Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
05/09/2024, 21:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
30b41e3d90a9400dad9e4a2a52777400N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
30b41e3d90a9400dad9e4a2a52777400N.exe
-
Size
332KB
-
MD5
30b41e3d90a9400dad9e4a2a52777400
-
SHA1
bfc7e66313486edb2921804ffe4a5d7534699aff
-
SHA256
d524db831e844c1cb5faf96f0addaf86b0dcc73fe623dbdaceb77c83638507e7
-
SHA512
d5d696c1d020e9481f3da39349a609a04294b251da5c8cb420a8abef71be9e038618502e983fcaa43464d3d3fcd190e22e0e9c8564c2d169da252bd8439125d8
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhY:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTo
Malware Config
Signatures
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2724-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-62-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1152-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-67-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2416-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1120-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1120-83-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2104-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-122-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1660-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/108-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-171-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1656-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-209-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1584-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2500-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-237-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1244-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-256-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/760-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-294-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/528-351-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2248-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/544-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-509-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2380-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-564-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2400-591-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2788-606-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1096-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2580 nhtbhb.exe 2792 llxlrxl.exe 2612 nnbbnn.exe 2572 dvjpv.exe 2692 llrfxrx.exe 2416 hbhntn.exe 1152 jvjjd.exe 1120 lfxxffl.exe 2104 pjvdp.exe 1972 rlxlrxl.exe 2896 tthnbb.exe 2020 jjvvj.exe 1660 frfxlll.exe 2804 1ttbnt.exe 2268 vjppv.exe 108 lxlfxxl.exe 1144 nnbhtb.exe 2140 jdpjj.exe 2392 1htnnh.exe 1656 bnhttt.exe 1684 frllxxr.exe 1584 3lflrxl.exe 2500 9jpjp.exe 832 jdpjv.exe 2944 nhttbt.exe 1244 jdvvj.exe 760 bnhnth.exe 960 dpvpd.exe 1816 hhbhtt.exe 392 5bnntt.exe 1008 fxxxxxl.exe 2688 5dddj.exe 