Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 21:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe
-
Size
453KB
-
MD5
69d35afa0f8e66aef8d7de5d121e1f01
-
SHA1
95e2f0d62cf580a004e4458935e3469c434804ca
-
SHA256
40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f
-
SHA512
bd7861a3164dd892c9fd23457e68ef7418582f6965587998e32019b3f315cc070b2a82def4d75fa2d69cdce119263089e368198de920f08e957d6d2894eeca2b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetn:q7Tc2NYHUrAwfMp3CDtn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2240-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1580-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-52-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2768-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-54-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2644-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-73-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2888-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1072-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-182-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1948-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1000-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-204-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1772-229-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1772-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/924-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-242-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1728-240-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/716-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/716-260-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/716-262-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2988-281-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/2240-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-428-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2440-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/588-525-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2820-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-840-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2640-935-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1776-1072-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/844-1104-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2396-1136-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2936-1143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-1282-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2088-1294-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2400 dvjjd.exe 2052 hhbhnt.exe 2284 pdvjp.exe 1580 tnhnhn.exe 2828 jjdjv.exe 2768 ntttbh.exe 2160 nhhhnn.exe 2644 vpjpd.exe 2888 bthnbh.exe 2684 9thbhh.exe 3032 7bhnnh.exe 1660 vpjdp.exe 536 hhbhtb.exe 2372 jpppj.exe 1600 fxfxxfl.exe 1280 5rrrrrx.exe 1036 llflxxl.exe 1072 nbnnnb.exe 2056 ddpdp.exe 1948 fxllrxf.exe 448 xrflrrf.exe 1000 rlxfllf.exe 2272 xlxlxlx.exe 1772 9hhnbn.exe 1728 ffxxffr.exe 924 vdddv.exe 716 5frxffx.exe 1952 ttbhbh.exe 2988 jpjvj.exe 2540 xxrffrl.exe 3048 pjvdj.exe 2240 vjjpj.exe 1624 