Analysis
-
max time kernel
35s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
04/11/2024, 14:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe
-
Size
455KB
-
MD5
19284ed11f96c554f8d5384c60e5f050
-
SHA1
ee195535422fff1bdb983ac8c01b9e09efac4e36
-
SHA256
329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027
-
SHA512
d10edff61f8d00a55a568d2ea090e07b5af79ac8665a4b3b35015ac066cd7c756ecc84cb45884fd0f5677732fe479a4b44f841bfcf2ced51a41d7dd7171e2afc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRn:q7Tc2NYHUrAwfMp3CDRn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2084-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-29-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2868-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-50-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2728-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-69-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2760-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-145-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1560-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-157-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2268-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2664-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-266-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2256-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-290-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2900-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/112-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-313-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2948-320-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2948-324-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2992-331-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2352-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-339-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2856-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-348-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2856-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-377-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon 
behavioral1/memory/2832-383-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1152-410-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1716-420-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2152-469-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2444-495-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/3064-562-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2336-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-645-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2768-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2372 ttttht.exe 3000 dvjpd.exe 2868 vjdjv.exe 2724 hntnht.exe 2728 lfxrrff.exe 2436 bnthnb.exe 2760 pjvpv.exe 1492 xrlxrxr.exe 2316 vpjpd.exe 1020 nnhhhb.exe 1384 jjvdp.exe 1924 3dvdj.exe 2416 ddvvj.exe 1560 rlrrlfl.exe 1656 dvdjp.exe 1352 9rfrflr.exe 2268 thtnnn.exe 2240 ffflxfl.exe 2216 pjvvp.exe 1620 bthtbh.exe 696 jdpdv.exe 3052 nhhbhn.exe 968 frxxxxl.exe 2664 