵PID:2500
-
\??\c:\pjvdj.exec:\pjvdj.exe67⤵PID:2932
-
\??\c:\jdvpd.exec:\jdvpd.exe68⤵PID:2236
-
\??\c:\xlrrfff.exec:\xlrrfff.exe69⤵PID:612
-
\??\c:\frflrxf.exec:\frflrxf.exe70⤵PID:1724
-
\??\c:\nbhhhn.exec:\nbhhhn.exe71⤵PID:1780
-
\??\c:\tnbbhh.exec:\tnbbhh.exe72⤵PID:2476
-
\??\c:\vjppp.exec:\vjppp.exe73⤵PID:2096
-
\??\c:\3frxxfl.exec:\3frxxfl.exe74⤵PID:716
-
\??\c:\1xrfxrx.exec:\1xrfxrx.exe75⤵PID:1052
-
\??\c:\hbnnbh.exec:\hbnnbh.exe76⤵PID:1736
-
\??\c:\7bhntn.exec:\7bhntn.exe77⤵PID:2556
-
\??\c:\jvpvd.exec:\jvpvd.exe78⤵PID:564
-
\??\c:\jjjjj.exec:\jjjjj.exe79⤵PID:316
-
\??\c:\1lflxxf.exec:\1lflxxf.exe80⤵PID:332
-
\??\c:\9frxlrx.exec:\9frxlrx.exe81⤵PID:2524
-
\??\c:\tnntbn.exec:\tnntbn.exe82⤵PID:3016
-
\??\c:\btnnbb.exec:\btnnbb.exe83⤵PID:1588
-
\??\c:\pjvpp.exec:\pjvpp.exe84⤵PID:2328
-
\??\c:\dvddj.exec:\dvddj.exe85⤵PID:2264
-
\??\c:\xxxfflx.exec:\xxxfflx.exe86⤵PID:2896
-
\??\c:\lxrxfxf.exec:\lxrxfxf.exe87⤵PID:2736
-
\??\c:\bnhntb.exec:\bnhntb.exe88⤵PID:2840
-
\??\c:\1nbnnt.exec:\1nbnnt.exe89⤵PID:2968
-
\??\c:\7dpvp.exec:\7dpvp.exe90⤵PID:2888
-
\??\c:\ddpjv.exec:\ddpjv.exe91⤵PID:2732
-
\??\c:\fxxlrxl.exec:\fxxlrxl.exe92⤵PID:2744
-
\??\c:\lxfxfff.exec:\lxfxfff.exe93⤵PID:2656
-
\??\c:\thhntb.exec:\thhntb.exe94⤵PID:2528
-
\??\c:\hhtbhh.exec:\hhtbhh.exe95⤵PID:2664
-
\??\c:\pjjjv.exec:\pjjjv.exe96⤵PID:1504
-
\??\c:\dvdvj.exec:\dvdvj.exe97⤵PID:1484
-
\??\c:\vpjpp.exec:\vpjpp.exe98⤵PID:1816
-
\??\c:\lfxfrrx.exec:\lfxfrrx.exe99⤵PID:1512
-
\??\c:\7xrxlfl.exec:\7xrxlfl.exe100⤵PID:272
-
\??\c:\7bthnn.exec:\7bthnn.exe101⤵PID:1968
-
\??\c:\5htnnt.exec:\5htnnt.exe102⤵PID:1800
-
\??\c:\3vjpv.exec:\3vjpv.exe103⤵PID:1856
-
\??\c:\ddppj.exec:\ddppj.exe104⤵PID:2392
-
\??\c:\3rlrxxl.exec:\3rlrxxl.exe105⤵PID:1692
-
\??\c:\ttnthn.exec:\ttnthn.exe106⤵PID:1712
-
\??\c:\nbnbnt.exec:\nbnbnt.exe107⤵PID:1568
-
\??\c:\pjdpp.exec:\pjdpp.exe108⤵PID:1320
-
\??\c:\9ppdj.exec:\9ppdj.exe109⤵PID:1804
-
\??\c:\1rlrflr.exec:\1rlrflr.exe110⤵PID:2852
-
\??\c:\9rxxlrf.exec:\9rxxlrf.exe111⤵PID:2564
-
\??\c:\nbnnhb.exec:\nbnnhb.exe112⤵PID:2444
-
\??\c:\bttttb.exec:\bttttb.exe113⤵PID:2480
-
\??\c:\btnnnn.exec:\btnnnn.exe114⤵PID:2472
-
\??\c:\1vdjp.exec:\1vdjp.exe115⤵PID:2940
-
\??\c:\vjjjj.exec:\vjjjj.exe116⤵PID:2116
-
\??\c:\rrrrrrx.exec:\rrrrrrx.exe117⤵PID:1344
-
\??\c:\9xrlxxx.exec:\9xrlxxx.exe118⤵PID:1452
-
\??\c:\ttbhnn.exec:\ttbhnn.exe119⤵PID:904
-
\??\c:\hbbtbb.exec:\hbbtbb.exe120⤵PID:1660
-
\??\c:\pppdd.exec:\pppdd.exe121⤵PID:2108
-
\??\c:\1djvd.exec:\1djvd.exe122⤵PID:2096