Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
05/09/2024, 22:39
Behavioral task
behavioral1
Sample
b84eb741b8fcfcd892fca53f4af597c0N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
b84eb741b8fcfcd892fca53f4af597c0N.exe
-
Size
443KB
-
MD5
b84eb741b8fcfcd892fca53f4af597c0
-
SHA1
91a34dd6391af8708482cb6e513a451ca8636712
-
SHA256
8ff61e464a1c49c1bd6a1e43f7d6c439dc264df0166c146badfc39d9cfa5b730
-
SHA512
dbf32daff0261ce4de465d2d16e2b25597b6fe89135e265bda4ca1a3891756c1b704386de48e7ac9f3e8a27a07e8b473cae0fc1bd4e7214462fe7601b1411b44
-
SSDEEP
12288:M4wFHoSpg4wFHonR/nPF2LnFL4wF04wFK4wFK4wluAQ:UrR/nPRQ
Malware Config
Signatures
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2240-7-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2400-18-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2284-38-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2344-47-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2852-58-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/556-89-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1596-170-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2212-199-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2316-313-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2808-364-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1136-456-0x0000000001CD0000-0x0000000001D5C000-memory.dmp family_blackmoon behavioral1/memory/1460-488-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1460-495-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2216-513-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2000-487-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2000-480-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2092-479-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2092-471-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/448-470-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/448-462-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1136-461-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon 
behavioral1/memory/2932-446-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1492-415-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/860-408-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/688-395-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2884-357-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2908-350-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1880-292-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/924-249-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2156-275-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2956-258-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1884-240-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2920-214-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1136-223-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2504-195-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2212-205-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1500-161-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1740-152-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1652-143-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/1428-134-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/3068-107-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/528-117-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon 
