Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 14:57
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe
-
Size
454KB
-
MD5
739bd19772fe3de80a2b8e1974bacb80
-
SHA1
a7d9e0601d872600566008846ae6d9ec2481ea66
-
SHA256
410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1
-
SHA512
3523567ba3c7c59a97996a12520250de892422d7ff70607d9f4bc21e66c3aaff21611baf01d3f3b909c9f8a4368b9f445fbbc4f2b2bd543b30d573c7bc3907e8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2396-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/236-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-383-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2684-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-390-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2920-417-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2944-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-456-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/908-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-552-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2972-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-825-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1476-953-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1452-980-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2184-1048-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-1110-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/584-1212-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/1984-1215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2028 404680.exe 2200 1fxrrrr.exe 2012 pjvjp.exe 2300 480640.exe 2872 2604620.exe 2848 nhbbnt.exe 2732 9pjpv.exe 2812 g2686.exe 2808 2422840.exe 2736 642286.exe 2288 tnhhnh.exe 876 48666.exe 1992 864086.exe 1364 82684.exe 328 xrrrxxf.exe 1920 9frxffx.exe 1660 0006442.exe 1704 vvjpv.exe 2976 446688.exe 2156 5vjpv.exe 1904 pjdjp.exe 2032 7xrxfrx.exe 1960 pvjpd.exe 1720 5tnhnt.exe 1740 vdvjp.exe 1604 pdq06.exe 236 9jvdj.exe 2552 1vjvv.exe 1420 m2628.exe 348 2222468.exe 3068 9fflfxr.exe 320 i824668.exe 1680 ppdjp.exe 2192 dvdvj.exe 2828 486684.exe 2800 xrlxrxr.exe 2764 jpjdp.exe 2724 jdvdd.exe 3020 820062.exe 2748 vpdvj.exe 2064 tnnbht.exe 2752 vpjvp.exe 2832 44464.exe 2668 vvpvp.exe 2684 6088002.exe 2736 802288.exe 548 q88844.exe 1744 bntbbb.exe 1984 xrxxffr.exe 2920 220400.exe 2136 046684.exe 2944 pdpvd.exe 1228 xxflllr.exe 1912 u268040.exe 852 8828402.exe 1876 2082468.exe 532 u444064.exe 1700 jjpjd.exe 2708 a6002.exe 1780 42062.exe 2448 m2288.exe 2480 424440.exe 836 1btntt.exe 908 hbthnh.exe -
resource yara_rule behavioral1/memory/2396-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-245-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2552-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-980-0x00000000003D0000-0x00000000003FA000-memory.dmp upx 
behavioral1/memory/2184-1048-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-1061-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-1068-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-1087-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-1100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-1135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-1186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-1200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-1212-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1984-1215-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that the key involved (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is also read by many benign programs during locale initialisation, so this signature is low-fidelity on its own and should be weighed together with the other behaviours listed in this report.