Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe
-
Size
455KB
-
MD5
c2d60652899237eab1f854a06e871b80
-
SHA1
64561bbc313ee32a4e00f8ad0ab596e1721087af
-
SHA256
473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827
-
SHA512
f665a96d194c72ae1041fef979274978d28b3bec8a31e49d4b164ee8dd97d1fd3bd89166c0f7933ce84e0d19efb5b5724c71a108ed87895cdb328ba695def7a3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT2:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/1996-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-37-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2808-54-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2808-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-96-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2684-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-115-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2924-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/448-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-215-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/784-216-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/780-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-259-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2540-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/468-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-413-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1480-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-445-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2916-446-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1192-459-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2144-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-476-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2148-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-524-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2108-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1956-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1124-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-879-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2832-937-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2684-957-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-987-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2416-1031-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-1147-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1780 xrffllr.exe 2260 bthnbb.exe 2480 pjvvj.exe 2484 nnbntb.exe 2808 htnntn.exe 2764 5hbnnt.exe 1916 5htnbt.exe 2964 9jvdj.exe 2668 hbtthh.exe 2684 ddjjj.exe 2360 9hbhnt.exe 1464 ddjjv.exe 2924 tthnbh.exe 696 pjvjp.exe 2916 3lfrxfl.exe 2368 3vpvj.exe 1644 rrrfxxl.exe 2944 btnbnt.exe 1844 3rfllxf.exe 2152 5bntbh.exe 448 7lxflrl.exe 784 3hbnnh.exe 780 bnbbbt.exe 2052 thbtbb.exe 1960 ntnnnn.exe 900 9rflxfr.exe 1912 1bhhht.exe 2180 pvpdv.exe 2184 fflflrf.exe 2540 tnnttt.exe 468 dvjpv.exe 2284 tttthn.exe 3056 vpjpd.exe 2088 flxlxfr.exe 3064 bntbhh.exe 2260 ddvpp.exe 2196 vvpvp.exe 2216 9ffllrf.exe 2888 ttnthn.exe 2816 nbbbhh.exe 2768 vvvvp.exe 2744 ffrrrxl.exe 2212 5rffffl.exe 2964 7nhntt.exe 1264 dvppv.exe 2632 jdpvv.exe 2684 1llrlrx.exe 580 hhtbnn.exe 1648 pdpdd.exe 1464 ppjjp.exe 320 rrllxxf.exe 1480 3thntn.exe 1564 3jppd.exe 2916 pjvvj.exe 2140 rrxrrll.exe 1192 nntbbb.exe 2324 ppjvv.exe 2144 rlflxxf.exe 2148 xrllfrf.exe 344 hbtbhn.exe 3044 dvdvv.exe 3040 5xlrllr.exe 2552 thhbtt.exe 1036 7htbbb.exe -