behavioral1/memory/2632-98-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2880-79-0x0000000000400000-0x000000000048C000-memory.dmp family_blackmoon behavioral1/memory/2880-77-0x0000000000370000-0x00000000003FC000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2400 nhbhtt.exe 784 fxrflrf.exe 2284 frrxxfl.exe 2344 jjjvd.exe 2852 fxrrflx.exe 2952 fxxfrxl.exe 2880 hhbhtb.exe 556 vvddv.exe 2632 3vvpj.exe 3068 ttnbth.exe 528 ttthth.exe 2040 vvpdp.exe 1428 rrfxffr.exe 1652 fxrxlxl.exe 1740 ttthbh.exe 1500 vvpvd.exe 1596 jvjpd.exe 2868 lfxrxfl.exe 2680 tnbhtb.exe 2504 3bbntb.exe 2212 3dvjv.exe 2920 rlflxlf.exe 1136 bhbhnt.exe 1524 5nbhnt.exe 1884 7vdvd.exe 924 7rrxflr.exe 2956 lrrfxll.exe 1612 pjvjp.exe 2156 lxxfrxx.exe 2700 tbnthn.exe 1880 9ppjv.exe 2552 xrrrrxr.exe 2208 9rxlxlx.exe 2316 bbnthn.exe 1592 dpvjj.exe 2244 xxxfxxl.exe 2256 lffrffx.exe 2344 9hnntb.exe 2836 3dvvj.exe 2908 vpjvj.exe 2884 lfflrxf.exe 2808 nhhtbh.exe 2648 1pjdv.exe 2664 pvddv.exe 2916 rflllfx.exe 112 3nhnbb.exe 688 pdppv.exe 604 jppdp.exe 860 xrlrffl.exe 1492 bhhnhh.exe 1688 jddpd.exe 2888 ppppp.exe 596 3flxlfl.exe 2680 nhbnbh.exe 2932 jvvvv.exe 1672 jvvpd.exe 1136 7llrxfl.exe 448 7ppdj.exe 2092 xfxlxlx.exe 2000 tbbnbn.exe 1460 btnbtb.exe 628 pvvjd.exe 1504 llrxlfl.exe 2216 hbbhth.exe -
resource yara_rule behavioral1/memory/2240-0-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x0007000000012117-8.dat upx behavioral1/memory/2400-9-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2240-7-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x00080000000173a9-19.dat upx behavioral1/memory/2400-18-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2400-17-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/784-23-0x0000000000220000-0x00000000002AC000-memory.dmp upx behavioral1/files/0x0008000000017488-29.dat upx behavioral1/memory/784-28-0x0000000000220000-0x00000000002AC000-memory.dmp upx behavioral1/files/0x0008000000017492-40.dat upx behavioral1/memory/2344-39-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2284-38-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2852-49-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x00080000000174cc-48.dat upx behavioral1/memory/2344-47-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x0006000000018683-55.dat upx behavioral1/memory/2952-59-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2852-58-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x00060000000186e4-67.dat upx behavioral1/memory/2880-68-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x00070000000186fd-90.dat upx behavioral1/memory/556-89-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/528-110-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x0005000000019461-136.dat upx behavioral1/files/0x000500000001950c-144.dat upx behavioral1/memory/1596-170-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x00050000000195c5-162.dat upx behavioral1/files/0x0005000000019609-180.dat upx 