tntntt.exe 1468 llffflf.exe 904 bbtbhn.exe 2256 nhbhhh.exe 2488 vjppv.exe 2280 pvppp.exe 112 ddvvd.exe 2900 bnnnnn.exe 1988 ddpjj.exe 2948 nhntnb.exe 2992 hbtbhh.exe 2352 xfxxllx.exe 2716 xxrflff.exe 2856 pdjpp.exe 2720 tbnnht.exe 2860 3jddj.exe 2612 rxflllx.exe 2832 pjvdj.exe 2972 ttnbnt.exe 1764 vdpjj.exe 1712 xfxlflx.exe 1152 bhbthb.exe 1636 xlxllfl.exe 1716 pdvdp.exe 2396 nntttt.exe 2416 lffrlrr.exe 1544 bbtbnn.exe 1916 hnhhnt.exe 1580 vpjpv.exe 2460 rfrxxlf.exe 2152 hnnthh.exe 812 rllflrx.exe 632 bnbbnt.exe 1828 dpjjp.exe 2444 bbbntb.exe 448 jvpdj.exe 696 httntb.exe 1204 rlxfxfr.exe 2636 hnhnhn.exe 2212 djjpv.exe 1224 rrfrrxf.exe -
resource yara_rule behavioral1/memory/2084-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-281-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2900-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-297-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2352-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/344-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-631-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2584-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-666-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxllff.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbbh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 2372 2084 329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe 30 PID 2084 wrote to memory of 2372 2084 329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe 30 PID 2084 wrote to memory of 2372 2084 329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe 30 PID 2084 wrote to memory of 2372 2084 329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe 30 PID 2372 wrote to memory of 3000 2372 ttttht.exe 31 PID 2372 wrote to memory of 3000 2372 ttttht.exe 31 PID 2372 wrote to memory of 3000 2372 ttttht.exe 31 PID 2372 wrote to memory of 3000 2372 ttttht.exe 31 PID 3000 wrote to memory of 2868 3000 dvjpd.exe 32 PID 3000 wrote to memory of 2868 3000 dvjpd.exe 32 PID 3000 wrote to memory of 2868 3000 dvjpd.exe 32 PID 3000 wrote to memory of 2868 3000 dvjpd.exe 32 PID 2868 wrote to memory of 2724 2868 vjdjv.exe 33 PID 2868 wrote to memory of 2724 2868 vjdjv.exe 33 PID 2868 wrote to memory of 2724 2868 vjdjv.exe 33 PID 2868 wrote to memory of 2724 2868 vjdjv.exe 33 PID 2724 wrote to memory of 2728 2724 hntnht.exe 34 PID 2724 wrote to memory of 2728 2724 hntnht.exe 34 PID 2724 wrote to memory of 2728 2724 hntnht.exe 34 PID 2724 wrote to memory of 2728 2724 hntnht.exe 34 PID 2728 wrote to memory of 2436 2728 lfxrrff.exe 35 PID 2728 wrote to memory of 2436 2728 lfxrrff.exe 35 PID 2728 wrote to memory of 2436 2728 lfxrrff.exe 35 PID 2728 wrote to memory of 2436 2728 lfxrrff.exe 35 PID 2436 wrote to memory of 2760 2436 bnthnb.exe 36 PID 2436 wrote to memory of 2760 2436 bnthnb.exe 36 PID 2436 wrote to memory of 2760 2436 bnthnb.exe 36 PID 2436 wrote to memory of 2760 2436 bnthnb.exe 36 PID 2760 wrote to memory of 1492 2760 pjvpv.exe 37 PID 2760 wrote to memory of 1492 2760 pjvpv.exe 37 PID 2760 wrote to memory of 1492 2760 pjvpv.exe 37 PID 2760 wrote to memory of 1492 2760 pjvpv.exe 37 PID 1492 wrote to memory of 2316 1492 xrlxrxr.exe 38 PID 1492 wrote 
