Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
25/11/2024, 23:59
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe
-
Size
452KB
-
MD5
55aafb79b029db8c12cd5d5663eae23e
-
SHA1
b2b7064d25177f4aad984dcf457916d233171548
-
SHA256
7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb
-
SHA512
a7250f7106df55a40a4c43d33c420f29f9d47215d0068d2a2aa1363341747f80bc8d8fc2b679f05d1dbd9ccae071dce9a79cad28bcd74e054e635c9bc3d1a526
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/1292-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/656-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/292-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/552-654-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1660-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-636-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2340-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-404-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/304-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-313-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2320-272-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2576-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-191-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1444-182-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2776-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-112-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2176-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-863-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2820-870-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2660-908-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/3036-941-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2532-980-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2828-988-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1544-1009-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-1016-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3008 nthntb.exe 2400 nnhbhn.exe 1864 bbtnbh.exe 2304 xrxlrrr.exe 2820 bnttbb.exe 2752 pdvdd.exe 2796 jppvp.exe 2620 fflxrff.exe 2868 7nbnth.exe 2660 7pjvj.exe 2176 5lxlrlr.exe 656 nnhhbh.exe 292 jjjvd.exe 1296 bbntbh.exe 2776 1vvpd.exe 784 lllfxfr.exe 1752 hhbnht.exe 1444 5dpvd.exe 2228 rrflrrf.exe 1664 hbnttt.exe 1280 5tnbtb.exe 792 1dpvv.exe 1056 lllflxr.exe 2992 nhnbtn.exe 1620 dvjpp.exe 2572 1rllrrx.exe 2576 vjvdd.exe 2320 3ddjv.exe 1508 tbnhtb.exe 2328 pppdj.exe 2300 9vjjp.exe 1708 llxlrrf.exe 1920 1bnntb.exe 2932 5rlllrx.exe 2192 rrfrlxf.exe 2864 nhhhth.exe 2820 vjjvj.exe 2748 1fxlfxl.exe 2900 tbttnn.exe 2708 dpjpv.exe 2608 xrffrrl.exe 2084 frxfllx.exe 2660 hnbtth.exe 552 jpdvd.exe 304 lxfxxxf.exe 2928 3xllxrr.exe 908 bbbbhn.exe 2768 dvjpv.exe 536 9vddj.exe 2340 rrlrxxf.exe 1592 llrxrlr.exe 2024 tbthhh.exe 1088 vpdjp.exe 2404 ppdjv.exe 1400 9lfxlfr.exe 2108 nbtnnh.exe 2476 nhbbhn.exe 1984 dvjjj.exe 308 dpddj.exe 1056 fxlrlll.exe 2992 hnthtn.exe 1616 nhbbbh.exe 2032 vpjjv.exe 2204 5rfllll.exe -