resource yara_rule behavioral1/memory/1996-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-244-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2180-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/468-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-413-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1480-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-445-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2144-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-585-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2720-618-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2756-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-726-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/708-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-1062-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-1147-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2876-1184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-1227-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfxxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1996 wrote to memory of 1780 1996 473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe 30 PID 1996 wrote to memory of 1780 1996 473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe 30 PID 1996 wrote to memory of 1780 1996 473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe 30 PID 1996 wrote to memory of 1780 1996 473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe 30 PID 1780 wrote to memory of 2260 1780 xrffllr.exe 31 PID 1780 wrote to memory of 2260 1780 xrffllr.exe 31 PID 1780 wrote to memory of 2260 1780 xrffllr.exe 31 PID 1780 wrote to memory of 2260 1780 xrffllr.exe 31 PID 2260 wrote to memory of 2480 2260 bthnbb.exe 32 PID 2260 wrote to memory of 2480 2260 bthnbb.exe 32 PID 2260 wrote to memory of 2480 2260 bthnbb.exe 32 PID 2260 wrote to memory of 2480 2260 bthnbb.exe 32 PID 2480 wrote to memory of 2484 2480 pjvvj.exe 33 PID 2480 wrote to memory of 2484 2480 pjvvj.exe 33 PID 2480 wrote to memory of 2484 2480 pjvvj.exe 33 PID 2480 wrote to memory of 2484 2480 pjvvj.exe 33 PID 2484 wrote to memory of 2808 2484 nnbntb.exe 34 PID 2484 wrote to memory of 2808 2484 nnbntb.exe 34 PID 2484 wrote to memory of 2808 2484 nnbntb.exe 34 PID 2484 wrote to memory of 2808 2484 nnbntb.exe 34 PID 2808 wrote to memory of 2764 2808 htnntn.exe 35 PID 2808 wrote to memory of 2764 2808 htnntn.exe 35 PID 2808 wrote to memory of 2764 2808 htnntn.exe 35 PID 2808 wrote to memory of 2764 2808 htnntn.exe 35 PID 2764 wrote to memory of 1916 2764 5hbnnt.exe 36 PID 2764 wrote to memory of 1916 2764 5hbnnt.exe 36 PID 2764 wrote to memory of 1916 2764 5hbnnt.exe 36 PID 2764 wrote to memory of 1916 2764 5hbnnt.exe 36 PID 1916 wrote to memory of 2964 1916 5htnbt.exe 37 PID 1916 wrote to memory of 2964 1916 5htnbt.exe 37 PID 1916 wrote to memory of 2964 1916 5htnbt.exe 37 PID 1916 wrote to memory of 2964 1916 5htnbt.exe 37 PID 2964 wrote to memory of 2668 2964 9jvdj.exe 38 PID 2964 