to memory of 2316 1492 xrlxrxr.exe 38 PID 1492 wrote to memory of 2316 1492 xrlxrxr.exe 38 PID 1492 wrote to memory of 2316 1492 xrlxrxr.exe 38 PID 2316 wrote to memory of 1020 2316 vpjpd.exe 39 PID 2316 wrote to memory of 1020 2316 vpjpd.exe 39 PID 2316 wrote to memory of 1020 2316 vpjpd.exe 39 PID 2316 wrote to memory of 1020 2316 vpjpd.exe 39 PID 1020 wrote to memory of 1384 1020 nnhhhb.exe 40 PID 1020 wrote to memory of 1384 1020 nnhhhb.exe 40 PID 1020 wrote to memory of 1384 1020 nnhhhb.exe 40 PID 1020 wrote to memory of 1384 1020 nnhhhb.exe 40 PID 1384 wrote to memory of 1924 1384 jjvdp.exe 41 PID 1384 wrote to memory of 1924 1384 jjvdp.exe 41 PID 1384 wrote to memory of 1924 1384 jjvdp.exe 41 PID 1384 wrote to memory of 1924 1384 jjvdp.exe 41 PID 1924 wrote to memory of 2416 1924 3dvdj.exe 42 PID 1924 wrote to memory of 2416 1924 3dvdj.exe 42 PID 1924 wrote to memory of 2416 1924 3dvdj.exe 42 PID 1924 wrote to memory of 2416 1924 3dvdj.exe 42 PID 2416 wrote to memory of 1560 2416 ddvvj.exe 43 PID 2416 wrote to memory of 1560 2416 ddvvj.exe 43 PID 2416 wrote to memory of 1560 2416 ddvvj.exe 43 PID 2416 wrote to memory of 1560 2416 ddvvj.exe 43 PID 1560 wrote to memory of 1656 1560 rlrrlfl.exe 44 PID 1560 wrote to memory of 1656 1560 rlrrlfl.exe 44 PID 1560 wrote to memory of 1656 1560 rlrrlfl.exe 44 PID 1560 wrote to memory of 1656 1560 rlrrlfl.exe 44 PID 1656 wrote to memory of 1352 1656 dvdjp.exe 45 PID 1656 wrote to memory of 1352 1656 dvdjp.exe 45 PID 1656 wrote to memory of 1352 1656 dvdjp.exe 45 PID 1656 wrote to memory of 1352 1656 dvdjp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe"C:\Users\Admin\AppData\Local\Temp\329b4a1b5deeba756dd936f44e8d78ba91e218afc73f74653283ec025949a027N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\ttttht.exec:\ttttht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\dvjpd.exec:\dvjpd.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\vjdjv.exec:\vjdjv.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\hntnht.exec:\hntnht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\lfxrrff.exec:\lfxrrff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\bnthnb.exec:\bnthnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\pjvpv.exec:\pjvpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\xrlxrxr.exec:\xrlxrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\vpjpd.exec:\vpjpd.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\nnhhhb.exec:\nnhhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\jjvdp.exec:\jjvdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\3dvdj.exec:\3dvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\ddvvj.exec:\ddvvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\rlrrlfl.exec:\rlrrlfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\dvdjp.exec:\dvdjp.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\9rfrflr.exec:\9rfrflr.exe17⤵
- Executes dropped EXE
PID:1352 -
\??\c:\thtnnn.exec:\thtnnn.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
