Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
20/01/2025, 09:16
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe
-
Size
455KB
-
MD5
41bec20e646e53a00f561cb782224220
-
SHA1
9b2b45d0c36a0fcf2a58812e96c3bed5e3f76c1c
-
SHA256
cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0
-
SHA512
b37ea2d6c65e56cb9e7cb76d21ce58d6a3a9fca3771ec93ba26561ef1cb2f63d4fecfa4919abffa10e4d38b5be378f8058ea6fdba4724fe77154809f709a29c3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 43 IoCs (the yara rule `family_blackmoon` fires on the same 0x400000–0x42A000 image region in the initial process and in every spawned stage listed below, consistent with each dropped stage being a copy of the same payload)
resource yara_rule behavioral1/memory/2540-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-57-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2696-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2676-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-76-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon behavioral1/memory/1680-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-133-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2012-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2168-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-227-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1068-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-319-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3000-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-375-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2008-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1380-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-733-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2424-765-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2284-921-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon 
behavioral1/memory/2300-1022-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (each stage writes the next random-looking executable, e.g. `c:\nnbhtb.exe`, directly to the root of C:\ and launches it, forming the linear spawn chain shown under Processes; short consonant-only EXE names at the drive root are a useful hunting indicator for this sample)
pid Process 2852 nnbhtb.exe 2804 9jdpv.exe 3044 9fxrflx.exe 2872 nhttnt.exe 2696 xxxlxfr.exe 2840 9bnthn.exe 2676 lllxrfx.exe 1680 thnhhh.exe 2996 tntbnt.exe 2260 rlxfrxf.exe 2484 1tntht.exe 2596 xxllxfl.exe 2984 tthnnn.exe 2012 9rrlrxl.exe 2064 bhbbnh.exe 3052 frlfxll.exe 3040 bbthtt.exe 1020 vvjjv.exe 1420 hnhntb.exe 1244 3xxlflf.exe 2168 dddjd.exe 2608 nbntnb.exe 780 lrfrrlr.exe 1124 ntthbn.exe 1068 3ddjd.exe 1916 flrlrxf.exe 2324 bnbhbb.exe 1532 vvdjv.exe 672 rffrrxr.exe 832 1btbtb.exe 2432 vdvjp.exe 1576 nnthnb.exe 2180 djvjj.exe 2896 rfxfxlf.exe 2768 bntttn.exe 2668 jppdd.exe 2872 5frxfrx.exe 2780 tntbnn.exe 3000 5pdvp.exe 2692 frfrfrf.exe 2624 hhtbht.exe 840 jdjjj.exe 552 rlrxrfx.exe 2760 tbbbnt.exe 2504 jvvjj.exe 1084 jpjjv.exe 2008 rxxrrxx.exe 2764 7tnthb.exe 2964 9vdjd.exe 2236 3rlxlxl.exe 1424 btnthn.exe 2408 httbht.exe 1252 vvvdj.exe 1380 rrfrfrx.exe 3040 hthhbt.exe 1588 ddjpj.exe 1592 3frxfrf.exe 2340 bhnhhb.exe 896 djdvp.exe 2648 lfllxrl.exe 1868 9fflxfr.exe 592 nttttb.exe 3024 3vpvj.exe 2592 1fxllxr.exe -