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxllfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w02608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i200606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602406.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2396 wrote to memory of 2028 2396 410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe 30 PID 2396 wrote to memory of 2028 2396 410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe 30 PID 2396 wrote to memory of 2028 2396 410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe 30 PID 2396 wrote to memory of 2028 2396 410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe 30 PID 2028 wrote to memory of 2200 2028 404680.exe 31 PID 2028 wrote to memory of 2200 2028 404680.exe 31 PID 2028 wrote to memory of 2200 2028 404680.exe 31 PID 2028 wrote to memory of 2200 2028 404680.exe 31 PID 2200 wrote to memory of 2012 2200 1fxrrrr.exe 32 PID 2200 wrote to memory of 2012 2200 1fxrrrr.exe 32 PID 2200 wrote to memory of 2012 2200 1fxrrrr.exe 32 PID 2200 wrote to memory of 2012 2200 1fxrrrr.exe 32 PID 2012 wrote to memory of 2300 2012 pjvjp.exe 33 PID 2012 wrote to memory of 2300 2012 pjvjp.exe 33 PID 2012 wrote to memory of 2300 2012 pjvjp.exe 33 PID 2012 wrote to memory of 2300 2012 pjvjp.exe 33 PID 2300 wrote to memory of 2872 2300 480640.exe 34 PID 2300 wrote to memory of 2872 2300 480640.exe 34 PID 2300 wrote to memory of 2872 2300 480640.exe 34 PID 2300 wrote to memory of 2872 2300 480640.exe 34 PID 2872 wrote to memory of 2848 2872 2604620.exe 35 PID 2872 wrote to memory of 2848 2872 2604620.exe 35 PID 2872 wrote to memory of 2848 2872 2604620.exe 35 PID 2872 wrote to memory of 2848 2872 2604620.exe 35 PID 2848 wrote to memory of 2732 2848 nhbbnt.exe 36 PID 2848 wrote to memory of 2732 2848 nhbbnt.exe 36 PID 2848 wrote to memory of 2732 2848 nhbbnt.exe 36 PID 2848 wrote to memory of 2732 2848 nhbbnt.exe 36 PID 2732 wrote to memory of 2812 2732 9pjpv.exe 37 PID 2732 wrote to memory of 2812 2732 9pjpv.exe 37 PID 2732 wrote to memory of 2812 2732 9pjpv.exe 37 PID 2732 wrote to memory of 2812 2732 9pjpv.exe 37 PID 2812 wrote to memory of 2808 2812 g2686.exe 38 PID 2812 
wrote to memory of 2808 2812 g2686.exe 38 PID 2812 wrote to memory of 2808 2812 g2686.exe 38 PID 2812 wrote to memory of 2808 2812 g2686.exe 38 PID 2808 wrote to memory of 2736 2808 2422840.exe 39 PID 2808 wrote to memory of 2736 2808 2422840.exe 39 PID 2808 wrote to memory of 2736 2808 2422840.exe 39 PID 2808 wrote to memory of 2736 2808 2422840.exe 39 PID 2736 wrote to memory of 2288 2736 642286.exe 40 PID 2736 wrote to memory of 2288 2736 642286.exe 40 PID 2736 wrote to memory of 2288 2736 642286.exe 40 PID 2736 wrote to memory of 2288 2736 642286.exe 40 PID 2288 wrote to memory of 876 2288 tnhhnh.exe 41 PID 2288 wrote to memory of 876 2288 tnhhnh.exe 41 PID 2288 wrote to memory of 876 2288 tnhhnh.exe 41 PID 2288 wrote to memory of 876 2288 tnhhnh.exe 41 PID 876 wrote to memory of 1992 876 48666.exe 42 PID 876 wrote to memory of 1992 876 48666.exe 42 PID 876 wrote to memory of 1992 876 48666.exe 42 PID 876 wrote to memory of 1992 876 48666.exe 42 PID 1992 wrote to memory of 1364 1992 864086.exe 43 PID 1992 wrote to memory of 1364 1992 864086.exe 43 PID 1992 wrote to memory of 1364 1992 864086.exe 43 PID 1992 wrote to memory of 1364 1992 864086.exe 43 PID 1364 wrote to memory of 328 1364 82684.exe 44 PID 1364 wrote to memory of 328 1364 82684.exe 44 PID 1364 wrote to memory of 328 1364 82684.exe 44 PID 1364 wrote to memory of 328 1364 82684.exe 44 PID 328 wrote to memory of 1920 328 xrrrxxf.exe 45 PID 328 wrote to memory of 1920 328 xrrrxxf.exe 45 PID 328 wrote to memory of 1920 328 xrrrxxf.exe 45 PID 328 wrote to memory of 1920 328 xrrrxxf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe"C:\Users\Admin\AppData\Local\Temp\410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\404680.exec:\404680.