Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe
-
Size
454KB
-
MD5
e52ae1b54d854bfa0476d919f52bb450
-
SHA1
50dd5b3a3f836b06a0e85ff3678bbe3498f14acf
-
SHA256
3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4
-
SHA512
7207922407e95427b03d054c4cc5826f04ee9c8da81aa73eaeef24e84bc09bef7af86be72bdfc9d0217306779af451744c14dccb4234b7729720fe07bb4287fb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/1816-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-26-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2252-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-36-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2888-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/704-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-186-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2124-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/788-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1652-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1404-446-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2104-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/404-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-667-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2080-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-1017-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-1130-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2892-1151-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2388 bthnbh.exe 2248 1jvvd.exe 2460 rllrllx.exe 1836 3bthtb.exe 2252 9xflxlf.exe 2888 nhttbn.exe 2624 7dddj.exe 2652 fxlfllr.exe 2784 tnhhbh.exe 2612 rlxxllr.exe 704 lxxlxrx.exe 992 9jvvj.exe 3008 xrrxflx.exe 2952 hbnntb.exe 304 pjjjp.exe 2980 bttthh.exe 1468 3hnnbt.exe 1936 lfrllrx.exe 2336 tnhhnb.exe 2124 vjdjj.exe 2068 rllrrfr.exe 1236 djvvj.exe 1692 rxrfllf.exe 2020 pdvvj.exe 1544 7dvjp.exe 1808 frrxxfr.exe 788 jvddd.exe 988 bnhbbt.exe 1652 jvddd.exe 2536 3rrlxfl.exe 1988 hbhttb.exe 1688 5dvjp.exe 3032 7nhhhh.exe 532 jdppd.exe 2804 9jvdv.exe 2708 3rxfllx.exe 2764 nthbhb.exe 2824 9jvdv.exe 2840 3pddd.exe 2736 ffxxfll.exe 2624 rfrrllr.exe 2672 hthhhb.exe 2872 vjvjj.exe 2648 frlrflr.exe 2292 flrlrll.exe 2340 3thnnn.exe 2660 5dpjd.exe 2844 5rllrxf.exe 2972 1lxxxrr.exe 1296 hhhnbn.exe 2996 dpvjd.exe 1864 pjvpj.exe 1612 9flffxx.exe 1404 9bnntb.exe 2508 7pppd.exe 1876 9fxrllr.exe 2104 lrlrlrf.exe 1524 7nnnbb.exe 2136 9pdvd.exe 404 vpddd.exe 1084 lrflxxf.exe 1692 bnhntt.exe 2404 jppdv.exe 1828 pjvdj.exe -