resource yara_rule behavioral1/memory/2540-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1068-239-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1916-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-364-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/840-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/552-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-883-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-922-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-935-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-1071-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Reading `HKLM\SYSTEM\ControlSet001\Control\NLS\Language` is also common in benign software, so on its own this is supporting context rather than a standalone indicator. Most entries below are attributed to "Process not Found", most likely because the short-lived stage processes had already exited — several PIDs (e.g. 2872, 3040, 832, 2064) are reused later in the chain — before the event could be attributed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlrxxf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (every recorded write goes from a stage to the child it has just spawned, mirroring the parent→child chain under Processes, four entries per child; there is no write into an unrelated or pre-existing process, so this reflects the self-replicating launch chain rather than injection into third-party processes)
description pid Process procid_target PID 2540 wrote to memory of 2852 2540 cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe 30 PID 2540 wrote to memory of 2852 2540 cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe 30 PID 2540 wrote to memory of 2852 2540 cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe 30 PID 2540 wrote to memory of 2852 2540 cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe 30 PID 2852 wrote to memory of 2804 2852 nnbhtb.exe 31 PID 2852 wrote to memory of 2804 2852 nnbhtb.exe 31 PID 2852 wrote to memory of 2804 2852 nnbhtb.exe 31 PID 2852 wrote to memory of 2804 2852 nnbhtb.exe 31 PID 2804 wrote to memory of 3044 2804 9jdpv.exe 32 PID 2804 wrote to memory of 3044 2804 9jdpv.exe 32 PID 2804 wrote to memory of 3044 2804 9jdpv.exe 32 PID 2804 wrote to memory of 3044 2804 9jdpv.exe 32 PID 3044 wrote to memory of 2872 3044 9fxrflx.exe 33 PID 3044 wrote to memory of 2872 3044 9fxrflx.exe 33 PID 3044 wrote to memory of 2872 3044 9fxrflx.exe 33 PID 3044 wrote to memory of 2872 3044 9fxrflx.exe 33 PID 2872 wrote to memory of 2696 2872 nhttnt.exe 34 PID 2872 wrote to memory of 2696 2872 nhttnt.exe 34 PID 2872 wrote to memory of 2696 2872 nhttnt.exe 34 PID 2872 wrote to memory of 2696 2872 nhttnt.exe 34 PID 2696 wrote to memory of 2840 2696 xxxlxfr.exe 35 PID 2696 wrote to memory of 2840 2696 xxxlxfr.exe 35 PID 2696 wrote to memory of 2840 2696 xxxlxfr.exe 35 PID 2696 wrote to memory of 2840 2696 xxxlxfr.exe 35 PID 2840 wrote to memory of 2676 2840 9bnthn.exe 36 PID 2840 wrote to memory of 2676 2840 9bnthn.exe 36 PID 2840 wrote to memory of 2676 2840 9bnthn.exe 36 PID 2840 wrote to memory of 2676 2840 9bnthn.exe 36 PID 2676 wrote to memory of 1680 2676 lllxrfx.exe 37 PID 2676 wrote to memory of 1680 2676 lllxrfx.exe 37 PID 2676 wrote to memory of 1680 2676 lllxrfx.exe 37 PID 2676 wrote to memory of 1680 2676 lllxrfx.exe 37 PID 1680 wrote to memory of 2996 1680 thnhhh.exe 38 