\??\c:\ffflxfl.exec:\ffflxfl.exe19⤵
- Executes dropped EXE
PID:2240 -
\??\c:\pjvvp.exec:\pjvvp.exe20⤵
- Executes dropped EXE
PID:2216 -
\??\c:\bthtbh.exec:\bthtbh.exe21⤵
- Executes dropped EXE
PID:1620 -
\??\c:\jdpdv.exec:\jdpdv.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:696 -
\??\c:\nhhbhn.exec:\nhhbhn.exe23⤵
- Executes dropped EXE
PID:3052 -
\??\c:\frxxxxl.exec:\frxxxxl.exe24⤵
- Executes dropped EXE
PID:968 -
\??\c:\tntntt.exec:\tntntt.exe25⤵
- Executes dropped EXE
PID:2664 -
\??\c:\llffflf.exec:\llffflf.exe26⤵
- Executes dropped EXE
PID:1468 -
\??\c:\bbtbhn.exec:\bbtbhn.exe27⤵
- Executes dropped EXE
PID:904 -
\??\c:\nhbhhh.exec:\nhbhhh.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2256 -
\??\c:\vjppv.exec:\vjppv.exe29⤵
- Executes dropped EXE
PID:2488 -
\??\c:\pvppp.exec:\pvppp.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\ddvvd.exec:\ddvvd.exe31⤵
- Executes dropped EXE
PID:112 -
\??\c:\bnnnnn.exec:\bnnnnn.exe32⤵
- Executes dropped EXE
PID:2900 -
\??\c:\ddpjj.exec:\ddpjj.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
\??\c:\nhntnb.exec:\nhntnb.exe34⤵
- Executes dropped EXE
PID:2948 -
\??\c:\hbtbhh.exec:\hbtbhh.exe35⤵
- Executes dropped EXE
PID:2992 -
\??\c:\xfxxllx.exec:\xfxxllx.exe36⤵
- Executes dropped EXE
PID:2352 -
\??\c:\xxrflff.exec:\xxrflff.exe37⤵
- Executes dropped EXE
PID:2716 -
\??\c:\pdjpp.exec:\pdjpp.exe38⤵
- Executes dropped EXE
PID:2856 -
\??\c:\tbnnht.exec:\tbnnht.exe39⤵
- Executes dropped EXE
PID:2720 -
\??\c:\3jddj.exec:\3jddj.exe40⤵
- Executes dropped EXE
PID:2860 -
\??\c:\rxflllx.exec:\rxflllx.exe41⤵
- Executes dropped EXE
PID:2612 -
\??\c:\pjvdj.exec:\pjvdj.exe42⤵
- Executes dropped EXE
PID:2832 -
\??\c:\ttnbnt.exec:\ttnbnt.exe43⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vdpjj.exec:\vdpjj.exe44⤵
- Executes dropped EXE
PID:1764 -
\??\c:\xfxlflx.exec:\xfxlflx.exe45⤵
- Executes dropped EXE
PID:1712 -
\??\c:\bhbthb.exec:\bhbthb.exe46⤵
- Executes dropped EXE
PID:1152 -
\??\c:\xlxllfl.exec:\xlxllfl.exe47⤵
- Executes dropped EXE
PID:1636 -
\??\c:\pdvdp.exec:\pdvdp.exe48⤵
- Executes dropped EXE
PID:1716 -
\??\c:\nntttt.exec:\nntttt.exe49⤵
- Executes dropped EXE
PID:2396 -
\??\c:\lffrlrr.exec:\lffrlrr.exe50⤵
- Executes dropped EXE
PID:2416 -
\??\c:\bbtbnn.exec:\bbtbnn.exe51⤵
- Executes dropped EXE
PID:1544 -
\??\c:\hnhhnt.exec:\hnhhnt.exe52⤵
- Executes dropped EXE
PID:1916 -
\??\c:\vpjpv.exec:\vpjpv.exe53⤵
- Executes dropped EXE
PID:1580 -
\??\c:\rfrxxlf.exec:\rfrxxlf.exe54⤵
- Executes dropped EXE
PID:2460 -
\??\c:\hnnthh.exec:\hnnthh.exe55⤵
- Executes dropped EXE
PID:2152 -
\??\c:\rllflrx.exec:\rllflrx.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:812 -
\??\c:\bnbbnt.exec:\bnbbnt.exe57⤵
- Executes dropped EXE
PID:632 -
\??\c:\dpjjp.exec:\dpjjp.exe58⤵
- Executes dropped EXE
PID:1828 -
\??\c:\bbbntb.exec:\bbbntb.exe59⤵
- Executes dropped EXE
PID:2444 -
\??\c:\jvpdj.exec:\jvpdj.exe60⤵
- Executes dropped EXE
PID:448 -
\??\c:\httntb.exec:\httntb.exe61⤵
- Executes dropped EXE
PID:696 -
\??\c:\rlxfxfr.exec:\rlxfxfr.exe62⤵
- Executes dropped EXE
PID:1204 -
\??\c:\hnhnhn.exec:\hnhnhn.exe63⤵
