Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
20/01/2025, 09:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b9ab181df770c57cf1fb78f78054677352b537320d9c6324e6e133c05e7797a5.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
b9ab181df770c57cf1fb78f78054677352b537320d9c6324e6e133c05e7797a5.exe
-
Size
454KB
-
MD5
f0e48d61b80929d263140dda94d9e58f
-
SHA1
e7b89e7e192acff62ec5c00d46f29a6ef7b69dd2
-
SHA256
b9ab181df770c57cf1fb78f78054677352b537320d9c6324e6e133c05e7797a5
-
SHA512
e422713ac4fca89c7a938dbedab77279cbc352a582b106cb26d6166abbe7c2847451efa0cabac54bd3fba9718a3292566d3ba726cc73f4fc01d207bef49d3321
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE8:q7Tc2NYHUrAwfMp3CDE8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2424-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2720-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-431-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1976-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1360-486-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1360-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-493-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/996-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-783-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2776-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-844-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2632-864-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2764 jdpvd.exe 2144 826868.exe 2408 hbtthh.exe 2660 a2068.exe 2688 2646864.exe 2652 vpdjd.exe 2296 pvdjd.exe 836 fxrxlrf.exe 2432 3httnb.exe 2220 fxrrxfr.exe 2980 xfxlxrx.exe 2896 vjjvj.exe 2984 q60666.exe 2032 thbhhn.exe 3044 ttnbtb.exe 2284 o602002.exe 1904 6440224.exe 2152 hhbtht.exe 2160 nnbbbh.exe 2104 pppdv.exe 2400 xrllllx.exe 2416 2602008.exe 1148 frfflxf.exe 2600 4428000.exe 1048 nhtnnh.exe 2564 nbntbb.exe 2000 886004.exe 2240 864400.exe 1380 c866228.exe 1652 w24448.exe 324 pjdjd.exe 1700 rlfflrx.exe 2788 pjvdj.exe 3068 xrffxrx.exe 2812 lfflfxl.exe 2720 668804.exe 2688 ppjvv.exe 2696 1fxflrf.exe 2992 rrrfrrx.exe 2068 xrlfrll.exe 332 hnhtbn.exe 2428 7bnhhh.exe 2228 04802.exe 600 fxxfrfl.exe 2912 xrxrxfr.exe 2076 rfrrxrx.exe 2864 48624.exe 2468 864444.exe 3036 thhntt.exe 1900 7vjjp.exe 1444 822804.exe 568 rxlflrf.exe 900 s0406.exe 1976 s0842.exe 2376 fxllrlx.exe 2120 6080806.exe 2512 44808.exe 448 048428.exe 2312 264088.exe 1360 3ppvd.exe 1268 88026.exe 2600 20240.exe 2036 080622.exe 2584 2680242.exe -
resource yara_rule behavioral1/memory/2424-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-279-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/324-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-486-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1360-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-844-0x0000000000430000-0x000000000045A000-memory.dmp upx 