PID 1680 wrote to memory of 2996 1680 thnhhh.exe 38 PID 1680 wrote to memory of 2996 1680 thnhhh.exe 38 PID 1680 wrote to memory of 2996 1680 thnhhh.exe 38 PID 2996 wrote to memory of 2260 2996 tntbnt.exe 39 PID 2996 wrote to memory of 2260 2996 tntbnt.exe 39 PID 2996 wrote to memory of 2260 2996 tntbnt.exe 39 PID 2996 wrote to memory of 2260 2996 tntbnt.exe 39 PID 2260 wrote to memory of 2484 2260 rlxfrxf.exe 40 PID 2260 wrote to memory of 2484 2260 rlxfrxf.exe 40 PID 2260 wrote to memory of 2484 2260 rlxfrxf.exe 40 PID 2260 wrote to memory of 2484 2260 rlxfrxf.exe 40 PID 2484 wrote to memory of 2596 2484 1tntht.exe 41 PID 2484 wrote to memory of 2596 2484 1tntht.exe 41 PID 2484 wrote to memory of 2596 2484 1tntht.exe 41 PID 2484 wrote to memory of 2596 2484 1tntht.exe 41 PID 2596 wrote to memory of 2984 2596 xxllxfl.exe 42 PID 2596 wrote to memory of 2984 2596 xxllxfl.exe 42 PID 2596 wrote to memory of 2984 2596 xxllxfl.exe 42 PID 2596 wrote to memory of 2984 2596 xxllxfl.exe 42 PID 2984 wrote to memory of 2012 2984 tthnnn.exe 43 PID 2984 wrote to memory of 2012 2984 tthnnn.exe 43 PID 2984 wrote to memory of 2012 2984 tthnnn.exe 43 PID 2984 wrote to memory of 2012 2984 tthnnn.exe 43 PID 2012 wrote to memory of 2064 2012 9rrlrxl.exe 44 PID 2012 wrote to memory of 2064 2012 9rrlrxl.exe 44 PID 2012 wrote to memory of 2064 2012 9rrlrxl.exe 44 PID 2012 wrote to memory of 2064 2012 9rrlrxl.exe 44 PID 2064 wrote to memory of 3052 2064 bhbbnh.exe 45 PID 2064 wrote to memory of 3052 2064 bhbbnh.exe 45 PID 2064 wrote to memory of 3052 2064 bhbbnh.exe 45 PID 2064 wrote to memory of 3052 2064 bhbbnh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe — command line: "C:\Users\Admin\AppData\Local\Temp\cb46397e13ee1b9621d6cce08807183dee7127e1febf2e7e796ca6acf683bbe0N.exe" (depth 1)
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\nnbhtb.exe — command line: c:\nnbhtb.exe (depth 2; dropped at the root of C:\)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\9jdpv.exec:\9jdpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\9fxrflx.exec:\9fxrflx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\nhttnt.exec:\nhttnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\xxxlxfr.exec:\xxxlxfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\9bnthn.exec:\9bnthn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\lllxrfx.exec:\lllxrfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\thnhhh.exec:\thnhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\tntbnt.exec:\tntbnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\rlxfrxf.exec:\rlxfrxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\1tntht.exec:\1tntht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\xxllxfl.exec:\xxllxfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\tthnnn.exec:\tthnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\9rrlrxl.exec:\9rrlrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\bhbbnh.exec:\bhbbnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\frlfxll.exec:\frlfxll.exe17⤵