2840 xlrxlrx.exe 2816 1tnntt.exe 2568 tnhbnh.exe 2648 pjdpd.exe 3024 dvdjv.exe 528 rlfffll.exe 3028 tnbhbh.exe 924 dvvdd.exe 1852 jjvdd.exe 1440 rlflxfl.exe 2120 1bhbhh.exe 2248 hbnntb.exe 2996 vpddp.exe 1248 rlrxllx.exe 308 xrxrlxf.exe 2864 5bbhnn.exe 2408 1nhnbb.exe 2192 jdppd.exe 316 lfrlfxl.exe 1264 bthntb.exe 544 bbthtt.exe 1144 pdjdj.exe 2388 3xlfrfl.exe 2312 rxflfxl.exe 2696 bnbhnn.exe 2440 vjvdp.exe 2492 dpjpv.exe 2496 1flfllr.exe 2532 htbhnn.exe 1364 dpjjd.exe 832 vvppp.exe 2352 xrllrrr.exe -
resource yara_rule behavioral1/memory/2724-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-143-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/108-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-320-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3024-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-433-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/544-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-556-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2380-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-564-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2844-583-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2596-598-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2572-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-686-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tththb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2724 wrote to memory of 2580 2724 30b41e3d90a9400dad9e4a2a52777400N.exe 30 PID 2724 wrote to memory of 2580 2724 30b41e3d90a9400dad9e4a2a52777400N.exe 30 PID 2724 wrote to memory of 2580 2724 30b41e3d90a9400dad9e4a2a52777400N.exe 30 PID 2724 wrote to memory of 2580 2724 30b41e3d90a9400dad9e4a2a52777400N.exe 30 PID 2580 wrote to memory of 2792 2580 nhtbhb.exe 31 PID 2580 wrote to memory of 2792 2580 nhtbhb.exe 31 PID 2580 wrote to memory of 2792 2580 nhtbhb.exe 31 PID 2580 wrote to memory of 2792 2580 nhtbhb.exe 31 PID 2792 wrote to memory of 2612 2792 llxlrxl.exe 32 PID 2792 wrote to memory of 2612 2792 llxlrxl.exe 32 PID 2792 wrote to memory of 2612 2792 llxlrxl.exe 32 PID 2792 wrote to memory of 2612 2792 llxlrxl.exe 32 PID 2612 wrote to memory of 2572 2612 nnbbnn.exe 33 PID 2612 wrote to memory of 2572 2612 nnbbnn.exe 33 PID 2612 wrote to memory of 2572 2612 nnbbnn.exe 33 PID 2612 wrote to memory of 2572 2612 nnbbnn.exe 33 PID 2572 wrote to memory of 2692 2572 dvjpv.exe 34 PID 2572 wrote to memory of 2692 2572 dvjpv.exe 34 PID 2572 wrote to memory of 2692 2572 dvjpv.exe 34 PID 2572 wrote to memory of 2692 2572 dvjpv.exe 34 PID 2692 wrote to memory of 2416 2692 llrfxrx.exe 35 PID 2692 wrote to memory of 2416 2692 llrfxrx.exe 35 PID 2692 wrote to memory of 2416 2692 llrfxrx.exe 35 PID 2692 wrote to memory of 2416 2692 llrfxrx.exe 35 PID 2416 wrote to memory of 1152 2416 hbhntn.exe 36 PID 2416 wrote to memory of 1152 2416 hbhntn.exe 36 PID 2416 wrote to memory of 1152 2416 hbhntn.exe 36 PID 2416 wrote to memory of 1152 2416 hbhntn.exe 36 PID 1152 wrote to memory of 1120 1152 jvjjd.exe 37 PID 1152 wrote to memory of 1120 1152 jvjjd.exe 37 PID 1152 wrote to memory of 1120 1152 jvjjd.exe 37 PID 1152 wrote to memory of 1120 1152 jvjjd.exe 37 PID 1120 wrote to memory of 2104 1120 lfxxffl.exe 38 PID 1120 wrote to memory of 2104 1120 lfxxffl.exe 38 PID 1120 wrote to memory of 2104 1120 lfxxffl.exe 38 PID 1120 wrote to memory of 