behavioral1/memory/2632-864-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
pjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllxrx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2424 wrote to memory of 2764 2424 b9ab181df770c57cf1fb78f78054677352b537320d9c6324e6e133c05e7797a5.exe 31 PID 2424 wrote to memory of 2764 2424 b9ab181df770c57cf1fb78f78054677352b537320d9c6324e6e133c05e7797a5.exe 31 PID 2424 wrote to memory of 2764 2424 b9ab181df770c57cf1fb78f78054677352b537320d9c6324e6e133c05e7797a5.exe 31 PID 2424 wrote to memory of 2764 2424 b9ab181df770c57cf1fb78f78054677352b537320d9c6324e6e133c05e7797a5.exe 31 PID 2764 wrote to memory of 2144 2764 jdpvd.exe 32 PID 2764 wrote to memory of 2144 2764 jdpvd.exe 32 PID 2764 wrote to memory of 2144 2764 jdpvd.exe 32 PID 2764 wrote to memory of 2144 2764 jdpvd.exe 32 PID 2144 wrote to memory of 2408 2144 826868.exe 33 PID 2144 wrote to memory of 2408 2144 826868.exe 33 PID 2144 wrote to memory of 2408 2144 826868.exe 33 PID 2144 wrote to memory of 2408 2144 826868.exe 33 PID 2408 wrote to memory of 2660 2408 hbtthh.exe 34 PID 2408 wrote to memory of 2660 2408 hbtthh.exe 34 PID 2408 wrote to memory of 2660 2408 hbtthh.exe 34 PID 2408 wrote to memory of 2660 2408 hbtthh.exe 34 PID 2660 wrote to memory of 2688 2660 a2068.exe 35 PID 2660 wrote to memory of 2688 2660 a2068.exe 35 PID 2660 wrote to memory of 2688 2660 a2068.exe 35 PID 2660 wrote to memory of 2688 2660 a2068.exe 35 PID 2688 wrote to memory of 2652 2688 2646864.exe 36 PID 2688 wrote to memory of 2652 2688 2646864.exe 36 PID 2688 wrote to memory of 2652 2688 2646864.exe 36 PID 2688 wrote to memory of 2652 2688 2646864.exe 36 PID 2652 wrote to memory of 2296 2652 vpdjd.exe 37 PID 2652 wrote to memory of 2296 2652 vpdjd.exe 37 PID 2652 wrote to memory of 2296 2652 vpdjd.exe 37 PID 2652 wrote to memory of 2296 2652 vpdjd.exe 37 PID 2296 wrote to memory of 836 2296 pvdjd.exe 38 PID 2296 wrote to memory of 836 2296 pvdjd.exe 38 PID 2296 wrote to memory of 836 2296 pvdjd.exe 38 PID 2296 wrote to memory of 836 2296 pvdjd.exe 38 PID 836 wrote to memory of 2432 836 fxrxlrf.exe 39 PID 836 wrote to memory of 
2432 836 fxrxlrf.exe 39 PID 836 wrote to memory of 2432 836 fxrxlrf.exe 39 PID 836 wrote to memory of 2432 836 fxrxlrf.exe 39 PID 2432 wrote to memory of 2220 2432 3httnb.exe 40 PID 2432 wrote to memory of 2220 2432 3httnb.exe 40 PID 2432 wrote to memory of 2220 2432 3httnb.exe 40 PID 2432 wrote to memory of 2220 2432 3httnb.exe 40 PID 2220 wrote to memory of 2980 2220 fxrrxfr.exe 41 PID 2220 wrote to memory of 2980 2220 fxrrxfr.exe 41 PID 2220 wrote to memory of 2980 2220 fxrrxfr.exe 41 PID 2220 