resource yara_rule behavioral1/memory/1816-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/704-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-131-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2952-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-235-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/788-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-446-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2104-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/404-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-796-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2264-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-972-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-985-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-998-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-1017-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-1049-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-1068-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-1151-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xflllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpjp.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1816 wrote to memory of 2388 1816 3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe 30 PID 1816 wrote to memory of 2388 1816 3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe 30 PID 1816 wrote to memory of 2388 1816 3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe 30 PID 1816 wrote to memory of 2388 1816 3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe 30 PID 2388 wrote to memory of 2248 2388 bthnbh.exe 31 PID 2388 wrote to memory of 2248 2388 bthnbh.exe 31 PID 2388 wrote to memory of 2248 2388 bthnbh.exe 31 PID 2388 wrote to memory of 2248 2388 bthnbh.exe 31 PID 2248 wrote to memory of 2460 2248 1jvvd.exe 32 PID 2248 wrote to memory of 2460 2248 1jvvd.exe 32 PID 2248 wrote to memory of 2460 2248 1jvvd.exe 32 PID 2248 wrote to memory of 2460 2248 1jvvd.exe 32 PID 2460 wrote to memory of 1836 2460 rllrllx.exe 33 PID 2460 wrote to memory of 1836 2460 rllrllx.exe 33 PID 2460 wrote to memory of 1836 2460 rllrllx.exe 33 PID 2460 wrote to memory of 1836 2460 rllrllx.exe 33 PID 1836 wrote to memory of 2252 1836 3bthtb.exe 34 PID 1836 wrote to memory of 2252 1836 3bthtb.exe 34 PID 1836 wrote to memory of 2252 1836 3bthtb.exe 34 PID 1836 wrote to memory of 2252 1836 3bthtb.exe 34 PID 2252 wrote to memory of 2888 2252 9xflxlf.exe 35 PID 2252 wrote to memory of 2888 2252 9xflxlf.exe 35 PID 2252 wrote to memory of 2888 2252 9xflxlf.exe 35 PID 2252 wrote to memory of 2888 2252 9xflxlf.exe 35 PID 2888 wrote to memory of 2624 2888 nhttbn.exe 36 PID 2888 wrote to memory of 2624 2888 nhttbn.exe 36 PID 2888 wrote to memory of 2624 2888 nhttbn.exe 36 PID 2888 wrote to memory of 2624 2888 nhttbn.exe 36 PID 2624 wrote to memory of 2652 2624 7dddj.exe 37 PID 2624 wrote to memory of 2652 2624 7dddj.exe 37 PID 2624 wrote to memory of 2652 2624 7dddj.exe 37 PID 2624 wrote to memory of 2652 2624 7dddj.exe 37 PID 2652 wrote to memory of 2784 2652 fxlfllr.exe 38 PID 2652 