7rxrxrr.exe 2400 bhhtnt.exe 2300 9pvpv.exe 784 frllrxf.exe 2284 tnnntn.exe 2852 7ppvv.exe 2772 9vpdj.exe 2744 fxxxflx.exe 2780 5rfrrxf.exe 2708 nnhnth.exe 2784 jjpjd.exe 2792 1xrflrr.exe 892 tbhtnn.exe 1284 nhbntt.exe 2120 5vvdp.exe 1820 fxrfflx.exe 1320 rrflxxl.exe 2016 thbntt.exe 1780 vvvjd.exe 604 ffxlrff.exe 600 xrflrxl.exe 1712 hhttbh.exe 1688 thbnbh.exe 2440 pjvdp.exe 2088 3fxxxfl.exe 1684 nhhnbh.exe 2232 5jdpj.exe 2796 rlffflr.exe 1136 rlrxlrf.exe 1000 nbthnt.exe 1640 dvvvj.exe 1376 xxrxlrf.exe -
resource yara_rule behavioral1/memory/2240-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-182-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1948-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-186-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/448-202-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1000-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-204-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1772-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/924-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/716-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-795-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2488-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-859-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-903-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1756-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-967-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-1035-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-1104-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/2936-1143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-1224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-1249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-1297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-1304-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2400 2240 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 30 PID 2240 wrote to memory of 2400 2240 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 30 PID 2240 wrote to memory of 2400 2240 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 30 PID 2240 wrote to memory of 2400 2240 40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe 30 PID 2400 wrote to memory of 2052 2400 dvjjd.exe 31 PID 2400 wrote to memory of 2052 2400 dvjjd.exe 31 PID 2400 wrote to memory of 2052 2400 dvjjd.exe 31 PID 2400 wrote to memory of 2052 2400 dvjjd.exe 31 PID 2052 wrote to memory of 2284 2052 hhbhnt.exe 32 PID 2052 wrote to memory of 2284 2052 hhbhnt.exe 32 PID 2052 wrote to memory of 2284 2052 hhbhnt.exe 32 PID 2052 wrote to memory of 2284 2052 hhbhnt.exe 32 PID 2284 wrote to memory of 1580 2284 pdvjp.exe 33 PID 2284 wrote to memory of 1580 2284 pdvjp.exe 33 PID 2284 wrote to memory of 1580 2284 pdvjp.exe 33 PID 2284 wrote to memory of 1580 2284 pdvjp.exe 33 PID 1580 wrote to memory of 2828 1580 tnhnhn.exe 34 PID 1580 wrote to memory of 2828 1580 tnhnhn.exe 34 PID 1580 wrote to memory of 2828 1580 tnhnhn.exe 34 PID 1580 wrote to memory of 2828 1580 tnhnhn.exe 34 PID 2828 wrote to memory of 2768 2828 jjdjv.exe 35 PID 2828 wrote