- Executes dropped EXE
PID:3052 -
\??\c:\bbthtt.exec:\bbthtt.exe18⤵
- Executes dropped EXE
PID:3040 -
\??\c:\vvjjv.exec:\vvjjv.exe19⤵
- Executes dropped EXE
PID:1020 -
\??\c:\hnhntb.exec:\hnhntb.exe20⤵
- Executes dropped EXE
PID:1420 -
\??\c:\3xxlflf.exec:\3xxlflf.exe21⤵
- Executes dropped EXE
PID:1244 -
\??\c:\dddjd.exec:\dddjd.exe22⤵
- Executes dropped EXE
PID:2168 -
\??\c:\nbntnb.exec:\nbntnb.exe23⤵
- Executes dropped EXE
PID:2608 -
\??\c:\lrfrrlr.exec:\lrfrrlr.exe24⤵
- Executes dropped EXE
PID:780 -
\??\c:\ntthbn.exec:\ntthbn.exe25⤵
- Executes dropped EXE
PID:1124 -
\??\c:\3ddjd.exec:\3ddjd.exe26⤵
- Executes dropped EXE
PID:1068 -
\??\c:\flrlrxf.exec:\flrlrxf.exe27⤵
- Executes dropped EXE
PID:1916 -
\??\c:\bnbhbb.exec:\bnbhbb.exe28⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vvdjv.exec:\vvdjv.exe29⤵
- Executes dropped EXE
PID:1532 -
\??\c:\rffrrxr.exec:\rffrrxr.exe30⤵
- Executes dropped EXE
PID:672 -
\??\c:\1btbtb.exec:\1btbtb.exe31⤵
- Executes dropped EXE
PID:832 -
\??\c:\vdvjp.exec:\vdvjp.exe32⤵
- Executes dropped EXE
PID:2432 -
\??\c:\nnthnb.exec:\nnthnb.exe33⤵
- Executes dropped EXE
PID:1576 -
\??\c:\djvjj.exec:\djvjj.exe34⤵
- Executes dropped EXE
PID:2180 -
\??\c:\rfxfxlf.exec:\rfxfxlf.exe35⤵
- Executes dropped EXE
PID:2896 -
\??\c:\bntttn.exec:\bntttn.exe36⤵
- Executes dropped EXE
PID:2768 -
\??\c:\jppdd.exec:\jppdd.exe37⤵
- Executes dropped EXE
PID:2668 -
\??\c:\5frxfrx.exec:\5frxfrx.exe38⤵
- Executes dropped EXE
PID:2872 -
\??\c:\tntbnn.exec:\tntbnn.exe39⤵
- Executes dropped EXE
PID:2780 -
\??\c:\5pdvp.exec:\5pdvp.exe40⤵
- Executes dropped EXE
PID:3000 -
\??\c:\frfrfrf.exec:\frfrfrf.exe41⤵
- Executes dropped EXE
PID:2692 -
\??\c:\hhtbht.exec:\hhtbht.exe42⤵
- Executes dropped EXE
PID:2624 -
\??\c:\jdjjj.exec:\jdjjj.exe43⤵
- Executes dropped EXE
PID:840 -
\??\c:\rlrxrfx.exec:\rlrxrfx.exe44⤵
- Executes dropped EXE
PID:552 -
\??\c:\tbbbnt.exec:\tbbbnt.exe45⤵
- Executes dropped EXE
PID:2760 -
\??\c:\jvvjj.exec:\jvvjj.exe46⤵
- Executes dropped EXE
PID:2504 -
\??\c:\jpjjv.exec:\jpjjv.exe47⤵
- Executes dropped EXE
PID:1084 -
\??\c:\rxxrrxx.exec:\rxxrrxx.exe48⤵
- Executes dropped EXE
PID:2008 -
\??\c:\7tnthb.exec:\7tnthb.exe49⤵
- Executes dropped EXE
PID:2764 -
\??\c:\9vdjd.exec:\9vdjd.exe50⤵
- Executes dropped EXE
PID:2964 -
\??\c:\3rlxlxl.exec:\3rlxlxl.exe51⤵
- Executes dropped EXE
PID:2236 -
\??\c:\btnthn.exec:\btnthn.exe52⤵
- Executes dropped EXE
PID:1424 -
\??\c:\httbht.exec:\httbht.exe53⤵
- Executes dropped EXE
PID:2408 -
\??\c:\vvvdj.exec:\vvvdj.exe54⤵
- Executes dropped EXE
PID:1252 -
\??\c:\rrfrfrx.exec:\rrfrfrx.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380 -
\??\c:\hthhbt.exec:\hthhbt.exe56⤵
- Executes dropped EXE
PID:3040 -
\??\c:\ddjpj.exec:\ddjpj.exe57⤵
- Executes dropped EXE
PID:1588 -