resource yara_rule behavioral1/memory/1292-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-605-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2340-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-870-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2332-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-995-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1544-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-1017-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the HKLM\SYSTEM\ControlSet001\Control\NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1292 wrote to memory of 3008 1292 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 30 PID 1292 wrote to memory of 3008 1292 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 30 PID 1292 wrote to memory of 3008 1292 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 30 PID 1292 wrote to memory of 3008 1292 7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe 30 PID 3008 wrote to memory of 2400 3008 nthntb.exe 31 PID 3008 wrote to memory of 2400 3008 nthntb.exe 31 PID 3008 wrote to memory of 2400 3008 nthntb.exe 31 PID 3008 wrote to memory of 2400 3008 nthntb.exe 31 PID 2400 wrote to memory of 1864 2400 nnhbhn.exe 32 PID 2400 wrote to memory of 1864 2400 nnhbhn.exe 32 PID 2400 wrote to memory of 1864 2400 nnhbhn.exe 32 PID 2400 wrote to memory of 1864 2400 nnhbhn.exe 32 PID 1864 wrote to memory of 2304 1864 bbtnbh.exe 33 PID 1864 wrote to memory of 2304 1864 bbtnbh.exe 33 PID 1864 wrote to memory of 2304 1864 bbtnbh.exe 33 PID 1864 wrote to memory of 2304 1864 bbtnbh.exe 33 PID 2304 wrote to memory of 2820 2304 xrxlrrr.exe 66 PID 2304 wrote to memory of 2820 2304 xrxlrrr.exe 66 PID 2304 wrote to memory of 2820 2304 xrxlrrr.exe 66 PID 2304 wrote to memory of 2820 2304 xrxlrrr.exe 66 PID 2820 wrote to memory of 2752 2820 bnttbb.exe 35 PID 2820 wrote to memory of 2752 2820 bnttbb.exe 35 PID 2820 wrote to memory of 2752 2820 bnttbb.exe 35 PID 2820 wrote to memory of 2752 2820 bnttbb.exe 35 PID 2752 wrote to memory of 2796 2752 pdvdd.exe 36 PID 2752 wrote to memory of 2796 2752 pdvdd.exe 36 PID 2752 wrote to memory of 2796 2752 pdvdd.exe 36 PID 2752 wrote to memory of 2796 2752 pdvdd.exe 36 PID 2796 wrote to memory of 2620 2796 jppvp.exe 37 PID 2796 wrote to memory of 2620 2796 jppvp.exe 37 PID 2796 wrote to memory of 2620 2796 jppvp.exe 37 PID 2796 wrote to memory of 2620 2796 jppvp.exe 37 PID 2620 wrote to memory of 2868 2620 fflxrff.exe 38 PID 2620 wrote 