to memory of 2768 2828 jjdjv.exe 35 PID 2828 wrote to memory of 2768 2828 jjdjv.exe 35 PID 2828 wrote to memory of 2768 2828 jjdjv.exe 35 PID 2768 wrote to memory of 2160 2768 ntttbh.exe 36 PID 2768 wrote to memory of 2160 2768 ntttbh.exe 36 PID 2768 wrote to memory of 2160 2768 ntttbh.exe 36 PID 2768 wrote to memory of 2160 2768 ntttbh.exe 36 PID 2160 wrote to memory of 2644 2160 nhhhnn.exe 37 PID 2160 wrote to memory of 2644 2160 nhhhnn.exe 37 PID 2160 wrote to memory of 2644 2160 nhhhnn.exe 37 PID 2160 wrote to memory of 2644 2160 nhhhnn.exe 37 PID 2644 wrote to memory of 2888 2644 vpjpd.exe 38 PID 2644 wrote to memory 
of 2888 2644 vpjpd.exe 38 PID 2644 wrote to memory of 2888 2644 vpjpd.exe 38 PID 2644 wrote to memory of 2888 2644 vpjpd.exe 38 PID 2888 wrote to memory of 2684 2888 bthnbh.exe 39 PID 2888 wrote to memory of 2684 2888 bthnbh.exe 39 PID 2888 wrote to memory of 2684 2888 bthnbh.exe 39 PID 2888 wrote to memory of 2684 2888 bthnbh.exe 39 PID 2684 wrote to memory of 3032 2684 9thbhh.exe 40 PID 2684 wrote to memory of 3032 2684 9thbhh.exe 40 PID 2684 wrote to memory of 3032 2684 9thbhh.exe 40 PID 2684 wrote to memory of 3032 2684 9thbhh.exe 40 PID 3032 wrote to memory of 1660 3032 7bhnnh.exe 41 PID 3032 wrote to memory of 1660 3032 7bhnnh.exe 41 PID 3032 wrote to memory of 1660 3032 7bhnnh.exe 41 PID 3032 wrote to memory of 1660 3032 7bhnnh.exe 41 PID 1660 wrote to memory of 536 1660 vpjdp.exe 42 PID 1660 wrote to memory of 536 1660 vpjdp.exe 42 PID 1660 wrote to memory of 536 1660 vpjdp.exe 42 PID 1660 wrote to memory of 536 1660 vpjdp.exe 42 PID 536 wrote to memory of 2372 536 hhbhtb.exe 43 PID 536 wrote to memory of 2372 536 hhbhtb.exe 43 PID 536 wrote to memory of 2372 536 hhbhtb.exe 43 PID 536 wrote to memory of 2372 536 hhbhtb.exe 43 PID 2372 wrote to memory of 1600 2372 jpppj.exe 44 PID 2372 wrote to memory of 1600 2372 jpppj.exe 44 PID 2372 wrote to memory of 1600 2372 jpppj.exe 44 PID 2372 wrote to memory of 1600 2372 jpppj.exe 44 PID 1600 wrote to memory of 1280 1600 fxfxxfl.exe 45 PID 1600 wrote to memory of 1280 1600 fxfxxfl.exe 45 PID 1600 wrote to memory of 1280 1600 fxfxxfl.exe 45 PID 1600 wrote to memory of 1280 1600 fxfxxfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe"C:\Users\Admin\AppData\Local\Temp\40f87ef613ada78db62dec1bd7326161a7a8b943c7f7e4b0adc1b02cc79bdf2f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\dvjjd.exec:\dvjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\hhbhnt.exec:\hhbhnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\pdvjp.exec:\pdvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\tnhnhn.exec:\tnhnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\jjdjv.exec:\jjdjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\ntttbh.exec:\ntttbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\nhhhnn.exec:\nhhhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\vpjpd.exec:\vpjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\bthnbh.exec:\bthnbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\9thbhh.exec:\9thbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\7bhnnh.exec:\7bhnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\vpjdp.exec:\vpjdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\hhbhtb.exec:\hhbhtb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\jpppj.exec:\jpppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\fxfxxfl.exec:\fxfxxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\5rrrrrx.exec:\5rrrrrx.exe17⤵