\??\c:\3frxfrf.exec:\3frxfrf.exe58⤵
- Executes dropped EXE
PID:1592 -
\??\c:\bhnhhb.exec:\bhnhhb.exe59⤵
- Executes dropped EXE
PID:2340 -
\??\c:\djdvp.exec:\djdvp.exe60⤵
- Executes dropped EXE
PID:896 -
\??\c:\lfllxrl.exec:\lfllxrl.exe61⤵
- Executes dropped EXE
PID:2648 -
\??\c:\9fflxfr.exec:\9fflxfr.exe62⤵
- Executes dropped EXE
PID:1868 -
\??\c:\nttttb.exec:\nttttb.exe63⤵
- Executes dropped EXE
PID:592 -
\??\c:\3vpvj.exec:\3vpvj.exe64⤵
- Executes dropped EXE
PID:3024 -
\??\c:\1fxllxr.exec:\1fxllxr.exe65⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xflxrxl.exec:\xflxrxl.exe66⤵PID:1924
-
\??\c:\ntbbnn.exec:\ntbbnn.exe67⤵PID:2416
-
\??\c:\vpjpv.exec:\vpjpv.exe68⤵PID:1928
-
\??\c:\fxrxrrx.exec:\fxrxrrx.exe69⤵PID:2020
-
\??\c:\bbtbnh.exec:\bbtbnh.exe70⤵PID:2448
-
\??\c:\djdvj.exec:\djdvj.exe71⤵PID:1664
-
\??\c:\vpjpd.exec:\vpjpd.exe72⤵PID:832
-
\??\c:\tthtnb.exec:\tthtnb.exe73⤵PID:2216
-
\??\c:\bhttnt.exec:\bhttnt.exe74⤵PID:1780
-
\??\c:\jpjjj.exec:\jpjjj.exe75⤵
- System Location Discovery: System Language Discovery
PID:2884 -
\??\c:\xfllxxl.exec:\xfllxxl.exe76⤵PID:2912
-
\??\c:\bhhbnh.exec:\bhhbnh.exe77⤵PID:2864
-
\??\c:\tbnthn.exec:\tbnthn.exe78⤵PID:2052
-
\??\c:\dpvdp.exec:\dpvdp.exe79⤵PID:2668
-
\??\c:\rxllrxf.exec:\rxllrxf.exe80⤵PID:3012
-
\??\c:\hnhtht.exec:\hnhtht.exe81⤵PID:3028
-
\??\c:\3ddjv.exec:\3ddjv.exe82⤵PID:2712
-
\??\c:\xfxxlrx.exec:\xfxxlrx.exe83⤵PID:2664
-
\??\c:\1fflxlx.exec:\1fflxlx.exe84⤵PID:2284
-
\??\c:\5nnbhn.exec:\5nnbhn.exe85⤵PID:1684
-
\??\c:\vdvjd.exec:\vdvjd.exe86⤵PID:1488
-
\??\c:\flfrfxr.exec:\flfrfxr.exe87⤵PID:552
-
\??\c:\ntnnbn.exec:\ntnnbn.exe88⤵PID:1376
-
\??\c:\pvjvj.exec:\pvjvj.exe89⤵PID:2504
-
\??\c:\3vvvd.exec:\3vvvd.exe90⤵PID:1084
-
\??\c:\7lxfxrx.exec:\7lxfxrx.exe91⤵PID:3048
-
\??\c:\nthnhh.exec:\nthnhh.exe92⤵PID:2856
-
\??\c:\jvjvv.exec:\jvjvv.exe93⤵PID:2616
-
\??\c:\rfxfxxr.exec:\rfxfxxr.exe94⤵PID:2944
-
\??\c:\hnbnhb.exec:\hnbnhb.exe95⤵PID:2064
-
\??\c:\bbhntt.exec:\bbhntt.exe96⤵PID:2396
-
\??\c:\jpdjd.exec:\jpdjd.exe97⤵PID:636
-
\??\c:\fffxffl.exec:\fffxffl.exe98⤵PID:568
-
\??\c:\tntnhn.exec:\tntnhn.exe99⤵PID:532
-
\??\c:\dvvpp.exec:\dvvpp.exe100⤵PID:2188
-
\??\c:\rrfffxr.exec:\rrfffxr.exe101⤵PID:2300
-
\??\c:\ttbhbn.exec:\ttbhbn.exe102⤵PID:1876
-
\??\c:\5vvdv.exec:\5vvdv.exe103⤵PID:2424
-
\??\c:\xlrffrr.exec:\xlrffrr.exe104⤵PID:1536
-
\??\c:\thnnbh.exec:\thnnbh.exe105⤵PID:344
-
\??\c:\pvvjv.exec:\pvvjv.exe106⤵PID:1504
-
\??\c:\vdpdv.exec:\vdpdv.exe107⤵PID:1748
-
\??\c:\5lflrxf.exec:\5lflrxf.exe108⤵PID:2376
-
\??\c:\tbtbtb.exec:\tbtbtb.exe109⤵PID:660
-
\??\c:\pjpvv.exec:\pjpvv.exe110⤵PID:1804
-
\??\c:\9vjpv.exec:\9vjpv.exe111⤵PID:1100
-
\??\c:\1fxfxfr.exec:\1fxfxfr.exe112⤵PID:1628
-
\??\c:\thtnbh.exec:\thtnbh.exe113⤵PID:1972
-
\??\c:\3pjvd.exec:\3pjvd.exe114⤵PID:2448
-
\??\c:\9lflxll.exec:\9lflxll.exe115⤵PID:1708
-
\??\c:\rxrlxrx.exec:\rxrlxrx.exe116⤵PID:1580
-
\??\c:\nttbtb.exec:\nttbtb.exe117⤵PID:2152
-
\??\c:\pvddp.exec:\pvddp.exe118⤵PID:2792
-
\??\c:\lfflxfr.exec:\lfflxfr.exe119⤵PID:2904
-
\??\c:\xxlxfrf.exec:\xxlxfrf.exe120⤵PID:2788
-
\??\c:\nnhntb.exec:\nnhntb.exe121⤵PID:2880
-
\??\c:\7vpdv.exec:\7vpdv.exe122⤵PID:1952
-