wrote to memory of 2980 2220 fxrrxfr.exe 41 PID 2980 wrote to memory of 2896 2980 xfxlxrx.exe 42 PID 2980 wrote to memory of 2896 2980 xfxlxrx.exe 42 PID 2980 wrote to memory of 2896 2980 xfxlxrx.exe 42 PID 2980 wrote to memory of 2896 2980 xfxlxrx.exe 42 PID 2896 wrote to memory of 2984 2896 vjjvj.exe 43 PID 2896 wrote to memory of 2984 2896 vjjvj.exe 43 PID 2896 wrote to memory of 2984 2896 vjjvj.exe 43 PID 2896 wrote to memory of 2984 2896 vjjvj.exe 43 PID 2984 wrote to memory of 2032 2984 q60666.exe 44 PID 2984 wrote to memory of 2032 2984 q60666.exe 44 PID 2984 wrote to memory of 2032 2984 q60666.exe 44 PID 2984 wrote to memory of 2032 2984 q60666.exe 44 PID 2032 wrote to memory of 3044 2032 thbhhn.exe 45 PID 2032 wrote to memory of 3044 2032 thbhhn.exe 45 PID 2032 wrote to memory of 3044 2032 thbhhn.exe 45 PID 2032 wrote to memory of 3044 2032 thbhhn.exe 45 PID 3044 wrote to memory of 2284 3044 ttnbtb.exe 46 PID 3044 wrote to memory of 2284 3044 ttnbtb.exe 46 PID 3044 wrote to memory of 2284 3044 ttnbtb.exe 46 PID 3044 wrote to memory of 2284 3044 ttnbtb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9ab181df770c57cf1fb78f78054677352b537320d9c6324e6e133c05e7797a5.exe"C:\Users\Admin\AppData\Local\Temp\b9ab181df770c57cf1fb78f78054677352b537320d9c6324e6e133c05e7797a5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\jdpvd.exec:\jdpvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\826868.exec:\826868.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\hbtthh.exec:\hbtthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\a2068.exec:\a2068.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\2646864.exec:\2646864.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\vpdjd.exec:\vpdjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\pvdjd.exec:\pvdjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\fxrxlrf.exec:\fxrxlrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\3httnb.exec:\3httnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\fxrrxfr.exec:\fxrrxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\xfxlxrx.exec:\xfxlxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\vjjvj.exec:\vjjvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\q60666.exec:\q60666.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\thbhhn.exec:\thbhhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\ttnbtb.exec:\ttnbtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\o602002.exec:\o602002.exe17⤵
- Executes dropped EXE
PID:2284 -
\??\c:\6440224.exec:\6440224.exe18⤵
- Executes dropped EXE
PID:1904 -
\??\c:\hhbtht.exec:\hhbtht.exe19⤵
- Executes dropped EXE
PID:2152 -
\??\c:\nnbbbh.exec:\nnbbbh.exe20⤵
- Executes dropped EXE
PID:2160 -
\??\c:\pppdv.exec:\pppdv.exe21⤵
- Executes dropped EXE