behavioral1/memory/2212-199-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x0005000000019611-216.dat upx behavioral1/files/0x0005000000019615-233.dat upx behavioral1/files/0x0005000000019619-251.dat upx behavioral1/files/0x000500000001961d-268.dat upx behavioral1/memory/2316-313-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2808-364-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1136-453-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1136-456-0x0000000001CD0000-0x0000000001D5C000-memory.dmp upx behavioral1/memory/1460-488-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1460-495-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2216-513-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1680-519-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2000-487-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2000-480-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2092-479-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2092-474-0x0000000000350000-0x00000000003DC000-memory.dmp upx behavioral1/memory/2092-471-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/448-470-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/448-469-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/448-465-0x0000000000490000-0x000000000051C000-memory.dmp upx behavioral1/memory/448-462-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1136-461-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2932-446-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1492-415-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/860-408-0x0000000000400000-0x000000000048C000-memory.dmp upx 
behavioral1/memory/688-395-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2884-357-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2908-350-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x0005000000019621-285.dat upx behavioral1/files/0x0005000000019622-294.dat upx behavioral1/memory/1880-292-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/files/0x000500000001961f-277.dat upx behavioral1/memory/924-249-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2156-275-0x0000000000400000-0x000000000048C000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2400 2240 b84eb741b8fcfcd892fca53f4af597c0N.exe 30 PID 2240 wrote to memory of 2400 2240 b84eb741b8fcfcd892fca53f4af597c0N.exe 30 PID 2240 wrote to memory of 2400 2240 b84eb741b8fcfcd892fca53f4af597c0N.exe 30 PID 2240 wrote to memory of 2400 2240 b84eb741b8fcfcd892fca53f4af597c0N.exe 30 PID 2400 wrote to memory of 784 2400 nhbhtt.exe 31 PID 2400 wrote to memory of 784 2400 nhbhtt.exe 31 PID 2400 wrote to memory of 784 2400 nhbhtt.exe 31 PID 2400 wrote to memory of 784 2400 nhbhtt.exe 31 PID 784 wrote to memory of 2284 784 fxrflrf.exe 32 PID 784 wrote to memory of 2284 784 fxrflrf.exe 32 PID 784 wrote to memory of 2284 784 fxrflrf.exe 32 PID 784 wrote to memory of 2284 784 fxrflrf.exe 32 PID 2284 wrote to memory of 2344 2284 frrxxfl.exe 67 PID 2284 wrote to memory of 2344 2284 frrxxfl.exe 67 PID 2284 wrote to memory of 2344 2284 frrxxfl.exe 67 PID 2284 wrote to memory of 2344 2284 frrxxfl.exe 67 PID 2344 wrote to memory of 2852 2344 jjjvd.exe 34 PID 2344 wrote to memory of 2852 2344 jjjvd.exe 34 