- Executes dropped EXE
PID:1280 -
\??\c:\llflxxl.exec:\llflxxl.exe18⤵
- Executes dropped EXE
PID:1036 -
\??\c:\nbnnnb.exec:\nbnnnb.exe19⤵
- Executes dropped EXE
PID:1072 -
\??\c:\ddpdp.exec:\ddpdp.exe20⤵
- Executes dropped EXE
PID:2056 -
\??\c:\fxllrxf.exec:\fxllrxf.exe21⤵
- Executes dropped EXE
PID:1948 -
\??\c:\xrflrrf.exec:\xrflrrf.exe22⤵
- Executes dropped EXE
PID:448 -
\??\c:\rlxfllf.exec:\rlxfllf.exe23⤵
- Executes dropped EXE
PID:1000 -
\??\c:\xlxlxlx.exec:\xlxlxlx.exe24⤵
- Executes dropped EXE
PID:2272 -
\??\c:\9hhnbn.exec:\9hhnbn.exe25⤵
- Executes dropped EXE
PID:1772 -
\??\c:\ffxxffr.exec:\ffxxffr.exe26⤵
- Executes dropped EXE
PID:1728 -
\??\c:\vdddv.exec:\vdddv.exe27⤵
- Executes dropped EXE
PID:924 -
\??\c:\5frxffx.exec:\5frxffx.exe28⤵
- Executes dropped EXE
PID:716 -
\??\c:\ttbhbh.exec:\ttbhbh.exe29⤵
- Executes dropped EXE
PID:1952 -
\??\c:\jpjvj.exec:\jpjvj.exe30⤵
- Executes dropped EXE
PID:2988 -
\??\c:\xxrffrl.exec:\xxrffrl.exe31⤵
- Executes dropped EXE
PID:2540 -
\??\c:\pjvdj.exec:\pjvdj.exe32⤵
- Executes dropped EXE
PID:3048 -
\??\c:\vjjpj.exec:\vjjpj.exe33⤵
- Executes dropped EXE
PID:2240 -
\??\c:\7rxrxrr.exec:\7rxrxrr.exe34⤵
- Executes dropped EXE
PID:1624 -
\??\c:\bhhtnt.exec:\bhhtnt.exe35⤵
- Executes dropped EXE
PID:2400 -
\??\c:\9pvpv.exec:\9pvpv.exe36⤵
- Executes dropped EXE
PID:2300 -
\??\c:\frllrxf.exec:\frllrxf.exe37⤵
- Executes dropped EXE
PID:784 -
\??\c:\tnnntn.exec:\tnnntn.exe38⤵
- Executes dropped EXE
PID:2284 -
\??\c:\7ppvv.exec:\7ppvv.exe39⤵
- Executes dropped EXE
PID:2852 -
\??\c:\9vpdj.exec:\9vpdj.exe40⤵
- Executes dropped EXE
PID:2772 -
\??\c:\fxxxflx.exec:\fxxxflx.exe41⤵
- Executes dropped EXE
PID:2744 -
\??\c:\5rfrrxf.exec:\5rfrrxf.exe42⤵
- Executes dropped EXE
PID:2780 -
\??\c:\nnhnth.exec:\nnhnth.exe43⤵
- Executes dropped EXE
PID:2708 -
\??\c:\jjpjd.exec:\jjpjd.exe44⤵
- Executes dropped EXE
PID:2784 -
\??\c:\1xrflrr.exec:\1xrflrr.exe45⤵
- Executes dropped EXE
PID:2792 -
\??\c:\tbhtnn.exec:\tbhtnn.exe46⤵
- Executes dropped EXE
PID:892 -
\??\c:\nhbntt.exec:\nhbntt.exe47⤵
- Executes dropped EXE
PID:1284 -
\??\c:\5vvdp.exec:\5vvdp.exe48⤵
- Executes dropped EXE
PID:2120 -
\??\c:\fxrfflx.exec:\fxrfflx.exe49⤵
- Executes dropped EXE
PID:1820 -
\??\c:\rrflxxl.exec:\rrflxxl.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1320 -
\??\c:\thbntt.exec:\thbntt.exe51⤵
- Executes dropped EXE
PID:2016 -
\??\c:\vvvjd.exec:\vvvjd.exe52⤵
- Executes dropped EXE
PID:1780 -
\??\c:\ffxlrff.exec:\ffxlrff.exe53⤵
- Executes dropped EXE
PID:604 -
\??\c:\xrflrxl.exec:\xrflrxl.exe54⤵
- Executes dropped EXE
PID:600 -
\??\c:\hhttbh.exec:\hhttbh.exe55⤵
- Executes dropped EXE
PID:1712 -
\??\c:\thbnbh.exec:\thbnbh.exe56⤵
- Executes dropped EXE
PID:1688 -
\??\c:\pjvdp.exec:\pjvdp.exe57⤵
- Executes dropped EXE
PID:2440 -