PID:2104 -
\??\c:\xrllllx.exec:\xrllllx.exe22⤵
- Executes dropped EXE
PID:2400 -
\??\c:\2602008.exec:\2602008.exe23⤵
- Executes dropped EXE
PID:2416 -
\??\c:\frfflxf.exec:\frfflxf.exe24⤵
- Executes dropped EXE
PID:1148 -
\??\c:\4428000.exec:\4428000.exe25⤵
- Executes dropped EXE
PID:2600 -
\??\c:\nhtnnh.exec:\nhtnnh.exe26⤵
- Executes dropped EXE
PID:1048 -
\??\c:\nbntbb.exec:\nbntbb.exe27⤵
- Executes dropped EXE
PID:2564 -
\??\c:\886004.exec:\886004.exe28⤵
- Executes dropped EXE
PID:2000 -
\??\c:\864400.exec:\864400.exe29⤵
- Executes dropped EXE
PID:2240 -
\??\c:\c866228.exec:\c866228.exe30⤵
- Executes dropped EXE
PID:1380 -
\??\c:\w24448.exec:\w24448.exe31⤵
- Executes dropped EXE
PID:1652 -
\??\c:\pjdjd.exec:\pjdjd.exe32⤵
- Executes dropped EXE
PID:324 -
\??\c:\rlfflrx.exec:\rlfflrx.exe33⤵
- Executes dropped EXE
PID:1700 -
\??\c:\pjvdj.exec:\pjvdj.exe34⤵
- Executes dropped EXE
PID:2788 -
\??\c:\xrffxrx.exec:\xrffxrx.exe35⤵
- Executes dropped EXE
PID:3068 -
\??\c:\lfflfxl.exec:\lfflfxl.exe36⤵
- Executes dropped EXE
PID:2812 -
\??\c:\668804.exec:\668804.exe37⤵
- Executes dropped EXE
PID:2720 -
\??\c:\ppjvv.exec:\ppjvv.exe38⤵
- Executes dropped EXE
PID:2688 -
\??\c:\1fxflrf.exec:\1fxflrf.exe39⤵
- Executes dropped EXE
PID:2696 -
\??\c:\rrrfrrx.exec:\rrrfrrx.exe40⤵
- Executes dropped EXE
PID:2992 -
\??\c:\xrlfrll.exec:\xrlfrll.exe41⤵
- Executes dropped EXE
PID:2068 -
\??\c:\hnhtbn.exec:\hnhtbn.exe42⤵
- Executes dropped EXE
PID:332 -
\??\c:\7bnhhh.exec:\7bnhhh.exe43⤵
- Executes dropped EXE
PID:2428 -
\??\c:\04802.exec:\04802.exe44⤵
- Executes dropped EXE
PID:2228 -
\??\c:\fxxfrfl.exec:\fxxfrfl.exe45⤵
- Executes dropped EXE
PID:600 -
\??\c:\xrxrxfr.exec:\xrxrxfr.exe46⤵
- Executes dropped EXE
PID:2912 -
\??\c:\rfrrxrx.exec:\rfrrxrx.exe47⤵
- Executes dropped EXE
PID:2076 -
\??\c:\48624.exec:\48624.exe48⤵
- Executes dropped EXE
PID:2864 -
\??\c:\864444.exec:\864444.exe49⤵
- Executes dropped EXE
PID:2468 -
\??\c:\thhntt.exec:\thhntt.exe50⤵
- Executes dropped EXE
PID:3036 -
\??\c:\7vjjp.exec:\7vjjp.exe51⤵
- Executes dropped EXE
PID:1900 -
\??\c:\822804.exec:\822804.exe52⤵
- Executes dropped EXE
PID:1444 -
\??\c:\rxlflrf.exec:\rxlflrf.exe53⤵
- Executes dropped EXE
PID:568 -
\??\c:\s0406.exec:\s0406.exe54⤵
- Executes dropped EXE
PID:900 -
\??\c:\s0842.exec:\s0842.exe55⤵
- Executes dropped EXE
PID:1976 -
\??\c:\fxllrlx.exec:\fxllrlx.exe56⤵
- Executes dropped EXE
PID:2376 -
\??\c:\6080806.exec:\6080806.exe57⤵
- Executes dropped EXE
PID:2120 -
\??\c:\44808.exec:\44808.exe58⤵
- Executes dropped EXE
PID:2512 -
\??\c:\048428.exec:\048428.exe59⤵
- Executes dropped EXE
PID:448 -
\??\c:\264088.exec:\264088.exe60⤵
- Executes dropped EXE
PID:2312 -
\??\c:\3ppvd.exec:\3ppvd.exe61⤵
- Executes dropped EXE
PID:1360 -
\??\c:\88026.exec:\88026.exe62⤵