PID 2344 wrote to memory of 2852 2344 jjjvd.exe 34 PID 2344 wrote to memory of 2852 2344 jjjvd.exe 34 PID 2852 wrote to memory of 2952 2852 fxrrflx.exe 35 PID 2852 wrote to memory of 2952 2852 fxrrflx.exe 35 PID 2852 wrote to memory of 2952 2852 fxrrflx.exe 35 PID 2852 wrote to memory of 2952 2852 fxrrflx.exe 35 PID 2952 wrote to memory of 2880 2952 fxxfrxl.exe 36 PID 2952 wrote to memory of 2880 2952 fxxfrxl.exe 36 PID 2952 wrote to memory of 2880 2952 fxxfrxl.exe 36 PID 2952 wrote to memory of 2880 2952 fxxfrxl.exe 36 PID 2880 wrote to memory of 556 2880 hhbhtb.exe 37 PID 2880 wrote to memory of 556 2880 hhbhtb.exe 37 PID 2880 wrote to memory of 556 2880 hhbhtb.exe 37 PID 2880 wrote to memory of 556 2880 hhbhtb.exe 37 PID 556 wrote to memory of 2632 556 vvddv.exe 111 PID 556 wrote to memory of 2632 556 vvddv.exe 111 PID 556 wrote to memory of 2632 556 vvddv.exe 111 PID 556 wrote to memory of 2632 556 
vvddv.exe 111 PID 2632 wrote to memory of 3068 2632 3vvpj.exe 39 PID 2632 wrote to memory of 3068 2632 3vvpj.exe 39 PID 2632 wrote to memory of 3068 2632 3vvpj.exe 39 PID 2632 wrote to memory of 3068 2632 3vvpj.exe 39 PID 3068 wrote to memory of 528 3068 ttnbth.exe 114 PID 3068 wrote to memory of 528 3068 ttnbth.exe 114 PID 3068 wrote to memory of 528 3068 ttnbth.exe 114 PID 3068 wrote to memory of 528 3068 ttnbth.exe 114 PID 528 wrote to memory of 2040 528 ttthth.exe 41 PID 528 wrote to memory of 2040 528 ttthth.exe 41 PID 528 wrote to memory of 2040 528 ttthth.exe 41 PID 528 wrote to memory of 2040 528 ttthth.exe 41 PID 2040 wrote to memory of 1428 2040 vvpdp.exe 42 PID 2040 wrote to memory of 1428 2040 vvpdp.exe 42 PID 2040 wrote to memory of 1428 2040 vvpdp.exe 42 PID 2040 wrote to memory of 1428 2040 vvpdp.exe 42 PID 1428 wrote to memory of 1652 1428 rrfxffr.exe 43 PID 1428 wrote to memory of 1652 1428 rrfxffr.exe 43 PID 1428 wrote to memory of 1652 1428 rrfxffr.exe 43 PID 1428 wrote to memory of 1652 1428 rrfxffr.exe 43 PID 1652 wrote to memory of 1740 1652 fxrxlxl.exe 44 PID 1652 wrote to memory of 1740 1652 fxrxlxl.exe 44 PID 1652 wrote to memory of 1740 1652 fxrxlxl.exe 44 PID 1652 wrote to memory of 1740 1652 fxrxlxl.exe 44 PID 1740 wrote to memory of 1500 1740 ttthbh.exe 45 PID 1740 wrote to memory of 1500 1740 ttthbh.exe 45 PID 1740 wrote to memory of 1500 1740 ttthbh.exe 45 PID 1740 wrote to memory of 1500 1740 ttthbh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b84eb741b8fcfcd892fca53f4af597c0N.exe"C:\Users\Admin\AppData\Local\Temp\b84eb741b8fcfcd892fca53f4af597c0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\nhbhtt.exec:\nhbhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\fxrflrf.exec:\fxrflrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\frrxxfl.exec:\frrxxfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\jjjvd.exec:\jjjvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\fxrrflx.exec:\fxrrflx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\fxxfrxl.exec:\fxxfrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\hhbhtb.exec:\hhbhtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\vvddv.exec:\vvddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\3vvpj.exec:\3vvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\ttnbth.exec:\ttnbth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\ttthth.exec:\ttthth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\vvpdp.exec:\vvpdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\rrfxffr.exec:\rrfxffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\fxrxlxl.exec:\fxrxlxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\ttthbh.exec:\ttthbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\vvpvd.exec:\vvpvd.exe17⤵
- Executes dropped EXE
PID:1500 -
\??\c:\jvjpd.exec:\jvjpd.exe18⤵
- Executes dropped EXE
PID:1596 -
\??\c:\lfxrxfl.exec:\lfxrxfl.exe19⤵
- Executes dropped EXE
PID:2868 -
\??\c:\tnbhtb.exec:\tnbhtb.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2680 -
\??\c:\3bbntb.exec:\3bbntb.exe21⤵
- Executes dropped EXE
PID:2504 -
\??\c:\3dvjv.exec:\3dvjv.exe22⤵
- Executes dropped EXE
PID:2212 -
\??\c:\rlflxlf.exec:\rlflxlf.exe23⤵
- Executes dropped EXE
PID:2920 -
\??\c:\bhbhnt.exec:\bhbhnt.exe24⤵
- Executes dropped EXE
PID:1136 -
\??\c:\5nbhnt.exec:\5nbhnt.exe25⤵
- Executes dropped EXE
PID:1524 -
\??\c:\7vdvd.exec:\7vdvd.exe26⤵
- Executes dropped EXE
PID:1884 -
\??\c:\7rrxflr.exec:\7rrxflr.exe27⤵
- Executes dropped EXE
PID:924 -
\??\c:\lrrfxll.exec:\lrrfxll.exe28⤵
- Executes dropped EXE
PID:2956 -
\??\c:\pjvjp.exec:\pjvjp.exe29⤵
- Executes dropped EXE
PID:1612 -
\??\c:\lxxfrxx.exec:\lxxfrxx.exe30⤵
- Executes dropped EXE
PID:2156 -
\??\c:\tbnthn.exec:\tbnthn.exe31⤵
- Executes dropped EXE
PID:2700 -
\??\c:\9ppjv.exec:\9ppjv.exe32⤵
- Executes dropped EXE
PID:1880 -
\??\c:\xrrrrxr.exec:\xrrrrxr.exe33⤵
- Executes dropped EXE
PID:2552 -
\??\c:\9rxlxlx.exec:\9rxlxlx.exe34⤵
- Executes dropped EXE
PID:2208 -
\??\c:\bbnthn.exec:\bbnthn.exe35⤵
- Executes dropped EXE
PID:2316 -
\??\c:\dpvjj.exec:\dpvjj.exe36⤵
- Executes dropped EXE
PID:1592 -
\??\c:\xxxfxxl.exec:\xxxfxxl.exe37⤵
- Executes dropped EXE
PID:2244 -
\??\c:\lffrffx.exec:\lffrffx.exe38⤵
- Executes dropped EXE
PID:2256 -
\??\c:\9hnntb.exec:\9hnntb.exe39⤵
- Executes dropped EXE
PID:2344 -
\??\c:\3dvvj.exec:\3dvvj.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\vpjvj.exec:\vpjvj.exe41⤵
- Executes dropped EXE
PID:2908 -
\??\c:\lfflrxf.exec:\lfflrxf.exe42⤵
- Executes dropped EXE
PID:2884 -
\??\c:\nhhtbh.exec:\nhhtbh.exe43⤵
- Executes dropped EXE
PID:2808 -
\??\c:\1pjdv.exec:\1pjdv.exe44⤵
- Executes dropped EXE
PID:2648 -
\??\c:\pvddv.exec:\pvddv.exe45⤵
- Executes dropped EXE
PID:2664 -
\??\c:\rflllfx.exec:\rflllfx.exe46⤵
- Executes dropped EXE
PID:2916 -
\??\c:\3nhnbb.exec:\3nhnbb.exe47⤵
- Executes dropped EXE
PID:112 -
\??\c:\pdppv.exec:\pdppv.exe48⤵
- Executes dropped EXE
PID:688 -
\??\c:\jppdp.exec:\jppdp.exe49⤵
- Executes dropped EXE
PID:604 -
\??\c:\xrlrffl.exec:\xrlrffl.exe50⤵
- Executes dropped EXE
PID:860 -
\??\c:\bhhnhh.exec:\bhhnhh.exe51⤵
- Executes dropped EXE
PID:1492 -
\??\c:\jddpd.exec:\jddpd.exe52⤵
- Executes dropped EXE
PID:1688 -
\??\c:\ppppp.exec:\ppppp.exe53⤵
- Executes dropped EXE
PID:2888 -
\??\c:\3flxlfl.exec:\3flxlfl.exe54⤵
- Executes dropped EXE
PID:596 -
\??\c:\nhbnbh.exec:\nhbnbh.exe55⤵
- Executes dropped EXE
PID:2680 -