wrote to memory of 2668 2964 9jvdj.exe 38 PID 2964 wrote to memory of 2668 2964 9jvdj.exe 38 PID 2964 wrote to memory of 2668 2964 9jvdj.exe 38 PID 2668 wrote to memory of 2684 2668 hbtthh.exe 39 PID 2668 wrote to memory of 2684 2668 hbtthh.exe 39 PID 2668 wrote to memory of 2684 2668 hbtthh.exe 39 PID 2668 wrote to memory of 2684 2668 hbtthh.exe 39 PID 2684 wrote to memory of 2360 2684 ddjjj.exe 40 PID 2684 wrote to memory of 2360 2684 ddjjj.exe 40 PID 2684 wrote to memory of 2360 2684 ddjjj.exe 40 PID 2684 wrote to memory of 2360 2684 ddjjj.exe 40 PID 2360 wrote to memory of 1464 2360 9hbhnt.exe 41 PID 2360 wrote to memory of 1464 2360 9hbhnt.exe 41 PID 2360 wrote to memory of 1464 2360 9hbhnt.exe 41 PID 2360 wrote to memory of 1464 2360 9hbhnt.exe 41 PID 1464 wrote to memory of 2924 1464 ddjjv.exe 42 PID 1464 wrote to memory of 2924 1464 ddjjv.exe 42 PID 1464 wrote to memory of 2924 1464 ddjjv.exe 42 PID 1464 wrote to memory of 2924 1464 ddjjv.exe 42 PID 2924 wrote to memory of 696 2924 tthnbh.exe 43 PID 2924 wrote to memory of 696 2924 tthnbh.exe 43 PID 2924 wrote to memory of 696 2924 tthnbh.exe 43 PID 2924 wrote to memory of 696 2924 tthnbh.exe 43 PID 696 wrote to memory of 2916 696 pjvjp.exe 44 PID 696 wrote to memory of 2916 696 pjvjp.exe 44 PID 696 wrote to memory of 2916 696 pjvjp.exe 44 PID 696 wrote to memory of 2916 696 pjvjp.exe 44 PID 2916 wrote to memory of 2368 2916 3lfrxfl.exe 45 PID 2916 wrote to memory of 2368 2916 3lfrxfl.exe 45 PID 2916 wrote to memory of 2368 2916 3lfrxfl.exe 45 PID 2916 wrote to memory of 2368 2916 3lfrxfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe"C:\Users\Admin\AppData\Local\Temp\473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\xrffllr.exec:\xrffllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\bthnbb.exec:\bthnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\pjvvj.exec:\pjvvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\nnbntb.exec:\nnbntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\htnntn.exec:\htnntn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\5hbnnt.exec:\5hbnnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\5htnbt.exec:\5htnbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\9jvdj.exec:\9jvdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\hbtthh.exec:\hbtthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\ddjjj.exec:\ddjjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\9hbhnt.exec:\9hbhnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\ddjjv.exec:\ddjjv.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\tthnbh.exec:\tthnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\pjvjp.exec:\pjvjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\3lfrxfl.exec:\3lfrxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\3vpvj.exec:\3vpvj.exe17⤵