wrote to memory of 2784 2652 fxlfllr.exe 38 PID 2652 wrote to memory of 2784 2652 fxlfllr.exe 38 PID 2652 wrote to memory of 2784 2652 fxlfllr.exe 38 PID 2784 wrote to memory of 2612 2784 tnhhbh.exe 39 PID 2784 wrote to memory of 2612 2784 tnhhbh.exe 39 PID 2784 wrote to memory of 2612 2784 tnhhbh.exe 39 PID 2784 wrote to memory of 2612 2784 tnhhbh.exe 39 PID 2612 wrote to memory of 704 2612 rlxxllr.exe 40 PID 2612 wrote to memory of 704 2612 rlxxllr.exe 40 PID 2612 wrote to memory of 704 2612 rlxxllr.exe 40 PID 2612 wrote to memory of 704 2612 rlxxllr.exe 40 PID 704 wrote to memory of 992 704 lxxlxrx.exe 41 PID 704 wrote to memory of 992 704 lxxlxrx.exe 41 PID 704 wrote to memory of 992 704 lxxlxrx.exe 41 PID 704 wrote to memory of 992 704 lxxlxrx.exe 41 PID 992 wrote to memory of 3008 992 9jvvj.exe 42 PID 992 wrote to memory of 3008 992 9jvvj.exe 42 PID 992 wrote to memory of 3008 992 9jvvj.exe 42 PID 992 wrote to memory of 3008 992 9jvvj.exe 42 PID 3008 wrote to memory of 2952 3008 xrrxflx.exe 43 PID 3008 wrote to memory of 2952 3008 xrrxflx.exe 43 PID 3008 wrote to memory of 2952 3008 xrrxflx.exe 43 PID 3008 wrote to memory of 2952 3008 xrrxflx.exe 43 PID 2952 wrote to memory of 304 2952 hbnntb.exe 44 PID 2952 wrote to memory of 304 2952 hbnntb.exe 44 PID 2952 wrote to memory of 304 2952 hbnntb.exe 44 PID 2952 wrote to memory of 304 2952 hbnntb.exe 44 PID 304 wrote to memory of 2980 304 pjjjp.exe 45 PID 304 wrote to memory of 2980 304 pjjjp.exe 45 PID 304 wrote to memory of 2980 304 pjjjp.exe 45 PID 304 wrote to memory of 2980 304 pjjjp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe"C:\Users\Admin\AppData\Local\Temp\3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\bthnbh.exec:\bthnbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\1jvvd.exec:\1jvvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\rllrllx.exec:\rllrllx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\3bthtb.exec:\3bthtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\9xflxlf.exec:\9xflxlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\nhttbn.exec:\nhttbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\7dddj.exec:\7dddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\fxlfllr.exec:\fxlfllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\tnhhbh.exec:\tnhhbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\rlxxllr.exec:\rlxxllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\lxxlxrx.exec:\lxxlxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\9jvvj.exec:\9jvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\xrrxflx.exec:\xrrxflx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\hbnntb.exec:\hbnntb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\pjjjp.exec:\pjjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:304 -
\??\c:\bttthh.exec:\bttthh.exe17⤵
- Executes dropped EXE
PID:2980 -
\??\c:\3hnnbt.exec:\3hnnbt.exe18⤵
- Executes dropped EXE
PID:1468 -
\??\c:\lfrllrx.exec:\lfrllrx.exe19⤵