2104 1120 lfxxffl.exe 38 PID 2104 wrote to memory of 1972 2104 pjvdp.exe 39 PID 2104 wrote to memory of 1972 2104 pjvdp.exe 39 PID 2104 wrote to memory of 1972 2104 pjvdp.exe 39 PID 2104 wrote to memory of 1972 2104 pjvdp.exe 39 PID 1972 wrote to memory of 2896 1972 rlxlrxl.exe 40 PID 1972 wrote to memory of 2896 1972 rlxlrxl.exe 40 PID 1972 wrote to memory of 2896 1972 rlxlrxl.exe 40 PID 1972 wrote to memory of 2896 1972 rlxlrxl.exe 40 PID 2896 wrote to memory of 2020 2896 tthnbb.exe 41 PID 2896 wrote to memory of 2020 2896 tthnbb.exe 41 PID 2896 wrote to memory of 2020 2896 tthnbb.exe 41 PID 2896 wrote to memory of 2020 2896 tthnbb.exe 41 PID 2020 wrote to memory of 1660 2020 jjvvj.exe 42 PID 2020 wrote to memory of 1660 2020 jjvvj.exe 42 PID 2020 wrote to memory of 1660 2020 jjvvj.exe 42 PID 2020 wrote to memory of 1660 2020 jjvvj.exe 42 PID 1660 wrote to memory of 2804 1660 frfxlll.exe 43 PID 1660 wrote to memory of 2804 1660 frfxlll.exe 43 PID 1660 wrote to memory of 2804 1660 frfxlll.exe 43 PID 1660 wrote to memory of 2804 1660 frfxlll.exe 43 PID 2804 wrote to memory of 2268 2804 1ttbnt.exe 44 PID 2804 wrote to memory of 2268 2804 1ttbnt.exe 44 PID 2804 wrote to memory of 2268 2804 1ttbnt.exe 44 PID 2804 wrote to memory of 2268 2804 1ttbnt.exe 44 PID 2268 wrote to memory of 108 2268 vjppv.exe 45 PID 2268 wrote to memory of 108 2268 vjppv.exe 45 PID 2268 wrote to memory of 108 2268 vjppv.exe 45 PID 2268 wrote to memory of 108 2268 vjppv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\30b41e3d90a9400dad9e4a2a52777400N.exe"C:\Users\Admin\AppData\Local\Temp\30b41e3d90a9400dad9e4a2a52777400N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\nhtbhb.exec:\nhtbhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\llxlrxl.exec:\llxlrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\nnbbnn.exec:\nnbbnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\dvjpv.exec:\dvjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\llrfxrx.exec:\llrfxrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\hbhntn.exec:\hbhntn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\jvjjd.exec:\jvjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\lfxxffl.exec:\lfxxffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\pjvdp.exec:\pjvdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\rlxlrxl.exec:\rlxlrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\tthnbb.exec:\tthnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\jjvvj.exec:\jjvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\frfxlll.exec:\frfxlll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\1ttbnt.exec:\1ttbnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\vjppv.exec:\vjppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\lxlfxxl.exec:\lxlfxxl.exe17⤵