- Executes dropped EXE
PID:2368 -
\??\c:\rrrfxxl.exec:\rrrfxxl.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644 -
\??\c:\btnbnt.exec:\btnbnt.exe19⤵
- Executes dropped EXE
PID:2944 -
\??\c:\3rfllxf.exec:\3rfllxf.exe20⤵
- Executes dropped EXE
PID:1844 -
\??\c:\5bntbh.exec:\5bntbh.exe21⤵
- Executes dropped EXE
PID:2152 -
\??\c:\7lxflrl.exec:\7lxflrl.exe22⤵
- Executes dropped EXE
PID:448 -
\??\c:\3hbnnh.exec:\3hbnnh.exe23⤵
- Executes dropped EXE
PID:784 -
\??\c:\bnbbbt.exec:\bnbbbt.exe24⤵
- Executes dropped EXE
PID:780 -
\??\c:\thbtbb.exec:\thbtbb.exe25⤵
- Executes dropped EXE
PID:2052 -
\??\c:\ntnnnn.exec:\ntnnnn.exe26⤵
- Executes dropped EXE
PID:1960 -
\??\c:\9rflxfr.exec:\9rflxfr.exe27⤵
- Executes dropped EXE
PID:900 -
\??\c:\1bhhht.exec:\1bhhht.exe28⤵
- Executes dropped EXE
PID:1912 -
\??\c:\pvpdv.exec:\pvpdv.exe29⤵
- Executes dropped EXE
PID:2180 -
\??\c:\fflflrf.exec:\fflflrf.exe30⤵
- Executes dropped EXE
PID:2184 -
\??\c:\tnnttt.exec:\tnnttt.exe31⤵
- Executes dropped EXE
PID:2540 -
\??\c:\dvjpv.exec:\dvjpv.exe32⤵
- Executes dropped EXE
PID:468 -
\??\c:\tttthn.exec:\tttthn.exe33⤵
- Executes dropped EXE
PID:2284 -
\??\c:\vpjpd.exec:\vpjpd.exe34⤵
- Executes dropped EXE
PID:3056 -
\??\c:\flxlxfr.exec:\flxlxfr.exe35⤵
- Executes dropped EXE
PID:2088 -
\??\c:\bntbhh.exec:\bntbhh.exe36⤵
- Executes dropped EXE
PID:3064 -
\??\c:\ddvpp.exec:\ddvpp.exe37⤵
- Executes dropped EXE
PID:2260 -
\??\c:\vvpvp.exec:\vvpvp.exe38⤵
- Executes dropped EXE
PID:2196 -
\??\c:\9ffllrf.exec:\9ffllrf.exe39⤵
- Executes dropped EXE
PID:2216 -
\??\c:\ttnthn.exec:\ttnthn.exe40⤵
- Executes dropped EXE
PID:2888 -
\??\c:\nbbbhh.exec:\nbbbhh.exe41⤵
- Executes dropped EXE
PID:2816 -
\??\c:\vvvvp.exec:\vvvvp.exe42⤵
- Executes dropped EXE
PID:2768 -
\??\c:\ffrrrxl.exec:\ffrrrxl.exe43⤵
- Executes dropped EXE
PID:2744 -
\??\c:\5rffffl.exec:\5rffffl.exe44⤵
- Executes dropped EXE
PID:2212 -
\??\c:\7nhntt.exec:\7nhntt.exe45⤵
- Executes dropped EXE
PID:2964 -
\??\c:\dvppv.exec:\dvppv.exe46⤵
- Executes dropped EXE
PID:1264 -
\??\c:\jdpvv.exec:\jdpvv.exe47⤵
- Executes dropped EXE
PID:2632 -
\??\c:\1llrlrx.exec:\1llrlrx.exe48⤵
- Executes dropped EXE
PID:2684 -
\??\c:\hhtbnn.exec:\hhtbnn.exe49⤵
- Executes dropped EXE
PID:580 -
\??\c:\pdpdd.exec:\pdpdd.exe50⤵
- Executes dropped EXE
PID:1648 -
\??\c:\ppjjp.exec:\ppjjp.exe51⤵
- Executes dropped EXE
PID:1464 -
\??\c:\rrllxxf.exec:\rrllxxf.exe52⤵
- Executes dropped EXE
PID:320 -
\??\c:\3thntn.exec:\3thntn.exe53⤵
- Executes dropped EXE
PID:1480 -
\??\c:\3jppd.exec:\3jppd.exe54⤵
- Executes dropped EXE
PID:1564 -
\??\c:\pjvvj.exec:\pjvvj.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916 -
\??\c:\rrxrrll.exec:\rrxrrll.exe56⤵
- Executes dropped EXE
PID:2140 -
\??\c:\nntbbb.exec:\nntbbb.exe57⤵
- Executes dropped EXE
PID:1192 -
\??\c:\ppjvv.exec:\ppjvv.exe58⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rlflxxf.exec:\rlflxxf.exe59⤵