to memory of 2868 2620 fflxrff.exe 38 PID 2620 wrote to memory of 2868 2620 fflxrff.exe 38 PID 2620 wrote to memory of 2868 2620 fflxrff.exe 38 PID 2868 wrote to memory of 2660 2868 7nbnth.exe 39 PID 2868 wrote to memory of 2660 2868 7nbnth.exe 39 PID 2868 wrote to memory of 2660 2868 7nbnth.exe 39 PID 2868 wrote to memory of 2660 2868 7nbnth.exe 39 PID 2660 wrote to memory of 2176 2660 7pjvj.exe 40 PID 2660 wrote to memory of 2176 2660 7pjvj.exe 40 PID 2660 wrote to memory of 2176 2660 7pjvj.exe 40 PID 2660 wrote to memory of 2176 2660 7pjvj.exe 40 PID 2176 wrote to memory of 656 2176 5lxlrlr.exe 41 PID 2176 wrote to memory of 656 2176 5lxlrlr.exe 41 PID 2176 wrote to memory of 656 2176 5lxlrlr.exe 41 PID 2176 wrote to memory of 656 2176 5lxlrlr.exe 41 PID 656 wrote to memory of 292 656 nnhhbh.exe 42 PID 656 wrote to memory of 292 656 nnhhbh.exe 42 PID 656 wrote to memory of 292 656 nnhhbh.exe 42 PID 656 wrote to memory of 292 656 nnhhbh.exe 42 PID 292 wrote to memory of 1296 292 jjjvd.exe 43 PID 292 wrote to memory of 1296 292 jjjvd.exe 43 PID 292 wrote to memory of 1296 292 jjjvd.exe 43 PID 292 wrote to memory of 1296 292 jjjvd.exe 43 PID 1296 wrote to memory of 2776 1296 bbntbh.exe 44 PID 1296 wrote to memory of 2776 1296 bbntbh.exe 44 PID 1296 wrote to memory of 2776 1296 bbntbh.exe 44 PID 1296 wrote to memory of 2776 1296 bbntbh.exe 44 PID 2776 wrote to memory of 784 2776 1vvpd.exe 45 PID 2776 wrote to memory of 784 2776 1vvpd.exe 45 PID 2776 wrote to memory of 784 2776 1vvpd.exe 45 PID 2776 wrote to memory of 784 2776 1vvpd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe"C:\Users\Admin\AppData\Local\Temp\7cedb0c54e38f53a37f98a1afc152880a2ae8e90de3da7b3da3f403f50d947cb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\nthntb.exec:\nthntb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\nnhbhn.exec:\nnhbhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\bbtnbh.exec:\bbtnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\xrxlrrr.exec:\xrxlrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\bnttbb.exec:\bnttbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\pdvdd.exec:\pdvdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\jppvp.exec:\jppvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\fflxrff.exec:\fflxrff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\7nbnth.exec:\7nbnth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\7pjvj.exec:\7pjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\5lxlrlr.exec:\5lxlrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\nnhhbh.exec:\nnhhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
\??\c:\jjjvd.exec:\jjjvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:292 -
\??\c:\bbntbh.exec:\bbntbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\1vvpd.exec:\1vvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\lllfxfr.exec:\lllfxfr.exe17⤵
- Executes dropped EXE
PID:784 -
\??\c:\hhbnht.exec:\hhbnht.exe18⤵
- Executes dropped EXE
PID:1752 -
\??\c:\5dpvd.exec:\5dpvd.exe19⤵