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\1fxrrrr.exec:\1fxrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\pjvjp.exec:\pjvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\480640.exec:\480640.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\2604620.exec:\2604620.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\nhbbnt.exec:\nhbbnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\9pjpv.exec:\9pjpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\g2686.exec:\g2686.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\2422840.exec:\2422840.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\642286.exec:\642286.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\tnhhnh.exec:\tnhhnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\48666.exec:\48666.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\864086.exec:\864086.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\82684.exec:\82684.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\xrrrxxf.exec:\xrrrxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:328 -
\??\c:\9frxffx.exec:\9frxffx.exe17⤵
- Executes dropped EXE
PID:1920 -
\??\c:\0006442.exec:\0006442.exe18⤵
- Executes dropped EXE
PID:1660 -
\??\c:\vvjpv.exec:\vvjpv.exe19⤵
- Executes dropped EXE
PID:1704 -
\??\c:\446688.exec:\446688.exe20⤵
- Executes dropped EXE
PID:2976 -
\??\c:\5vjpv.exec:\5vjpv.exe21⤵
- Executes dropped EXE
PID:2156 -
\??\c:\pjdjp.exec:\pjdjp.exe22⤵
- Executes dropped EXE
PID:1904 -
\??\c:\7xrxfrx.exec:\7xrxfrx.exe23⤵
- Executes dropped EXE
PID:2032 -
\??\c:\pvjpd.exec:\pvjpd.exe24⤵
- Executes dropped EXE
PID:1960 -
\??\c:\5tnhnt.exec:\5tnhnt.exe25⤵
- Executes dropped EXE
PID:1720 -
\??\c:\vdvjp.exec:\vdvjp.exe26⤵
- Executes dropped EXE
PID:1740 -
\??\c:\pdq06.exec:\pdq06.exe27⤵
- Executes dropped EXE
PID:1604 -
\??\c:\9jvdj.exec:\9jvdj.exe28⤵
- Executes dropped EXE
PID:236 -
\??\c:\1vjvv.exec:\1vjvv.exe29⤵
- Executes dropped EXE
PID:2552 -
\??\c:\m2628.exec:\m2628.exe30⤵
- Executes dropped EXE
PID:1420 -
\??\c:\2222468.exec:\2222468.exe31⤵
- Executes dropped EXE
PID:348 -
\??\c:\9fflfxr.exec:\9fflfxr.exe32⤵
- Executes dropped EXE
PID:3068 -
\??\c:\i824668.exec:\i824668.exe33⤵
- Executes dropped EXE
PID:320 -
\??\c:\ppdjp.exec:\ppdjp.exe34⤵
- Executes dropped EXE
PID:1680 -
\??\c:\dvdvj.exec:\dvdvj.exe35⤵
- Executes dropped EXE
PID:2192 -
\??\c:\486684.exec:\486684.exe36⤵
- Executes dropped EXE
PID:2828 -
\??\c:\xrlxrxr.exec:\xrlxrxr.exe37⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jpjdp.exec:\jpjdp.exe38⤵
- Executes dropped EXE
PID:2764 -
\??\c:\jdvdd.exec:\jdvdd.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\820062.exec:\820062.exe40⤵
- Executes dropped EXE
PID:3020 -
\??\c:\vpdvj.exec:\vpdvj.exe41⤵
- Executes dropped EXE
PID:2748 -
\??\c:\tnnbht.exec:\tnnbht.exe42⤵
- Executes dropped EXE
PID:2064 -
\??\c:\vpjvp.exec:\vpjvp.exe43⤵
- Executes dropped EXE
PID:2752 -
\??\c:\44464.exec:\44464.exe44⤵
- Executes dropped EXE
PID:2832 -
\??\c:\vvpvp.exec:\vvpvp.exe45⤵
- Executes dropped EXE
PID:2668 -
\??\c:\6088002.exec:\6088002.exe46⤵
- Executes dropped EXE
PID:2684 -
\??\c:\802288.exec:\802288.exe47⤵
- Executes dropped EXE
PID:2736 -
\??\c:\q88844.exec:\q88844.exe48⤵
- Executes dropped EXE
PID:548 -
\??\c:\bntbbb.exec:\bntbbb.exe49⤵
- Executes dropped EXE
PID:1744 -
\??\c:\xrxxffr.exec:\xrxxffr.exe50⤵
- Executes dropped EXE