- Executes dropped EXE
PID:108 -
\??\c:\nnbhtb.exec:\nnbhtb.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1144 -
\??\c:\jdpjj.exec:\jdpjj.exe19⤵
- Executes dropped EXE
PID:2140 -
\??\c:\1htnnh.exec:\1htnnh.exe20⤵
- Executes dropped EXE
PID:2392 -
\??\c:\bnhttt.exec:\bnhttt.exe21⤵
- Executes dropped EXE
PID:1656 -
\??\c:\frllxxr.exec:\frllxxr.exe22⤵
- Executes dropped EXE
PID:1684 -
\??\c:\3lflrxl.exec:\3lflrxl.exe23⤵
- Executes dropped EXE
PID:1584 -
\??\c:\9jpjp.exec:\9jpjp.exe24⤵
- Executes dropped EXE
PID:2500 -
\??\c:\jdpjv.exec:\jdpjv.exe25⤵
- Executes dropped EXE
PID:832 -
\??\c:\nhttbt.exec:\nhttbt.exe26⤵
- Executes dropped EXE
PID:2944 -
\??\c:\jdvvj.exec:\jdvvj.exe27⤵
- Executes dropped EXE
PID:1244 -
\??\c:\bnhnth.exec:\bnhnth.exe28⤵
- Executes dropped EXE
PID:760 -
\??\c:\dpvpd.exec:\dpvpd.exe29⤵
- Executes dropped EXE
PID:960 -
\??\c:\hhbhtt.exec:\hhbhtt.exe30⤵
- Executes dropped EXE
PID:1816 -
\??\c:\5bnntt.exec:\5bnntt.exe31⤵
- Executes dropped EXE
PID:392 -
\??\c:\fxxxxxl.exec:\fxxxxxl.exe32⤵
- Executes dropped EXE
PID:1008 -
\??\c:\frllrxl.exec:\frllrxl.exe33⤵PID:1716
-
\??\c:\5dddj.exec:\5dddj.exe34⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xlrxlrx.exec:\xlrxlrx.exe35⤵
- Executes dropped EXE
PID:2840 -
\??\c:\1tnntt.exec:\1tnntt.exe36⤵
- Executes dropped EXE
PID:2816 -
\??\c:\tnhbnh.exec:\tnhbnh.exe37⤵
- Executes dropped EXE
PID:2568 -
\??\c:\pjdpd.exec:\pjdpd.exe38⤵
- Executes dropped EXE
PID:2648 -
\??\c:\dvdjv.exec:\dvdjv.exe39⤵
- Executes dropped EXE
PID:3024 -
\??\c:\rlfffll.exec:\rlfffll.exe40⤵
- Executes dropped EXE
PID:528 -
\??\c:\tnbhbh.exec:\tnbhbh.exe41⤵
- Executes dropped EXE
PID:3028 -
\??\c:\dvvdd.exec:\dvvdd.exe42⤵
- Executes dropped EXE
PID:924 -
\??\c:\jjvdd.exec:\jjvdd.exe43⤵
- Executes dropped EXE
PID:1852 -
\??\c:\rlflxfl.exec:\rlflxfl.exe44⤵
- Executes dropped EXE
PID:1440 -
\??\c:\1bhbhh.exec:\1bhbhh.exe45⤵
- Executes dropped EXE
PID:2120 -
\??\c:\hbnntb.exec:\hbnntb.exe46⤵
- Executes dropped EXE
PID:2248 -
\??\c:\vpddp.exec:\vpddp.exe47⤵
- Executes dropped EXE
PID:2996 -
\??\c:\rlrxllx.exec:\rlrxllx.exe48⤵
- Executes dropped EXE
PID:1248 -
\??\c:\xrxrlxf.exec:\xrxrlxf.exe49⤵
- Executes dropped EXE
PID:308 -
\??\c:\5bbhnn.exec:\5bbhnn.exe50⤵
- Executes dropped EXE
PID:2864 -
\??\c:\1nhnbb.exec:\1nhnbb.exe51⤵
- Executes dropped EXE
PID:2408 -
\??\c:\jdppd.exec:\jdppd.exe52⤵
- Executes dropped EXE
PID:2192 -
\??\c:\lfrlfxl.exec:\lfrlfxl.exe53⤵
- Executes dropped EXE
PID:316 -
\??\c:\bthntb.exec:\bthntb.exe54⤵
- Executes dropped EXE
PID:1264 -
\??\c:\bbthtt.exec:\bbthtt.exe55⤵
- Executes dropped EXE
PID:544 -
\??\c:\pdjdj.exec:\pdjdj.exe56⤵
- Executes dropped EXE
PID:1144 -
\??\c:\3xlfrfl.exec:\3xlfrfl.exe57⤵
- Executes dropped EXE
PID:2388 -
\??\c:\rxflfxl.exec:\rxflfxl.exe58⤵
- Executes dropped EXE
PID:2312 -
\??\c:\bnbhnn.exec:\bnbhnn.exe59⤵
- Executes dropped EXE
