Analysis

max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/11/2024, 22:12

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe
  Resource: win7-20240903-en
  7 signatures, 150 seconds
General

Target: 4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe
Size: 452KB
MD5: bd5f899c7b74ff1b9f1e2ac928f43181
SHA1: 89608414370638927d5ef841fffdec184746d8a5
SHA256: 4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646
SHA512: 520d834259bbf2950ed8116aa0cf9c4dfe82ed132564eb00ad74295357bcfde575f44258d1c6a4046604c219d82d5af497059aa529b1c8da5fbfb6445e4b8051
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (45 IoCs)
yara_rule family_blackmoon matched the following memory-dump resources. Every matched region is 0x2A000 bytes long, whether it sits at the image base 0x400000 or at another base.
behavioral1/memory/2916-7-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3044-17-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1856-21-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2804-29-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1936-38-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1936-41-0x00000000003C0000-0x00000000003EA000-memory.dmp
behavioral1/memory/1936-43-0x00000000003C0000-0x00000000003EA000-memory.dmp
behavioral1/memory/2904-55-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2752-65-0x00000000003B0000-0x00000000003DA000-memory.dmp
behavioral1/memory/2872-86-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2632-98-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3056-109-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1536-128-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1536-126-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2156-145-0x0000000000430000-0x000000000045A000-memory.dmp
behavioral1/memory/2156-147-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/592-157-0x0000000000430000-0x000000000045A000-memory.dmp
behavioral1/memory/1572-165-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1712-175-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1612-184-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3004-203-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1280-213-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/648-222-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1268-240-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2224-257-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3016-283-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1504-315-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1924-322-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1936-341-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2908-349-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2072-396-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1740-411-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2800-454-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2304-506-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2796-525-0x00000000003B0000-0x00000000003DA000-memory.dmp
behavioral1/memory/1012-548-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2820-626-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2200-670-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2876-727-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2876-746-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1332-765-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2440-816-0x00000000002C0000-0x00000000002EA000-memory.dmp
behavioral1/memory/2368-853-0x00000000001C0000-0x00000000001EA000-memory.dmp
behavioral1/memory/1568-1117-0x0000000000400000-0x000000000042A000-memory.dmp
Executes dropped EXE (64 IoCs)
pid   Process
3044  7nnhtt.exe
1856  9djpv.exe
2804  rrllxxf.exe
1936  jpdjp.exe
2904  bbhntb.exe
2752  hhhnth.exe
2892  jvppv.exe
2872  rxlfrll.exe
2632  nhbbbt.exe
3056  djpdv.exe
1740  flfxrxx.exe
1536  nntnhb.exe
1876  djvdd.exe
2156  dddjp.exe
592   ppjpj.exe
1572  lrxllff.exe
1712  nnnnht.exe
1612  bhnthh.exe
2940  bhbbbt.exe
3004  xfxrfrf.exe
1280  pvpvv.exe
648   httnnb.exe
1288  xxxxrxr.exe
1268  htbtnh.exe
2212  ddjvj.exe
2224  vddpv.exe
584   xffxrxx.exe
1664  xffxrrl.exe
3016  nhhttn.exe
2016  xxfrfxx.exe
2916  hhhnnn.exe
2112  bthnnn.exe
1504  pjdpv.exe
1924  flrrrfr.exe
2804  pdjdd.exe
2852  xlxrrrr.exe
1936  nbbnnh.exe
2908  dvvvp.exe
2744  rrfxlfx.exe
2720  vvdjv.exe
2784  vpvjj.exe
2628  xffrlrf.exe
2692  bbhnnh.exe
2152  pjdjd.exe
2072  5lxfxxx.exe
2516  tbnhnh.exe
1740  lxllxfx.exe
1536  nhthth.exe
536   jpjpd.exe
1972  lrfffxf.exe
1684  thnnth.exe
1608  jpppv.exe
1912  pppdd.exe
2800  rrlrfrf.exe
576   ttbtht.exe
1612  7pdjd.exe
1224  ffxrfrf.exe
3000  nhhtnb.exe
1808  xlxxrfr.exe
1036  7tbnhb.exe
1640  pjddd.exe
2304  rffrlrf.exe
2144  hhhhbh.exe
1428  jjjvp.exe
yara_rule upx matched the following memory-dump resources (the signature heading for this block is not present on the page):
behavioral1/memory/2916-0-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2916-7-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3044-17-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1856-21-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2804-29-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1936-38-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2904-55-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2892-68-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2872-86-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2632-98-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3056-109-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1536-128-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2156-147-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1572-165-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1712-175-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1612-184-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3004-203-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3004-194-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1280-213-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/648-217-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/648-222-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1268-240-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2224-257-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3016-283-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1504-315-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1924-322-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1936-341-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2908-349-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2692-376-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2072-396-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1740-404-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1740-411-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2800-454-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2304-506-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1640-520-0x00000000001B0000-0x00000000001DA000-memory.dmp
behavioral1/memory/1012-541-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/912-549-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1496-587-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2220-600-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2848-613-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2820-626-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2200-663-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2200-670-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1764-713-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2876-720-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2220-878-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2680-921-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1652-977-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1568-1117-0x0000000000400000-0x000000000042A000-memory.dmp
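The dump resource names in the two yara_rule lists above carry structure worth pulling out before reading them by eye: task, PID, event sequence number, and the start and end of the dumped region. The following is an added example, not part of the sandbox report; it parses a subset of the names listed above (copied verbatim from this report) to show that every matched region is the same size, that some processes carry the family signature at more than one base address, and which dumps hit both the upx and the family_blackmoon rule.

```python
import re
from collections import defaultdict

# Resource names copied from the two yara_rule lists in this report
# (a subset of the 45 family_blackmoon and 50 upx hits).
BLACKMOON_DUMPS = [
    "behavioral1/memory/2916-7-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/1936-38-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/1936-41-0x00000000003C0000-0x00000000003EA000-memory.dmp",
    "behavioral1/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/2752-65-0x00000000003B0000-0x00000000003DA000-memory.dmp",
    "behavioral1/memory/592-157-0x0000000000430000-0x000000000045A000-memory.dmp",
]
UPX_DUMPS = [
    "behavioral1/memory/2916-0-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/2916-7-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/1936-38-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/648-217-0x0000000000220000-0x000000000024A000-memory.dmp",
]

# <task>/memory/<pid>-<event seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name: str) -> dict:
    """Split a dump resource name into task, pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    d = m.groupdict()
    return {
        "task": d["task"],
        "pid": int(d["pid"]),
        "seq": int(d["seq"]),
        "start": int(d["start"], 16),
        "end": int(d["end"], 16),
    }


def region_sizes(names):
    """Distinct sizes (end - start) of the dumped regions."""
    return {r["end"] - r["start"] for r in map(parse_dump, names)}


def bases_by_pid(names):
    """pid -> sorted base addresses at which the rule matched in that process."""
    out = defaultdict(set)
    for r in map(parse_dump, names):
        out[r["pid"]].add(r["start"])
    return {pid: sorted(b) for pid, b in out.items()}


def pids_with_multiple_bases(names):
    """Processes in which the rule matched at more than one base address."""
    return sorted(pid for pid, b in bases_by_pid(names).items() if len(b) > 1)


def matched_by_both(a, b):
    """Dumps that hit both rules: a UPX-packed image that also carries the family signature."""
    return sorted(set(a) & set(b))


if __name__ == "__main__":
    print("region sizes:", [hex(s) for s in sorted(region_sizes(BLACKMOON_DUMPS + UPX_DUMPS))])
    print("blackmoon at more than one base:", pids_with_multiple_bases(BLACKMOON_DUMPS))
    for n in matched_by_both(BLACKMOON_DUMPS, UPX_DUMPS):
        print("both rules:", n)
```

Run against the full lists on this page, the same functions report a single region size (0x2A000) for all 95 hits; the size is the fastest way to confirm that the region dumped from each dropped process is the same image rather than a set of unrelated allocations.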
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key for all 64 events)
Process, in report order ("Process not Found" means the sandbox could not attribute the event to a process it still had a record of):
Process not Found (7), tbttnt.exe, 1nbhbb.exe, Process not Found (3), thhttt.exe, fxrfrxl.exe, tbtnnt.exe, Process not Found (3), pdvjv.exe, Process not Found, dpvjj.exe, Process not Found,
rrxxlxx.exe, pjdpv.exe, 3pjvp.exe, Process not Found (3), rlflxfl.exe, xffxrrl.exe, btnnbh.exe, Process not Found (3), frxfxfx.exe, Process not Found (5), nthnhn.exe, Process not Found (2), pjddp.exe, dpddj.exe,
thttbn.exe, Process not Found (3), pppjj.exe, Process not Found (3), hhtnnb.exe, rfffffr.exe, Process not Found (2), rxxlxrr.exe, Process not Found (3), lllrlrr.exe, pvddv.exe, Process not Found
(24 events attributed to a named process, 40 not attributed.)
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent -> child hop below appears four times in the report (four WriteProcessMemory calls by the parent into its child); the 16 hops are listed once each with the repeat count. procid_target is the sandbox's own index of the target process.
pid   Process                                                                 -> target pid  procid_target  writes
2916  4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe  -> 3044        30             4
3044  7nnhtt.exe   -> 1856  31  4
1856  9djpv.exe    -> 2804  32  4
2804  rrllxxf.exe  -> 1936  33  4
1936  jpdjp.exe    -> 2904  34  4
2904  bbhntb.exe   -> 2752  35  4
2752  hhhnth.exe   -> 2892  36  4
2892  jvppv.exe    -> 2872  37  4
2872  rxlfrll.exe  -> 2632  38  4
2632  nhbbbt.exe   -> 3056  39  4
3056  djpdv.exe    -> 1740  40  4
1740  flfxrxx.exe  -> 1536  41  4
1536  nntnhb.exe   -> 1876  42  4
1876  djvdd.exe    -> 2156  43  4
2156  dddjp.exe    -> 592   44  4
592   ppjpj.exe    -> 1572  45  4
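The WriteProcessMemory records and the process tree that follows are the two places this report shows the drop-and-inject chain. The following is an added example, not part of the sandbox report: it parses the records in the flattened form the report uses, rebuilds the parent -> child chain, counts writes per hop, flags PIDs that recur in the tree (the earlier holder must have exited first), and checks file names against the naming pattern every dropped executable on this page follows. The name regex is derived from this one sample and is a hunting heuristic, not a published family rule; the PID list is a subset of the tree's PIDs (levels 1 to 5 and 32 to 38).

```python
import re
from collections import Counter

# WriteProcessMemory records exactly as this report flattens them: the first
# three hops, each recorded four times. The remaining 13 hops have the same shape.
WPM_RECORDS = " ".join(
    ["PID 2916 wrote to memory of 3044 2916 "
     "4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe 30"] * 4
    + ["PID 3044 wrote to memory of 1856 3044 7nnhtt.exe 31"] * 4
    + ["PID 1856 wrote to memory of 2804 1856 9djpv.exe 32"] * 4
)

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
HOP_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)"
)


def parse_hops(text):
    """(src_pid, dst_pid, src_image) for every record, duplicates included."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in HOP_RE.finditer(text)]


def write_counts(text):
    """Number of WriteProcessMemory events per parent -> child pair."""
    return Counter((s, d) for s, d, _ in parse_hops(text))


def build_chain(text, root):
    """Follow parent -> child edges from root. Stops at a leaf, at a fan-out
    (more than one child, so not a simple chain) or at a PID already visited."""
    children = {}
    for s, d, _ in parse_hops(text):
        children.setdefault(s, set()).add(d)
    chain, seen = [root], {root}
    while chain[-1] in children:
        nxt = children[chain[-1]]
        if len(nxt) != 1:
            break
        (child,) = nxt
        if child in seen:
            break
        chain.append(child)
        seen.add(child)
    return chain


# PIDs from the process tree in this report: levels 1-5, then levels 32-38.
TREE_PIDS = [2916, 3044, 1856, 2804, 1936, 2916, 2112, 1504, 1924, 2804, 2852, 1936]


def reused_pids(pids):
    """PIDs that occur more than once in a linear chain: the earlier holder
    had to exit before Windows could hand the PID to the later process."""
    return sorted(p for p, n in Counter(pids).items() if n > 1)


# Every dropped file name in this report is an optional leading digit followed by
# five to seven letters from the 12-letter alphabet b d f h j l n p r t v x.
# Derived from this sample only; treat as a hunting heuristic (assumption).
DROPPED_NAME_RE = re.compile(r"^[0-9]?[bdfhjlnprtvx]{5,7}\.exe$")


def looks_like_dropped_name(filename):
    return bool(DROPPED_NAME_RE.match(filename.lower()))


if __name__ == "__main__":
    print("chain:", build_chain(WPM_RECORDS, 2916))
    print("writes per hop:", dict(write_counts(WPM_RECORDS)))
    print("reused PIDs:", reused_pids(TREE_PIDS))
    for n in ("7nnhtt.exe", "5lxfxxx.exe", "rrllxxf.exe", "svchost.exe"):
        print(n, looks_like_dropped_name(n))
```

The chain builder deliberately stops on fan-out and on a revisited PID, because a report that reuses PIDs (as this one does from level 32 onward) would otherwise produce a cycle if the records were keyed on PID alone.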
Processes

The tree is a single chain: each level is the child of the level above it (the report's "N⤵" marker is the nesting depth). For every level from 2 onward the image path is \??\c:\<name> and the command line is c:\<name>; the root is launched from the sample's submission path. Signature tags: [E] Executes dropped EXE, [W] Suspicious use of WriteProcessMemory, [L] System Location Discovery: System Language Discovery. The Executes dropped EXE list is capped at 64 entries (levels 2 to 65), so deeper levels carry no [E] tag. Several PIDs recur later in the chain (2916 at levels 1 and 32, 2804 at 4 and 36, 1936 at 5 and 38, among others), so the earlier holders had already exited when the later processes were created.

level  image  PID  tags
1    C:\Users\Admin\AppData\Local\Temp\4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe  2916  [W]
     (command line: "C:\Users\Admin\AppData\Local\Temp\4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe")
2    7nnhtt.exe   3044  [E] [W]
3    9djpv.exe    1856  [E] [W]
4    rrllxxf.exe  2804  [E] [W]
5    jpdjp.exe    1936  [E] [W]
6    bbhntb.exe   2904  [E] [W]
7    hhhnth.exe   2752  [E] [W]
8    jvppv.exe    2892  [E] [W]
9    rxlfrll.exe  2872  [E] [W]
10   nhbbbt.exe   2632  [E] [W]
11   djpdv.exe    3056  [E] [W]
12   flfxrxx.exe  1740  [E] [W]
13   nntnhb.exe   1536  [E] [W]
14   djvdd.exe    1876  [E] [W]
15   dddjp.exe    2156  [E] [W]
16   ppjpj.exe    592   [E] [W]
17   lrxllff.exe  1572  [E]
18   nnnnht.exe   1712  [E]
19   bhnthh.exe   1612  [E]
20   bhbbbt.exe   2940  [E]
21   xfxrfrf.exe  3004  [E]
22   pvpvv.exe    1280  [E]
23   httnnb.exe   648   [E]
24   xxxxrxr.exe  1288  [E]
25   htbtnh.exe   1268  [E]
26   ddjvj.exe    2212  [E]
27   vddpv.exe    2224  [E]
28   xffxrxx.exe  584   [E]
29   xffxrrl.exe  1664  [E] [L]
30   nhhttn.exe   3016  [E]
31   xxfrfxx.exe  2016  [E]
32   hhhnnn.exe   2916  [E]
33   bthnnn.exe   2112  [E]
34   pjdpv.exe    1504  [E]
35   flrrrfr.exe  1924  [E]
36   pdjdd.exe    2804  [E]
37   xlxrrrr.exe  2852  [E]
38   nbbnnh.exe   1936  [E]
39   dvvvp.exe    2908  [E]
40   rrfxlfx.exe  2744  [E]
41   vvdjv.exe    2720  [E]
42   vpvjj.exe    2784  [E]
43   xffrlrf.exe  2628  [E]
44   bbhnnh.exe   2692  [E]
45   pjdjd.exe    2152  [E]
46   5lxfxxx.exe  2072  [E]
47   tbnhnh.exe   2516  [E]
48   lxllxfx.exe  1740  [E]
49   nhthth.exe   1536  [E]
50   jpjpd.exe    536   [E]
51   lrfffxf.exe  1972  [E]
52   thnnth.exe   1684  [E]
53   jpppv.exe    1608  [E]
54   pppdd.exe    1912  [E]
55   rrlrfrf.exe  2800  [E]
56   ttbtht.exe   576   [E]
57   7pdjd.exe    1612  [E]
58   ffxrfrf.exe  1224  [E]
59   nhhtnb.exe   3000  [E]
60   xlxxrfr.exe  1808  [E]
61   7tbnhb.exe   1036  [E]
62   pjddd.exe    1640  [E]
63   rffrlrf.exe  2304  [E]
64   hhhhbh.exe   2144  [E]
65   jjjvp.exe    1428  [E]
66   xxxxfxl.exe  2796
67   tnnbtb.exe   2212
68   vvvpp.exe    1004
69   lxrflxr.exe  1012
70   htbtbt.exe   912
71   xfxxffl.exe  2088
72   xxlfrfr.exe  2096
73   bnnhhn.exe   2196
74   pvvpv.exe    1376
75   ntthbn.exe   2580
76   dvppd.exe    1496
77   rlxrlrl.exe  2920
78   ntbthn.exe   2220
79   lfxxffl.exe  2900
80   fffrlrx.exe  2848
81   jpjdj.exe    2820
82   9lfrxll.exe  2936
83   thhbhn.exe   2640
84   djpvv.exe    2788
85   lflrflr.exe  2680
86   nnhbbh.exe   2628
87   pdvjv.exe    2692  [L]
88   rrxxxxf.exe  2200
89   tnbhnn.exe   2072
90   jpdjv.exe    684
91   lxrfxrl.exe  1520
92   hhhthh.exe   2148
93   pvpjv.exe    2432
94   lllrlrr.exe  1652  [L]
95   bbthtb.exe   2028
96   5pjjj.exe    1764
97   frxfxfx.exe  2876  [L]
98   bbtbht.exe   1488
99   lllfxrl.exe  576
100  tbbtnt.exe   1612
101  vdpjj.exe    1436
102  9rllrrf.exe  3004
103  hbhhnn.exe   1332
104  vjdpd.exe    2956
105  rfrlxxf.exe  856
106  hhtnnb.exe   2464  [L]
107  jppvd.exe    2448
108  5rfllfr.exe  2816
109  nnthnn.exe   2532
110  ppvjd.exe    1252
111  rrlrlrx.exe  2440
112  bnbhtb.exe   1848
113  7djdd.exe    2360
114  frfxllx.exe  3016
115  nbthtb.exe   2204
116  lfxxffr.exe  3032
117  bthntt.exe   2368
118  pppvd.exe    1672
119  xflfrxf.exe  1504
120  tnbntt.exe   1496
121  vdpvd.exe    2896
122  xlxfffl.exe  2220