- Executes dropped EXE
PID:2144 -
\??\c:\xrllfrf.exec:\xrllfrf.exe60⤵
- Executes dropped EXE
PID:2148 -
\??\c:\hbtbhn.exec:\hbtbhn.exe61⤵
- Executes dropped EXE
PID:344 -
\??\c:\dvdvv.exec:\dvdvv.exe62⤵
- Executes dropped EXE
PID:3044 -
\??\c:\5xlrllr.exec:\5xlrllr.exe63⤵
- Executes dropped EXE
PID:3040 -
\??\c:\thhbtt.exec:\thhbtt.exe64⤵
- Executes dropped EXE
PID:2552 -
\??\c:\7htbbb.exec:\7htbbb.exe65⤵
- Executes dropped EXE
PID:1036 -
\??\c:\vpddd.exec:\vpddd.exe66⤵PID:1768
-
\??\c:\frxxfxx.exec:\frxxfxx.exe67⤵PID:1848
-
\??\c:\frlxxxf.exec:\frlxxxf.exe68⤵PID:1960
-
\??\c:\bbbhtb.exec:\bbbhtb.exe69⤵PID:1944
-
\??\c:\pdvvd.exec:\pdvvd.exe70⤵PID:2108
-
\??\c:\xrllxxl.exec:\xrllxxl.exe71⤵PID:2500
-
\??\c:\7xrrlrr.exec:\7xrrlrr.exe72⤵PID:2524
-
\??\c:\ttthnn.exec:\ttthnn.exe73⤵PID:1488
-
\??\c:\vpdjj.exec:\vpdjj.exe74⤵PID:1956
-
\??\c:\jdvvd.exec:\jdvvd.exe75⤵PID:3020
-
\??\c:\frfxffl.exec:\frfxffl.exe76⤵PID:2192
-
\??\c:\nhbnbb.exec:\nhbnbb.exe77⤵PID:1060
-
\??\c:\7jvvv.exec:\7jvvv.exe78⤵PID:2256
-
\??\c:\ppjjj.exec:\ppjjj.exe79⤵PID:2116
-
\??\c:\rfxxffl.exec:\rfxxffl.exe80⤵PID:2428
-
\??\c:\hthntb.exec:\hthntb.exe81⤵PID:2720
-
\??\c:\nnbbhh.exec:\nnbbhh.exe82⤵PID:2828
-
\??\c:\ppjvp.exec:\ppjvp.exe83⤵PID:2072
-
\??\c:\7xllrrx.exec:\7xllrrx.exe84⤵PID:2756
-
\??\c:\bbnntb.exec:\bbnntb.exe85⤵PID:2432
-
\??\c:\tnnnbh.exec:\tnnnbh.exe86⤵PID:2832
-
\??\c:\jpvjp.exec:\jpvjp.exe87⤵PID:2700
-
\??\c:\jdpdj.exec:\jdpdj.exe88⤵PID:2880
-
\??\c:\frllrlx.exec:\frllrlx.exe89⤵PID:2724
-
\??\c:\tbnhnh.exec:\tbnhnh.exe90⤵PID:2664
-
\??\c:\bnbtnt.exec:\bnbtnt.exe91⤵PID:2656
-
\??\c:\dpvdd.exec:\dpvdd.exe92⤵PID:2492
-
\??\c:\pvvvd.exec:\pvvvd.exe93⤵PID:2956
-
\??\c:\rrffrrx.exec:\rrffrrx.exe94⤵PID:800
-
\??\c:\9nnthh.exec:\9nnthh.exe95⤵
- System Location Discovery: System Language Discovery
PID:596 -
\??\c:\7dppp.exec:\7dppp.exe96⤵PID:320
-
\??\c:\ddvjd.exec:\ddvjd.exe97⤵PID:1304
-
\??\c:\rfxxxxf.exec:\rfxxxxf.exe98⤵PID:1124
-
\??\c:\bbnnth.exec:\bbnnth.exe99⤵PID:1900
-
\??\c:\9btntt.exec:\9btntt.exe100⤵PID:2936
-
\??\c:\djjjv.exec:\djjjv.exe101⤵PID:1192
-
\??\c:\xxlrxxx.exec:\xxlrxxx.exe102⤵PID:2132
-
\??\c:\ttbthb.exec:\ttbthb.exe103⤵PID:1984
-
\??\c:\bbnnnt.exec:\bbnnnt.exe104⤵PID:2652
-
\??\c:\3djpv.exec:\3djpv.exe105⤵PID:344
-
\??\c:\5xlxxff.exec:\5xlxxff.exe106⤵PID:1344
-
\??\c:\hbnnnn.exec:\hbnnnn.exe107⤵PID:784
-
\??\c:\9nhtbt.exec:\9nhtbt.exe108⤵PID:708
-
\??\c:\vpjpv.exec:\vpjpv.exe109⤵PID:1268
-
\??\c:\frxrrll.exec:\frxrrll.exe110⤵PID:316
-
\??\c:\rfxflff.exec:\rfxflff.exe111⤵PID:840
-
\??\c:\1hnnhh.exec:\1hnnhh.exe112⤵PID:1328
-
\??\c:\jjpvp.exec:\jjpvp.exe113⤵PID:2476
-
\??\c:\llfllrr.exec:\llfllrr.exe114⤵PID:2532
-
\??\c:\xrffrlr.exec:\xrffrlr.exe115⤵PID:1752
-
\??\c:\hthbbb.exec:\hthbbb.exe116⤵PID:2032
-
\??\c:\7dppj.exec:\7dppj.exe117⤵PID:704
-
\??\c:\dvppd.exec:\dvppd.exe118⤵PID:1652
-
\??\c:\rllxxfl.exec:\rllxxfl.exe119⤵PID:1852
-
\??\c:\bthbnn.exec:\bthbnn.exe120⤵PID:1560
-
\??\c:\3pvvv.exec:\3pvvv.exe121⤵PID:2284
-
\??\c:\dpddp.exec:\dpddp.exe122⤵PID:2696