\??\c:\jvvvv.exec:\jvvvv.exe56⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jvvpd.exec:\jvvpd.exe57⤵
- Executes dropped EXE
PID:1672 -
\??\c:\7llrxfl.exec:\7llrxfl.exe58⤵
- Executes dropped EXE
PID:1136 -
\??\c:\7ppdj.exec:\7ppdj.exe59⤵
- Executes dropped EXE
PID:448 -
\??\c:\xfxlxlx.exec:\xfxlxlx.exe60⤵
- Executes dropped EXE
PID:2092 -
\??\c:\tbbnbn.exec:\tbbnbn.exe61⤵
- Executes dropped EXE
PID:2000 -
\??\c:\btnbtb.exec:\btnbtb.exe62⤵
- Executes dropped EXE
PID:1460 -
\??\c:\pvvjd.exec:\pvvjd.exe63⤵
- Executes dropped EXE
PID:628 -
\??\c:\llrxlfl.exec:\llrxlfl.exe64⤵
- Executes dropped EXE
PID:1504 -
\??\c:\hbbhth.exec:\hbbhth.exe65⤵
- Executes dropped EXE
PID:2216 -
\??\c:\jvpdv.exec:\jvpdv.exe66⤵PID:1680
-
\??\c:\djjdp.exec:\djjdp.exe67⤵PID:1956
-
\??\c:\rlfrflx.exec:\rlfrflx.exe68⤵PID:2132
-
\??\c:\btnbnt.exec:\btnbnt.exe69⤵PID:1052
-
\??\c:\vpjdv.exec:\vpjdv.exe70⤵PID:2520
-
\??\c:\rxxlflf.exec:\rxxlflf.exe71⤵PID:2280
-
\??\c:\thbhbn.exec:\thbhbn.exe72⤵PID:2256
-
\??\c:\vppvj.exec:\vppvj.exe73⤵PID:1992
-
\??\c:\frflllf.exec:\frflllf.exe74⤵PID:2760
-
\??\c:\5nbbhh.exec:\5nbbhh.exe75⤵PID:2800
-
\??\c:\pvpdp.exec:\pvpdp.exe76⤵PID:2848
-
\??\c:\jpjjp.exec:\jpjjp.exe77⤵PID:2764
-
\??\c:\lffxrll.exec:\lffxrll.exe78⤵PID:2452
-
\??\c:\7hnthh.exec:\7hnthh.exe79⤵PID:2828
-
\??\c:\ntntht.exec:\ntntht.exe80⤵PID:2664
-
\??\c:\vpjpp.exec:\vpjpp.exe81⤵PID:2656
-
\??\c:\dvpvp.exec:\dvpvp.exe82⤵PID:2916
-
\??\c:\3llflff.exec:\3llflff.exe83⤵PID:2632
-
\??\c:\hbhnnh.exec:\hbhnnh.exe84⤵PID:556
-
\??\c:\3bnbhn.exec:\3bnbhn.exe85⤵PID:1392
-
\??\c:\ppjpv.exec:\ppjpv.exe86⤵PID:528
-
\??\c:\vvpjd.exec:\vvpjd.exe87⤵PID:2784
-
\??\c:\fxxlflf.exec:\fxxlflf.exe88⤵PID:1780
-
\??\c:\3fxlxxf.exec:\3fxlxxf.exe89⤵PID:1824
-
\??\c:\bhbthn.exec:\bhbthn.exe90⤵PID:2024
-
\??\c:\bbthbn.exec:\bbthbn.exe91⤵PID:2888
-
\??\c:\vppvp.exec:\vppvp.exe92⤵PID:2608
-
\??\c:\pvvdp.exec:\pvvdp.exe93⤵PID:1940
-
\??\c:\lrxlxfl.exec:\lrxlxfl.exe94⤵PID:2088
-
\??\c:\xxxfxfx.exec:\xxxfxfx.exe95⤵PID:2212
-
\??\c:\nnbbnb.exec:\nnbbnb.exe96⤵PID:1828
-
\??\c:\nhthtb.exec:\nhthtb.exe97⤵PID:1672
-
\??\c:\vvpdv.exec:\vvpdv.exe98⤵PID:1072
-
\??\c:\djpdv.exec:\djpdv.exe99⤵PID:496
-
\??\c:\rrlfxff.exec:\rrlfxff.exe100⤵PID:108
-
\??\c:\xxxlxfr.exec:\xxxlxfr.exe101⤵PID:2392
-
\??\c:\3hhtbb.exec:\3hhtbb.exe102⤵PID:2224
-
\??\c:\httntb.exec:\httntb.exe103⤵PID:2796
-
\??\c:\vvvjj.exec:\vvvjj.exe104⤵PID:960
-
\??\c:\rrlxxlr.exec:\rrlxxlr.exe105⤵PID:2128
-
\??\c:\3lfrxlx.exec:\3lfrxlx.exe106⤵PID:1796
-
\??\c:\ttttbn.exec:\ttttbn.exe107⤵PID:2236
-
\??\c:\btthtb.exec:\btthtb.exe108⤵PID:1972
-
\??\c:\jjpjj.exec:\jjpjj.exe109⤵PID:2216
-
\??\c:\9jjdp.exec:\9jjdp.exe110⤵PID:2472
-
\??\c:\1xxfrlx.exec:\1xxfrlx.exe111⤵PID:2540
-
\??\c:\xrfrxfl.exec:\xrfrxfl.exe112⤵PID:2688
-
\??\c:\nbnhht.exec:\nbnhht.exe113⤵PID:2300
-
\??\c:\3bhhhb.exec:\3bhhhb.exe114⤵PID:1624
-
\??\c:\9jdpp.exec:\9jdpp.exe115⤵PID:2560
-
\??\c:\flflfrf.exec:\flflfrf.exe116⤵PID:1580
-
\??\c:\5xflrxf.exec:\5xflrxf.exe117⤵PID:2360
-
\??\c:\bntnbb.exec:\bntnbb.exe118⤵PID:2112
-
\??\c:\hhhtht.exec:\hhhtht.exe119⤵PID:2908
-
\??\c:\jvvjp.exec:\jvvjp.exe120⤵PID:2884
-
\??\c:\vppvp.exec:\vppvp.exe121⤵PID:2848
-
\??\c:\xflflff.exec:\xflflff.exe122⤵PID:2628