PID:1984 -
\??\c:\220400.exec:\220400.exe51⤵
- Executes dropped EXE
PID:2920 -
\??\c:\046684.exec:\046684.exe52⤵
- Executes dropped EXE
PID:2136 -
\??\c:\pdpvd.exec:\pdpvd.exe53⤵
- Executes dropped EXE
PID:2944 -
\??\c:\xxflllr.exec:\xxflllr.exe54⤵
- Executes dropped EXE
PID:1228 -
\??\c:\u268040.exec:\u268040.exe55⤵
- Executes dropped EXE
PID:1912 -
\??\c:\8828402.exec:\8828402.exe56⤵
- Executes dropped EXE
PID:852 -
\??\c:\2082468.exec:\2082468.exe57⤵
- Executes dropped EXE
PID:1876 -
\??\c:\u444064.exec:\u444064.exe58⤵
- Executes dropped EXE
PID:532 -
\??\c:\jjpjd.exec:\jjpjd.exe59⤵
- Executes dropped EXE
PID:1700 -
\??\c:\a6002.exec:\a6002.exe60⤵
- Executes dropped EXE
PID:2708 -
\??\c:\42062.exec:\42062.exe61⤵
- Executes dropped EXE
PID:1780 -
\??\c:\m2288.exec:\m2288.exe62⤵
- Executes dropped EXE
PID:2448 -
\??\c:\424440.exec:\424440.exe63⤵
- Executes dropped EXE
PID:2480 -
\??\c:\1btntt.exec:\1btntt.exe64⤵
- Executes dropped EXE
PID:836 -
\??\c:\hbthnh.exec:\hbthnh.exe65⤵
- Executes dropped EXE
PID:908 -
\??\c:\rlxfrxx.exec:\rlxfrxx.exe66⤵PID:844
-
\??\c:\08222.exec:\08222.exe67⤵PID:1740
-
\??\c:\djdvd.exec:\djdvd.exe68⤵PID:1632
-
\??\c:\pvvjj.exec:\pvvjj.exe69⤵PID:2556
-
\??\c:\2640860.exec:\2640860.exe70⤵PID:684
-
\??\c:\rrfrffr.exec:\rrfrffr.exe71⤵PID:1972
-
\??\c:\26284.exec:\26284.exe72⤵PID:2340
-
\??\c:\3bthnn.exec:\3bthnn.exe73⤵PID:1748
-
\??\c:\c044624.exec:\c044624.exe74⤵PID:3068
-
\??\c:\20020.exec:\20020.exe75⤵PID:1436
-
\??\c:\lrllfxl.exec:\lrllfxl.exe76⤵PID:1504
-
\??\c:\6084040.exec:\6084040.exe77⤵PID:1680
-
\??\c:\4424068.exec:\4424068.exe78⤵PID:2132
-
\??\c:\7rlrlrx.exec:\7rlrlrx.exe79⤵PID:2972
-
\??\c:\e80288.exec:\e80288.exe80⤵PID:2468
-
\??\c:\htbbtn.exec:\htbbtn.exe81⤵PID:2864
-
\??\c:\5vddd.exec:\5vddd.exe82⤵PID:2300
-
\??\c:\nbhhnn.exec:\nbhhnn.exe83⤵PID:2816
-
\??\c:\64680.exec:\64680.exe84⤵PID:2804
-
\??\c:\9lfxxfl.exec:\9lfxxfl.exe85⤵PID:2660
-
\??\c:\2044408.exec:\2044408.exe86⤵PID:2896
-
\??\c:\800680.exec:\800680.exe87⤵PID:2588
-
\??\c:\046888.exec:\046888.exe88⤵PID:2668
-
\??\c:\666440.exec:\666440.exe89⤵PID:1620
-
\??\c:\264040.exec:\264040.exe90⤵PID:2212
-
\??\c:\pjjpd.exec:\pjjpd.exe91⤵PID:584
-
\??\c:\9nbtnn.exec:\9nbtnn.exe92⤵PID:2912
-
\??\c:\pjdjv.exec:\pjdjv.exe93⤵PID:1964
-
\??\c:\nhtntt.exec:\nhtntt.exe94⤵PID:2968
-
\??\c:\04046.exec:\04046.exe95⤵PID:2444
-
\??\c:\hbbbht.exec:\hbbbht.exe96⤵PID:1732
-
\??\c:\tnntbh.exec:\tnntbh.exe97⤵PID:2944
-
\??\c:\vvdjv.exec:\vvdjv.exe98⤵PID:1228
-
\??\c:\486802.exec:\486802.exe99⤵PID:1612
-
\??\c:\486202.exec:\486202.exe100⤵PID:852
-
\??\c:\ffxxlfx.exec:\ffxxlfx.exe101⤵PID:1876
-
\??\c:\1xfrrll.exec:\1xfrrll.exe102⤵PID:2296
-
\??\c:\20226.exec:\20226.exe103⤵PID:2236
-
\??\c:\nbnttt.exec:\nbnttt.exe104⤵PID:1908
-
\??\c:\0868446.exec:\0868446.exe105⤵PID:1780
-
\??\c:\m6062.exec:\m6062.exe106⤵PID:1968
-
\??\c:\pjddp.exec:\pjddp.exe107⤵PID:1720
-
\??\c:\bttthn.exec:\bttthn.exe108⤵
- System Location Discovery: System Language Discovery
PID:1588 -
\??\c:\40020.exec:\40020.exe109⤵PID:2672
-
\??\c:\vpdpv.exec:\vpdpv.exe110⤵PID:1932
-
\??\c:\6406228.exec:\6406228.exe111⤵PID:3056
-
\??\c:\2028668.exec:\2028668.exe112⤵PID:2424
-
\??\c:\20288.exec:\20288.exe113⤵PID:2556
-
\??\c:\fxfffxf.exec:\fxfffxf.exe114⤵PID:1928
-
\??\c:\3vdjp.exec:\3vdjp.exe115⤵PID:2476
-
\??\c:\i200606.exec:\i200606.exe116⤵
- System Location Discovery: System Language Discovery
PID:1596 -
\??\c:\4862888.exec:\4862888.exe117⤵PID:2144
-
\??\c:\9tntbb.exec:\9tntbb.exe118⤵PID:3068
-
\??\c:\k22800.exec:\k22800.exe119⤵PID:592
-
\??\c:\vjvdj.exec:\vjvdj.exe120⤵PID:952
-
\??\c:\486846.exec:\486846.exe121⤵PID:580
-
\??\c:\6428408.exec:\6428408.exe122⤵PID:1636