- Executes dropped EXE
PID:2636 -
\??\c:\djjpv.exec:\djjpv.exe64⤵
- Executes dropped EXE
PID:2212 -
\??\c:\rrfrrxf.exec:\rrfrrxf.exe65⤵
- Executes dropped EXE
PID:1224 -
\??\c:\jddvd.exec:\jddvd.exe66⤵PID:1596
-
\??\c:\nntbnn.exec:\nntbnn.exe67⤵PID:736
-
\??\c:\7pjpd.exec:\7pjpd.exe68⤵PID:1400
-
\??\c:\hbtthh.exec:\hbtthh.exe69⤵PID:2336
-
\??\c:\vdjpv.exec:\vdjpv.exe70⤵PID:3064
-
\??\c:\hbhtht.exec:\hbhtht.exe71⤵PID:344
-
\??\c:\xfffrrf.exec:\xfffrrf.exe72⤵PID:1412
-
\??\c:\tbhtnt.exec:\tbhtnt.exe73⤵PID:2284
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe74⤵PID:2264
-
\??\c:\jvdjd.exec:\jvdjd.exe75⤵PID:1628
-
\??\c:\nnbhbh.exec:\nnbhbh.exe76⤵PID:2996
-
\??\c:\frxfllx.exec:\frxfllx.exe77⤵PID:2884
-
\??\c:\tbbnbb.exec:\tbbnbb.exe78⤵PID:2756
-
\??\c:\xrlfxff.exec:\xrlfxff.exe79⤵
- System Location Discovery: System Language Discovery
PID:1488 -
\??\c:\pjvdv.exec:\pjvdv.exe80⤵
- System Location Discovery: System Language Discovery
PID:2868 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe81⤵PID:2276
-
\??\c:\vppvp.exec:\vppvp.exe82⤵PID:2708
-
\??\c:\bbntnn.exec:\bbntnn.exe83⤵PID:2584
-
\??\c:\frxflfr.exec:\frxflfr.exe84⤵PID:2988
-
\??\c:\tnhnbb.exec:\tnhnbb.exe85⤵PID:2768
-
\??\c:\rxlllll.exec:\rxlllll.exe86⤵PID:2628
-
\??\c:\jdvvd.exec:\jdvvd.exe87⤵PID:2292
-
\??\c:\9lflrff.exec:\9lflrff.exe88⤵PID:2980
-
\??\c:\rxllxfx.exec:\rxllxfx.exe89⤵
- System Location Discovery: System Language Discovery
PID:1836 -
\??\c:\pdvvj.exec:\pdvvj.exe90⤵PID:1824
-
\??\c:\tnbbbb.exec:\tnbbbb.exe91⤵PID:2400
-
\??\c:\dvpvd.exec:\dvpvd.exe92⤵PID:1648
-
\??\c:\thtbhn.exec:\thtbhn.exe93⤵PID:2020
-
\??\c:\fflfflr.exec:\fflfflr.exe94⤵PID:2416
-
\??\c:\dddjd.exec:\dddjd.exe95⤵PID:1544
-
\??\c:\hbthtt.exec:\hbthtt.exe96⤵PID:2504
-
\??\c:\jdpdp.exec:\jdpdp.exe97⤵
- System Location Discovery: System Language Discovery
PID:1192 -
\??\c:\hnnnhh.exec:\hnnnhh.exe98⤵PID:2224
-
\??\c:\9rfffll.exec:\9rfffll.exe99⤵PID:2616
-
\??\c:\jdjjj.exec:\jdjjj.exe100⤵PID:964
-
\??\c:\lllxfll.exec:\lllxfll.exe101⤵PID:1696
-
\??\c:\tntbhh.exec:\tntbhh.exe102⤵PID:1260
-
\??\c:\vjvdj.exec:\vjvdj.exe103⤵PID:280
-
\??\c:\rrrflrl.exec:\rrrflrl.exe104⤵PID:3024
-
\??\c:\vjvdv.exec:\vjvdv.exe105⤵
- System Location Discovery: System Language Discovery
PID:1524 -
\??\c:\frflfrx.exec:\frflfrx.exe106⤵PID:1280
-
\??\c:\hhhnbb.exec:\hhhnbb.exe107⤵PID:2664
-
\??\c:\vdvpj.exec:\vdvpj.exe108⤵PID:1896
-
\??\c:\nthbtn.exec:\nthbtn.exe109⤵PID:680
-
\??\c:\jpdpd.exec:\jpdpd.exe110⤵PID:936
-
\??\c:\ffrrlrr.exec:\ffrrlrr.exe111⤵PID:2408
-
\??\c:\tbhnhn.exec:\tbhnhn.exe112⤵PID:2376
-
\??\c:\fxxrrrf.exec:\fxxrrrf.exe113⤵
- System Location Discovery: System Language Discovery
PID:316 -
\??\c:\pdjvv.exec:\pdjvv.exe114⤵PID:2280
-
\??\c:\lxrlxfr.exec:\lxrlxfr.exe115⤵PID:1780
-
\??\c:\vjjdv.exec:\vjjdv.exe116⤵PID:1432
-
\??\c:\dvdvv.exec:\dvdvv.exe117⤵PID:2940
-
\??\c:\httnnn.exec:\httnnn.exe118⤵PID:2264
-
\??\c:\pjddp.exec:\pjddp.exe119⤵PID:1628
-
\??\c:\bthhbh.exec:\bthhbh.exe120⤵
- System Location Discovery: System Language Discovery
PID:3032 -
\??\c:\ddvvj.exec:\ddvvj.exe121⤵PID:3028
-
\??\c:\bnthnn.exec:\bnthnn.exe122⤵PID:3060