\??\c:\3fxxxfl.exec:\3fxxxfl.exe58⤵
- Executes dropped EXE
PID:2088 -
\??\c:\nhhnbh.exec:\nhhnbh.exe59⤵
- Executes dropped EXE
PID:1684 -
\??\c:\5jdpj.exec:\5jdpj.exe60⤵
- Executes dropped EXE
PID:2232 -
\??\c:\rlffflr.exec:\rlffflr.exe61⤵
- Executes dropped EXE
PID:2796 -
\??\c:\rlrxlrf.exec:\rlrxlrf.exe62⤵
- Executes dropped EXE
PID:1136 -
\??\c:\nbthnt.exec:\nbthnt.exe63⤵
- Executes dropped EXE
PID:1000 -
\??\c:\dvvvj.exec:\dvvvj.exe64⤵
- Executes dropped EXE
PID:1640 -
\??\c:\xxrxlrf.exec:\xxrxlrf.exe65⤵
- Executes dropped EXE
PID:1376 -
\??\c:\rrlrxxr.exec:\rrlrxxr.exe66⤵PID:316
-
\??\c:\5htntt.exec:\5htntt.exe67⤵PID:588
-
\??\c:\1vdvd.exec:\1vdvd.exe68⤵PID:2912
-
\??\c:\rfxxllr.exec:\rfxxllr.exe69⤵PID:1168
-
\??\c:\5lrrrxl.exec:\5lrrrxl.exe70⤵PID:2100
-
\??\c:\htttbt.exec:\htttbt.exe71⤵PID:1188
-
\??\c:\5jpjj.exec:\5jpjj.exe72⤵PID:2472
-
\??\c:\jdvdp.exec:\jdvdp.exe73⤵PID:1636
-
\??\c:\xxflflx.exec:\xxflflx.exe74⤵PID:856
-
\??\c:\nbthht.exec:\nbthht.exe75⤵PID:1956
-
\??\c:\bntbtn.exec:\bntbtn.exe76⤵PID:2240
-
\??\c:\jjjdp.exec:\jjjdp.exe77⤵PID:1628
-
\??\c:\9lflrxl.exec:\9lflrxl.exe78⤵PID:2316
-
\??\c:\lfllrrx.exec:\lfllrrx.exe79⤵PID:2116
-
\??\c:\nhtbhn.exec:\nhtbhn.exe80⤵PID:2292
-
\??\c:\3pppp.exec:\3pppp.exe81⤵PID:2304
-
\??\c:\pppdd.exec:\pppdd.exe82⤵PID:2844
-
\??\c:\lxlfffr.exec:\lxlfffr.exe83⤵PID:2820
-
\??\c:\nnhttb.exec:\nnhttb.exe84⤵PID:2724
-
\??\c:\jjdjd.exec:\jjdjd.exe85⤵PID:2880
-
\??\c:\9pddj.exec:\9pddj.exe86⤵PID:2872
-
\??\c:\rfrrrlx.exec:\rfrrrlx.exe87⤵PID:2916
-
\??\c:\btnttb.exec:\btnttb.exe88⤵PID:2624
-
\??\c:\9bhhhn.exec:\9bhhhn.exe89⤵PID:2652
-
\??\c:\dvdvd.exec:\dvdvd.exe90⤵PID:3020
-
\??\c:\xlflllx.exec:\xlflllx.exe91⤵PID:3068
-
\??\c:\1xxffll.exec:\1xxffll.exe92⤵PID:688
-
\??\c:\9nntbb.exec:\9nntbb.exe93⤵PID:332
-
\??\c:\pjvdp.exec:\pjvdp.exe94⤵PID:2040
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe95⤵PID:860
-
\??\c:\llxfrfx.exec:\llxfrfx.exe96⤵PID:768
-
\??\c:\1htnhh.exec:\1htnhh.exe97⤵PID:444
-
\??\c:\jdpdv.exec:\jdpdv.exe98⤵PID:1004
-
\??\c:\dpddd.exec:\dpddd.exe99⤵PID:1012
-
\??\c:\frffffr.exec:\frffffr.exe100⤵PID:1972
-
\??\c:\tthnnh.exec:\tthnnh.exe101⤵PID:1068
-
\??\c:\bnntbh.exec:\bnntbh.exe102⤵PID:2140
-
\??\c:\ddvdj.exec:\ddvdj.exe103⤵PID:2264
-
\??\c:\xlfflrx.exec:\xlfflrx.exe104⤵PID:2224
-
\??\c:\xfxfrrl.exec:\xfxfrrl.exe105⤵PID:2968
-
\??\c:\thtttb.exec:\thtttb.exe106⤵PID:2720
-
\??\c:\dvddd.exec:\dvddd.exe107⤵PID:1092
-
\??\c:\7dppp.exec:\7dppp.exe108⤵PID:448
-
\??\c:\1ffllff.exec:\1ffllff.exe109⤵PID:2272
-
\??\c:\nhtbnn.exec:\nhtbnn.exe110⤵PID:1560
-
\??\c:\thbhbb.exec:\thbhbb.exe111⤵PID:1800
-
\??\c:\vvjpv.exec:\vvjpv.exe112⤵PID:2000
-
\??\c:\rrrxrff.exec:\rrrxrff.exe113⤵PID:2488
-
\??\c:\lxfrfrr.exec:\lxfrfrr.exe114⤵
- System Location Discovery: System Language Discovery
PID:2444 -
\??\c:\hhbntn.exec:\hhbntn.exe115⤵PID:2900
-
\??\c:\jvpjd.exec:\jvpjd.exe116⤵PID:1952
-
\??\c:\lfxlxlf.exec:\lfxlxlf.exe117⤵PID:1796
-
\??\c:\xlfrxfr.exec:\xlfrxfr.exe118⤵PID:2416
-
\??\c:\5hnntb.exec:\5hnntb.exe119⤵PID:1432
-
\??\c:\jpjpd.exec:\jpjpd.exe120⤵PID:1936
-
\??\c:\7btbnt.exec:\7btbnt.exe121⤵PID:2552
-
\??\c:\dpvjv.exec:\dpvjv.exe122⤵PID:2072