- Executes dropped EXE
PID:1936 -
\??\c:\tnhhnb.exec:\tnhhnb.exe20⤵
- Executes dropped EXE
PID:2336 -
\??\c:\vjdjj.exec:\vjdjj.exe21⤵
- Executes dropped EXE
PID:2124 -
\??\c:\rllrrfr.exec:\rllrrfr.exe22⤵
- Executes dropped EXE
PID:2068 -
\??\c:\djvvj.exec:\djvvj.exe23⤵
- Executes dropped EXE
PID:1236 -
\??\c:\rxrfllf.exec:\rxrfllf.exe24⤵
- Executes dropped EXE
PID:1692 -
\??\c:\pdvvj.exec:\pdvvj.exe25⤵
- Executes dropped EXE
PID:2020 -
\??\c:\7dvjp.exec:\7dvjp.exe26⤵
- Executes dropped EXE
PID:1544 -
\??\c:\frrxxfr.exec:\frrxxfr.exe27⤵
- Executes dropped EXE
PID:1808 -
\??\c:\jvddd.exec:\jvddd.exe28⤵
- Executes dropped EXE
PID:788 -
\??\c:\bnhbbt.exec:\bnhbbt.exe29⤵
- Executes dropped EXE
PID:988 -
\??\c:\jvddd.exec:\jvddd.exe30⤵
- Executes dropped EXE
PID:1652 -
\??\c:\3rrlxfl.exec:\3rrlxfl.exe31⤵
- Executes dropped EXE
PID:2536 -
\??\c:\hbhttb.exec:\hbhttb.exe32⤵
- Executes dropped EXE
PID:1988 -
\??\c:\5dvjp.exec:\5dvjp.exe33⤵
- Executes dropped EXE
PID:1688 -
\??\c:\7nhhhh.exec:\7nhhhh.exe34⤵
- Executes dropped EXE
PID:3032 -
\??\c:\jdppd.exec:\jdppd.exe35⤵
- Executes dropped EXE
PID:532 -
\??\c:\9jvdv.exec:\9jvdv.exe36⤵
- Executes dropped EXE
PID:2804 -
\??\c:\3rxfllx.exec:\3rxfllx.exe37⤵
- Executes dropped EXE
PID:2708 -
\??\c:\nthbhb.exec:\nthbhb.exe38⤵
- Executes dropped EXE
PID:2764 -
\??\c:\9jvdv.exec:\9jvdv.exe39⤵
- Executes dropped EXE
PID:2824 -
\??\c:\3pddd.exec:\3pddd.exe40⤵
- Executes dropped EXE
PID:2840 -
\??\c:\ffxxfll.exec:\ffxxfll.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\rfrrllr.exec:\rfrrllr.exe42⤵
- Executes dropped EXE
PID:2624 -
\??\c:\hthhhb.exec:\hthhhb.exe43⤵
- Executes dropped EXE
PID:2672 -
\??\c:\vjvjj.exec:\vjvjj.exe44⤵
- Executes dropped EXE
PID:2872 -
\??\c:\frlrflr.exec:\frlrflr.exe45⤵
- Executes dropped EXE
PID:2648 -
\??\c:\flrlrll.exec:\flrlrll.exe46⤵
- Executes dropped EXE
PID:2292 -
\??\c:\3thnnn.exec:\3thnnn.exe47⤵
- Executes dropped EXE
PID:2340 -
\??\c:\5dpjd.exec:\5dpjd.exe48⤵
- Executes dropped EXE
PID:2660 -
\??\c:\5rllrxf.exec:\5rllrxf.exe49⤵
- Executes dropped EXE
PID:2844 -
\??\c:\1lxxxrr.exec:\1lxxxrr.exe50⤵
- Executes dropped EXE
PID:2972 -
\??\c:\hhhnbn.exec:\hhhnbn.exe51⤵
- Executes dropped EXE
PID:1296 -
\??\c:\dpvjd.exec:\dpvjd.exe52⤵
- Executes dropped EXE
PID:2996 -
\??\c:\pjvpj.exec:\pjvpj.exe53⤵
- Executes dropped EXE
PID:1864 -
\??\c:\9flffxx.exec:\9flffxx.exe54⤵
- Executes dropped EXE
PID:1612 -
\??\c:\9bnntb.exec:\9bnntb.exe55⤵
- Executes dropped EXE
PID:1404 -
\??\c:\7pppd.exec:\7pppd.exe56⤵
- Executes dropped EXE
PID:2508 -
\??\c:\9fxrllr.exec:\9fxrllr.exe57⤵
- Executes dropped EXE
PID:1876 -
\??\c:\lrlrlrf.exec:\lrlrlrf.exe58⤵
- Executes dropped EXE
PID:2104 -
\??\c:\7nnnbb.exec:\7nnnbb.exe59⤵
- Executes dropped EXE
PID:1524 -
\??\c:\9pdvd.exec:\9pdvd.exe60⤵
- Executes dropped EXE
PID:2136 -
\??\c:\vpddd.exec:\vpddd.exe61⤵