PID:2696 -
\??\c:\vjvdp.exec:\vjvdp.exe60⤵
- Executes dropped EXE
PID:2440 -
\??\c:\dpjpv.exec:\dpjpv.exe61⤵
- Executes dropped EXE
PID:2492 -
\??\c:\1flfllr.exec:\1flfllr.exe62⤵
- Executes dropped EXE
PID:2496 -
\??\c:\htbhnn.exec:\htbhnn.exe63⤵
- Executes dropped EXE
PID:2532 -
\??\c:\dpjjd.exec:\dpjjd.exe64⤵
- Executes dropped EXE
PID:1364 -
\??\c:\vvppp.exec:\vvppp.exe65⤵
- Executes dropped EXE
PID:832 -
\??\c:\xrllrrr.exec:\xrllrrr.exe66⤵
- Executes dropped EXE
PID:2352 -
\??\c:\thntbh.exec:\thntbh.exe67⤵PID:2096
-
\??\c:\9nbbhn.exec:\9nbbhn.exe68⤵PID:2412
-
\??\c:\vpvdp.exec:\vpvdp.exe69⤵PID:340
-
\??\c:\fxlrxxx.exec:\fxlrxxx.exe70⤵PID:2380
-
\??\c:\btntnn.exec:\btntnn.exe71⤵PID:2164
-
\??\c:\btbnnh.exec:\btbnnh.exe72⤵PID:2212
-
\??\c:\ddjpv.exec:\ddjpv.exe73⤵PID:2704
-
\??\c:\lfrlrxf.exec:\lfrlrxf.exe74⤵PID:2844
-
\??\c:\nbnbnn.exec:\nbnbnn.exe75⤵PID:2400
-
\??\c:\nnhbnt.exec:\nnhbnt.exe76⤵PID:2596
-
\??\c:\vpppp.exec:\vpppp.exe77⤵PID:2788
-
\??\c:\xlxxxfx.exec:\xlxxxfx.exe78⤵PID:2604
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe79⤵PID:2572
-
\??\c:\nnhntt.exec:\nnhntt.exe80⤵PID:2692
-
\??\c:\pvdjj.exec:\pvdjj.exe81⤵PID:564
-
\??\c:\5jvdp.exec:\5jvdp.exe82⤵PID:1096
-
\??\c:\rfrrxxx.exec:\rfrrxxx.exe83⤵PID:1152
-
\??\c:\5tttbt.exec:\5tttbt.exe84⤵PID:1120
-
\??\c:\pdjpp.exec:\pdjpp.exe85⤵PID:1992
-
\??\c:\vpjpv.exec:\vpjpv.exe86⤵PID:2540
-
\??\c:\9rrrrrx.exec:\9rrrrrx.exe87⤵PID:1972
-
\??\c:\bhnhhn.exec:\bhnhhn.exe88⤵PID:2116
-
\??\c:\dvppp.exec:\dvppp.exe89⤵PID:2916
-
\??\c:\xlxffll.exec:\xlxffll.exe90⤵PID:836
-
\??\c:\llllrrl.exec:\llllrrl.exe91⤵PID:2888
-
\??\c:\7bnntb.exec:\7bnntb.exe92⤵PID:2668
-
\??\c:\dpddj.exec:\dpddj.exe93⤵PID:2224
-
\??\c:\rllxxfr.exec:\rllxxfr.exe94⤵PID:2268
-
\??\c:\rllrfrx.exec:\rllrfrx.exe95⤵PID:1712
-
\??\c:\bbnthh.exec:\bbnthh.exe96⤵PID:1860
-
\??\c:\5bttbn.exec:\5bttbn.exe97⤵PID:1792
-
\??\c:\jdppv.exec:\jdppv.exe98⤵PID:2368
-
\??\c:\1llfflx.exec:\1llfflx.exe99⤵PID:2236
-
\??\c:\llfflfl.exec:\llfflfl.exe100⤵PID:2312
-
\??\c:\nbhbbh.exec:\nbhbbh.exe101⤵PID:1128
-
\??\c:\ppdvp.exec:\ppdvp.exe102⤵PID:400
-
\??\c:\jdjpv.exec:\jdjpv.exe103⤵PID:1584
-
\??\c:\lffffxl.exec:\lffffxl.exe104⤵PID:2384
-
\??\c:\9bnhtb.exec:\9bnhtb.exe105⤵PID:824
-
\??\c:\tbnnhh.exec:\tbnnhh.exe106⤵PID:1944
-
\??\c:\dpvvj.exec:\dpvvj.exe107⤵PID:1644
-
\??\c:\7vjvj.exec:\7vjvj.exe108⤵PID:2420
-
\??\c:\xrrrrxl.exec:\xrrrrxl.exe109⤵PID:2112
-
\??\c:\tttbnn.exec:\tttbnn.exe110⤵PID:2452
-
\??\c:\dvdjp.exec:\dvdjp.exe111⤵PID:2716
-
\??\c:\vpjpp.exec:\vpjpp.exe112⤵PID:2780
-
\??\c:\3lrlflr.exec:\3lrlflr.exe113⤵PID:2448
-
\??\c:\tbhbnh.exec:\tbhbnh.exe114⤵PID:1600
-
\??\c:\9hbbnb.exec:\9hbbnb.exe115⤵PID:2296
-
\??\c:\jdppd.exec:\jdppd.exe116⤵PID:2860
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe117⤵PID:2736
-
\??\c:\hbnhnn.exec:\hbnhnn.exe118⤵PID:1976
-
\??\c:\tnbhnn.exec:\tnbhnn.exe119⤵PID:2568
-
\??\c:\pjppd.exec:\pjppd.exe120⤵PID:2604
-
\??\c:\3llxlrf.exec:\3llxlrf.exe121⤵PID:3016
-
\??\c:\7fllfll.exec:\7fllfll.exe122⤵PID:472