- Executes dropped EXE
PID:1444 -
\??\c:\rrflrrf.exec:\rrflrrf.exe20⤵
- Executes dropped EXE
PID:2228 -
\??\c:\hbnttt.exec:\hbnttt.exe21⤵
- Executes dropped EXE
PID:1664 -
\??\c:\5tnbtb.exec:\5tnbtb.exe22⤵
- Executes dropped EXE
PID:1280 -
\??\c:\1dpvv.exec:\1dpvv.exe23⤵
- Executes dropped EXE
PID:792 -
\??\c:\lllflxr.exec:\lllflxr.exe24⤵
- Executes dropped EXE
PID:1056 -
\??\c:\nhnbtn.exec:\nhnbtn.exe25⤵
- Executes dropped EXE
PID:2992 -
\??\c:\dvjpp.exec:\dvjpp.exe26⤵
- Executes dropped EXE
PID:1620 -
\??\c:\1rllrrx.exec:\1rllrrx.exe27⤵
- Executes dropped EXE
PID:2572 -
\??\c:\vjvdd.exec:\vjvdd.exe28⤵
- Executes dropped EXE
PID:2576 -
\??\c:\3ddjv.exec:\3ddjv.exe29⤵
- Executes dropped EXE
PID:2320 -
\??\c:\tbnhtb.exec:\tbnhtb.exe30⤵
- Executes dropped EXE
PID:1508 -
\??\c:\pppdj.exec:\pppdj.exe31⤵
- Executes dropped EXE
PID:2328 -
\??\c:\9vjjp.exec:\9vjjp.exe32⤵
- Executes dropped EXE
PID:2300 -
\??\c:\llxlrrf.exec:\llxlrrf.exe33⤵
- Executes dropped EXE
PID:1708 -
\??\c:\1bnntb.exec:\1bnntb.exe34⤵
- Executes dropped EXE
PID:1920 -
\??\c:\5rlllrx.exec:\5rlllrx.exe35⤵
- Executes dropped EXE
PID:2932 -
\??\c:\rrfrlxf.exec:\rrfrlxf.exe36⤵
- Executes dropped EXE
PID:2192 -
\??\c:\nhhhth.exec:\nhhhth.exe37⤵
- Executes dropped EXE
PID:2864 -
\??\c:\vjjvj.exec:\vjjvj.exe38⤵
- Executes dropped EXE
PID:2820 -
\??\c:\1fxlfxl.exec:\1fxlfxl.exe39⤵
- Executes dropped EXE
PID:2748 -
\??\c:\tbttnn.exec:\tbttnn.exe40⤵
- Executes dropped EXE
PID:2900 -
\??\c:\dpjpv.exec:\dpjpv.exe41⤵
- Executes dropped EXE
PID:2708 -
\??\c:\xrffrrl.exec:\xrffrrl.exe42⤵
- Executes dropped EXE
PID:2608 -
\??\c:\frxfllx.exec:\frxfllx.exe43⤵
- Executes dropped EXE
PID:2084 -
\??\c:\hnbtth.exec:\hnbtth.exe44⤵
- Executes dropped EXE
PID:2660 -
\??\c:\jpdvd.exec:\jpdvd.exe45⤵
- Executes dropped EXE
PID:552 -
\??\c:\lxfxxxf.exec:\lxfxxxf.exe46⤵
- Executes dropped EXE
PID:304 -
\??\c:\3xllxrr.exec:\3xllxrr.exe47⤵
- Executes dropped EXE
PID:2928 -
\??\c:\bbbbhn.exec:\bbbbhn.exe48⤵
- Executes dropped EXE
PID:908 -
\??\c:\dvjpv.exec:\dvjpv.exe49⤵
- Executes dropped EXE
PID:2768 -
\??\c:\9vddj.exec:\9vddj.exe50⤵
- Executes dropped EXE
PID:536 -
\??\c:\rrlrxxf.exec:\rrlrxxf.exe51⤵
- Executes dropped EXE
PID:2340 -
\??\c:\llrxrlr.exec:\llrxrlr.exe52⤵
- Executes dropped EXE
PID:1592 -
\??\c:\tbthhh.exec:\tbthhh.exe53⤵
- Executes dropped EXE
PID:2024 -
\??\c:\vpdjp.exec:\vpdjp.exe54⤵
- Executes dropped EXE
PID:1088 -
\??\c:\ppdjv.exec:\ppdjv.exe55⤵
- Executes dropped EXE
PID:2404 -
\??\c:\9lfxlfr.exec:\9lfxlfr.exe56⤵
- Executes dropped EXE
PID:1400 -
\??\c:\nbtnnh.exec:\nbtnnh.exe57⤵
- Executes dropped EXE
PID:2108 -
\??\c:\nhbbhn.exec:\nhbbhn.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
\??\c:\dvjjj.exec:\dvjjj.exe59⤵
- Executes dropped EXE
PID:1984 -
\??\c:\dpddj.exec:\dpddj.exe60⤵
- Executes dropped EXE
PID:308 -