- Executes dropped EXE
PID:1268 -
\??\c:\20240.exec:\20240.exe63⤵
- Executes dropped EXE
PID:2600 -
\??\c:\080622.exec:\080622.exe64⤵
- Executes dropped EXE
PID:2036 -
\??\c:\2680242.exec:\2680242.exe65⤵
- Executes dropped EXE
PID:2584 -
\??\c:\9vvdd.exec:\9vvdd.exe66⤵PID:832
-
\??\c:\a2024.exec:\a2024.exe67⤵PID:1844
-
\??\c:\rrffffl.exec:\rrffffl.exe68⤵PID:996
-
\??\c:\044680.exec:\044680.exe69⤵PID:1804
-
\??\c:\i880268.exec:\i880268.exe70⤵PID:1660
-
\??\c:\lfxxrrf.exec:\lfxxrrf.exe71⤵PID:1672
-
\??\c:\nthhtb.exec:\nthhtb.exe72⤵PID:308
-
\??\c:\4406840.exec:\4406840.exe73⤵PID:2556
-
\??\c:\260240.exec:\260240.exe74⤵PID:2144
-
\??\c:\9flrxxf.exec:\9flrxxf.exe75⤵PID:2788
-
\??\c:\640288.exec:\640288.exe76⤵PID:2656
-
\??\c:\xxlxrxl.exec:\xxlxrxl.exe77⤵PID:2880
-
\??\c:\1htbbb.exec:\1htbbb.exe78⤵PID:2720
-
\??\c:\hhhtbh.exec:\hhhtbh.exe79⤵PID:2940
-
\??\c:\82462.exec:\82462.exe80⤵PID:2696
-
\??\c:\g0280.exec:\g0280.exe81⤵PID:2884
-
\??\c:\4220424.exec:\4220424.exe82⤵PID:2532
-
\??\c:\206202.exec:\206202.exe83⤵PID:2472
-
\??\c:\nhnnhn.exec:\nhnnhn.exe84⤵PID:2444
-
\??\c:\nhtbnn.exec:\nhtbnn.exe85⤵PID:2220
-
\??\c:\s4846.exec:\s4846.exe86⤵PID:3016
-
\??\c:\djjdd.exec:\djjdd.exe87⤵PID:2372
-
\??\c:\xxrxfll.exec:\xxrxfll.exe88⤵PID:2700
-
\??\c:\42646.exec:\42646.exe89⤵PID:1664
-
\??\c:\46206.exec:\46206.exe90⤵PID:3028
-
\??\c:\g2068.exec:\g2068.exe91⤵PID:820
-
\??\c:\jjvdp.exec:\jjvdp.exe92⤵PID:2744
-
\??\c:\a4282.exec:\a4282.exe93⤵PID:2692
-
\??\c:\4424628.exec:\4424628.exe94⤵PID:1932
-
\??\c:\xxxlflf.exec:\xxxlflf.exe95⤵PID:1600
-
\??\c:\2662842.exec:\2662842.exe96⤵PID:2100
-
\??\c:\hbtbhh.exec:\hbtbhh.exe97⤵PID:2172
-
\??\c:\60808.exec:\60808.exe98⤵PID:2924
-
\??\c:\pjpdv.exec:\pjpdv.exe99⤵PID:1096
-
\??\c:\rrxxlrl.exec:\rrxxlrl.exe100⤵PID:2340
-
\??\c:\w86804.exec:\w86804.exe101⤵PID:2028
-
\??\c:\80642.exec:\80642.exe102⤵PID:1148
-
\??\c:\jjjjv.exec:\jjjjv.exe103⤵PID:904
-
\??\c:\hbhnbb.exec:\hbhnbb.exe104⤵PID:1284
-
\??\c:\q02844.exec:\q02844.exe105⤵PID:1048
-
\??\c:\2602664.exec:\2602664.exe106⤵PID:1520
-
\??\c:\pjjpv.exec:\pjjpv.exe107⤵PID:2552
-
\??\c:\08624.exec:\08624.exe108⤵PID:1816
-
\??\c:\4246222.exec:\4246222.exe109⤵PID:3060
-
\??\c:\08422.exec:\08422.exe110⤵PID:1992
-
\??\c:\2448440.exec:\2448440.exe111⤵PID:1692
-
\??\c:\xrfrxfr.exec:\xrfrxfr.exe112⤵PID:2776
-
\??\c:\dpddj.exec:\dpddj.exe113⤵PID:2844
-
\??\c:\pjvpj.exec:\pjvpj.exe114⤵PID:2840
-
\??\c:\tnbbbt.exec:\tnbbbt.exe115⤵PID:2752
-
\??\c:\42008.exec:\42008.exe116⤵PID:1432
-
\??\c:\bthtbt.exec:\bthtbt.exe117⤵PID:2680
-
\??\c:\20880.exec:\20880.exe118⤵PID:2632
-
\??\c:\2606220.exec:\2606220.exe119⤵PID:2800
-
\??\c:\ffxxlrf.exec:\ffxxlrf.exe120⤵PID:2688
-
\??\c:\bnnbhh.exec:\bnnbhh.exe121⤵PID:2696
-
\??\c:\ddpdp.exec:\ddpdp.exe122⤵PID:2884