- Executes dropped EXE
PID:404 -
\??\c:\lrflxxf.exec:\lrflxxf.exe62⤵
- Executes dropped EXE
PID:1084 -
\??\c:\bnhntt.exec:\bnhntt.exe63⤵
- Executes dropped EXE
PID:1692 -
\??\c:\jppdv.exec:\jppdv.exe64⤵
- Executes dropped EXE
PID:2404 -
\??\c:\pjvdj.exec:\pjvdj.exe65⤵
- Executes dropped EXE
PID:1828 -
\??\c:\rffrlxf.exec:\rffrlxf.exe66⤵PID:1492
-
\??\c:\nbhhbb.exec:\nbhhbb.exe67⤵PID:2380
-
\??\c:\3ntnhb.exec:\3ntnhb.exe68⤵PID:2208
-
\??\c:\vpddj.exec:\vpddj.exe69⤵PID:328
-
\??\c:\xrfllll.exec:\xrfllll.exe70⤵PID:1748
-
\??\c:\rrlrxfr.exec:\rrlrxfr.exe71⤵PID:1760
-
\??\c:\bthnhh.exec:\bthnhh.exe72⤵PID:1292
-
\??\c:\1jjpj.exec:\1jjpj.exe73⤵PID:2052
-
\??\c:\vddpj.exec:\vddpj.exe74⤵PID:1688
-
\??\c:\xrllrxr.exec:\xrllrxr.exe75⤵PID:596
-
\??\c:\nbnnnt.exec:\nbnnnt.exe76⤵PID:2456
-
\??\c:\bbtbnt.exec:\bbtbnt.exe77⤵PID:2108
-
\??\c:\vpvdj.exec:\vpvdj.exe78⤵PID:616
-
\??\c:\lfxlxxl.exec:\lfxlxxl.exe79⤵PID:2828
-
\??\c:\3xxlfxr.exec:\3xxlfxr.exe80⤵PID:2768
-
\??\c:\1ttbhh.exec:\1ttbhh.exe81⤵PID:3040
-
\??\c:\pjdvv.exec:\pjdvv.exe82⤵PID:2780
-
\??\c:\lfrrxff.exec:\lfrrxff.exe83⤵PID:2908
-
\??\c:\lxlrlxx.exec:\lxlrlxx.exe84⤵PID:2656
-
\??\c:\3bnbhn.exec:\3bnbhn.exe85⤵PID:2664
-
\??\c:\ppjjv.exec:\ppjjv.exe86⤵PID:2616
-
\??\c:\jvvdd.exec:\jvvdd.exe87⤵PID:1604
-
\??\c:\xxrlfff.exec:\xxrlfff.exe88⤵PID:844
-
\??\c:\nhbhnt.exec:\nhbhnt.exe89⤵PID:992
-
\??\c:\thttht.exec:\thttht.exe90⤵PID:2860
-
\??\c:\vpjpd.exec:\vpjpd.exe91⤵PID:2968
-
\??\c:\rlrrffx.exec:\rlrrffx.exe92⤵PID:2972
-
\??\c:\lfrfrrl.exec:\lfrfrrl.exe93⤵PID:2928
-
\??\c:\bbthnh.exec:\bbthnh.exe94⤵PID:2988
-
\??\c:\hhbhtt.exec:\hhbhtt.exe95⤵PID:1864
-
\??\c:\vjdpj.exec:\vjdpj.exe96⤵PID:2224
-
\??\c:\lfrlxxf.exec:\lfrlxxf.exe97⤵PID:1468
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe98⤵PID:572
-
\??\c:\bnbhhn.exec:\bnbhhn.exe99⤵PID:1876
-
\??\c:\7vvpp.exec:\7vvpp.exe100⤵PID:1472
-
\??\c:\vvppd.exec:\vvppd.exe101⤵PID:1112
-
\??\c:\xlxrrrr.exec:\xlxrrrr.exe102⤵PID:2080
-
\??\c:\btnbnn.exec:\btnbnn.exe103⤵PID:464
-
\??\c:\thbbbt.exec:\thbbbt.exe104⤵PID:2540
-
\??\c:\1vdjv.exec:\1vdjv.exe105⤵PID:1384
-
\??\c:\5rxrxxx.exec:\5rxrxxx.exe106⤵PID:848
-
\??\c:\3ffxxrr.exec:\3ffxxrr.exe107⤵PID:2588
-
\??\c:\htbttn.exec:\htbttn.exe108⤵PID:2316
-
\??\c:\dpjjp.exec:\dpjjp.exe109⤵PID:2524
-
\??\c:\1dpdd.exec:\1dpdd.exe110⤵PID:2392
-
\??\c:\1lllxxf.exec:\1lllxxf.exe111⤵PID:2284
-
\??\c:\rfrllll.exec:\rfrllll.exe112⤵PID:1752
-
\??\c:\1tnntb.exec:\1tnntb.exe113⤵PID:1992
-
\??\c:\5jppp.exec:\5jppp.exe114⤵PID:2172
-
\??\c:\pjddp.exec:\pjddp.exe115⤵PID:1292
-
\??\c:\flrlllr.exec:\flrlllr.exe116⤵PID:2304
-
\??\c:\hbnntn.exec:\hbnntn.exe117⤵PID:2264
-
\??\c:\htbttt.exec:\htbttt.exe118⤵PID:532
-
\??\c:\1jjvp.exec:\1jjvp.exe119⤵PID:2456
-
\??\c:\lxlrrfl.exec:\lxlrrfl.exe120⤵PID:2108
-
\??\c:\9rfrxfl.exec:\9rfrxfl.exe121⤵PID:2876
-
\??\c:\7nnnbb.exec:\7nnnbb.exe122⤵PID:2744