\??\c:\fxlrlll.exec:\fxlrlll.exe61⤵
- Executes dropped EXE
PID:1056 -
\??\c:\hnthtn.exec:\hnthtn.exe62⤵
- Executes dropped EXE
PID:2992 -
\??\c:\nhbbbh.exec:\nhbbbh.exe63⤵
- Executes dropped EXE
PID:1616 -
\??\c:\vpjjv.exec:\vpjjv.exe64⤵
- Executes dropped EXE
PID:2032 -
\??\c:\5rfllll.exec:\5rfllll.exe65⤵
- Executes dropped EXE
PID:2204 -
\??\c:\fflxrlr.exec:\fflxrlr.exe66⤵PID:1588
-
\??\c:\3nthbh.exec:\3nthbh.exe67⤵PID:1940
-
\??\c:\hbbtbb.exec:\hbbtbb.exe68⤵PID:1512
-
\??\c:\5djpp.exec:\5djpp.exe69⤵PID:2368
-
\??\c:\jdddd.exec:\jdddd.exe70⤵PID:2076
-
\??\c:\7lrxrlf.exec:\7lrxrlf.exe71⤵PID:2384
-
\??\c:\9tnhnn.exec:\9tnhnn.exe72⤵PID:2508
-
\??\c:\bnhbbh.exec:\bnhbbh.exe73⤵PID:1920
-
\??\c:\ddppv.exec:\ddppv.exe74⤵PID:2932
-
\??\c:\jvjpd.exec:\jvjpd.exe75⤵PID:2844
-
\??\c:\xrffrrr.exec:\xrffrrr.exe76⤵PID:2284
-
\??\c:\hhbhnn.exec:\hhbhnn.exe77⤵PID:2852
-
\??\c:\nbhnnh.exec:\nbhnnh.exe78⤵PID:2820
-
\??\c:\pjvdj.exec:\pjvdj.exe79⤵PID:2440
-
\??\c:\vdpvp.exec:\vdpvp.exe80⤵PID:1944
-
\??\c:\flxfrrf.exec:\flxfrrf.exe81⤵PID:2596
-
\??\c:\btntbh.exec:\btntbh.exe82⤵PID:2668
-
\??\c:\thhtht.exec:\thhtht.exe83⤵PID:2604
-
\??\c:\dvjvp.exec:\dvjvp.exe84⤵PID:3056
-
\??\c:\ppppv.exec:\ppppv.exe85⤵PID:2784
-
\??\c:\xrlrflr.exec:\xrlrflr.exe86⤵PID:1488
-
\??\c:\bhhnnh.exec:\bhhnnh.exe87⤵PID:552
-
\??\c:\hnntnt.exec:\hnntnt.exe88⤵PID:2872
-
\??\c:\jvjjv.exec:\jvjjv.exe89⤵PID:2928
-
\??\c:\rrxxffr.exec:\rrxxffr.exe90⤵PID:1648
-
\??\c:\rrfrffl.exec:\rrfrffl.exe91⤵PID:2788
-
\??\c:\1bhhtb.exec:\1bhhtb.exe92⤵PID:468
-
\??\c:\1pppd.exec:\1pppd.exe93⤵PID:2656
-
\??\c:\vvvvd.exec:\vvvvd.exe94⤵PID:2664
-
\??\c:\rrlffll.exec:\rrlffll.exe95⤵PID:2532
-
\??\c:\ntthth.exec:\ntthth.exe96⤵PID:2552
-
\??\c:\nhtbtn.exec:\nhtbtn.exe97⤵PID:2228
-
\??\c:\vpdjp.exec:\vpdjp.exe98⤵PID:560
-
\??\c:\jddpp.exec:\jddpp.exe99⤵PID:1400
-
\??\c:\xrrxffr.exec:\xrrxffr.exe100⤵PID:1788
-
\??\c:\hthnhh.exec:\hthnhh.exe101⤵PID:2208
-
\??\c:\btnnnt.exec:\btnnnt.exe102⤵PID:1984
-
\??\c:\ddppj.exec:\ddppj.exe103⤵PID:308
-
\??\c:\vvpvj.exec:\vvpvj.exe104⤵PID:2696
-
\??\c:\rlfxfxx.exec:\rlfxfxx.exe105⤵PID:2512
-
\??\c:\rxlrffl.exec:\rxlrffl.exe106⤵PID:572
-
\??\c:\tbnhbh.exec:\tbnhbh.exe107⤵PID:2364
-
\??\c:\1vpvj.exec:\1vpvj.exe108⤵PID:1896
-
\??\c:\vpjpv.exec:\vpjpv.exe109⤵PID:1660
-
\??\c:\fxffllr.exec:\fxffllr.exe110⤵PID:1632
-
\??\c:\9hnttn.exec:\9hnttn.exe111⤵PID:2516
-
\??\c:\vvdvv.exec:\vvdvv.exe112⤵PID:2692
-
\??\c:\rllrrrx.exec:\rllrrrx.exe113⤵PID:2248
-
\??\c:\bthnnn.exec:\bthnnn.exe114⤵PID:2316
-
\??\c:\djppv.exec:\djppv.exe115⤵PID:1384
-
\??\c:\rrlrxxx.exec:\rrlrxxx.exe116⤵PID:2792
-
\??\c:\vjvvv.exec:\vjvvv.exe117⤵PID:2192
-
\??\c:\9xrlxxx.exec:\9xrlxxx.exe118⤵PID:2808
-
\??\c:\jjvdd.exec:\jjvdd.exe119⤵PID:2284
-
\??\c:\5lxxffl.exec:\5lxxffl.exe120⤵PID:2852
-
\??\c:\tnthht.exec:\tnthht.exe121⤵PID:2820
-
\??\c:\5ppjd.exec:\5ppjd.exe122⤵PID:2956