Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
24-12-2024 23:30
Static task
static1
Behavioral task
behavioral1
Sample
714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe
Resource
win7-20240903-en
General
-
Target
714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe
-
Size
337KB
-
MD5
a3192e9f1b5dd3cfd8cd7255e8b5850a
-
SHA1
07021ab656ef98a8d5d39346050c4b5084d6c217
-
SHA256
714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087
-
SHA512
54ea232b7d04840298af2c5a1543ece6355f905cfc7042d89aaabe7de05bd2f1e2a036dbdf381fbf3008188431f21c7bad8c907cb00be1bc5ed4156ed98cc4f6
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhk:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/1940-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-98-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1620-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/268-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/268-113-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/268-111-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1524-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1988-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1080-190-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2412-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-201-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2136-236-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2216-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-271-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1152-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-308-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2772-350-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2536-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-496-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1812-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-523-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2992-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-596-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2812-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-748-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2800-865-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1760-879-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2756-890-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2400-1004-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2680-1166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-1194-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1040-1219-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2284 jdpvp.exe 2840 llxfrxf.exe 3036 nnbhnb.exe 2788 1ttbnn.exe 2676 7dppp.exe 2832 3frxllr.exe 2808 pjdjp.exe 2816 nhtbhn.exe 2620 pppvp.exe 2248 ppddj.exe 268 1rflfxf.exe 1620 vpdpv.exe 1996 jjjpv.exe 640 bthntn.exe 1524 9tnhnn.exe 324 vvjdj.exe 1988 rlfflrr.exe 2412 thbhhb.exe 1080 dpdjv.exe 1520 9lllxfr.exe 448 7bntbb.exe 2520 jdvvp.exe 1340 vjvpv.exe 2136 dpjjp.exe 1708 rrxllff.exe 2216 ttnnbt.exe 2080 ppjpd.exe 2488 bthnnn.exe 784 pjppd.exe 1152 tbbhtb.exe 2128 9bnnnt.exe 2636 rlfrxfl.exe 1608 1xfllrx.exe 2796 5jjpd.exe 2704 5pdvv.exe 2752 frfflrx.exe 2644 llflllx.exe 2772 tntbbb.exe 2680 vvjpv.exe 2740 jdvjv.exe 2536 xxxfrrf.exe 2616 lllxflx.exe 2620 3ttttb.exe 1684 nhbhnn.exe 2008 vpdpv.exe 1008 xrffflx.exe 1040 nhbhnn.exe 1416 nhtbnn.exe 1204 3pdjv.exe 2280 jjvpv.exe 332 9flfxxf.exe 768 tnnttb.exe 2384 bthtbn.exe 2212 3jpjd.exe 1896 jjjpd.exe 2372 xxrxffr.exe 1632 9tttbb.exe 1668 tnnthh.exe 952 vjpvv.exe 2408 3frlrxf.exe 2420 3rxfrlx.exe 1812 7bbnht.exe 1740 nnhnnt.exe 2220 7jdjv.exe -
resource yara_rule behavioral1/memory/1940-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-74-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2808-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/448-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-271-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1152-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-308-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2772-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-899-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-1060-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1764-1091-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-1122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-1166-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2784-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-1227-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxfxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1940 wrote to memory of 2284 1940 714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe 31 PID 1940 wrote to memory of 2284 1940 714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe 31 PID 1940 wrote to memory of 2284 1940 714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe 31 PID 1940 wrote to memory of 2284 1940 714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe 31 PID 2284 wrote to memory of 2840 2284 jdpvp.exe 32 PID 2284 wrote to memory of 2840 2284 jdpvp.exe 32 PID 2284 wrote to memory of 2840 2284 jdpvp.exe 32 PID 2284 wrote to memory of 2840 2284 jdpvp.exe 32 PID 2840 wrote to memory of 3036 2840 llxfrxf.exe 33 PID 2840 wrote to memory of 3036 2840 llxfrxf.exe 33 PID 2840 wrote to memory of 3036 2840 llxfrxf.exe 33 PID 2840 wrote to memory of 3036 2840 llxfrxf.exe 33 PID 3036 wrote to memory of 2788 3036 nnbhnb.exe 34 PID 3036 wrote to memory of 2788 3036 nnbhnb.exe 34 PID 3036 wrote to memory of 2788 3036 nnbhnb.exe 34 PID 3036 wrote to memory of 2788 3036 nnbhnb.exe 34 PID 2788 wrote to memory of 2676 2788 1ttbnn.exe 35 PID 2788 wrote to memory of 2676 2788 1ttbnn.exe 35 PID 2788 wrote to memory of 2676 2788 1ttbnn.exe 35 PID 2788 wrote to memory of 2676 2788 1ttbnn.exe 35 PID 2676 wrote to memory of 2832 2676 7dppp.exe 36 PID 2676 wrote to memory of 2832 2676 7dppp.exe 36 PID 2676 wrote to memory of 2832 2676 7dppp.exe 36 PID 2676 wrote to memory of 2832 2676 7dppp.exe 36 PID 2832 wrote to memory of 2808 2832 3frxllr.exe 37 PID 2832 wrote to memory of 2808 2832 3frxllr.exe 37 PID 2832 wrote to memory of 2808 2832 3frxllr.exe 37 PID 2832 wrote to memory of 2808 2832 3frxllr.exe 37 PID 2808 wrote to memory of 2816 2808 pjdjp.exe 38 PID 2808 wrote to memory of 2816 2808 pjdjp.exe 38 PID 2808 wrote to memory of 2816 2808 pjdjp.exe 38 PID 2808 wrote to memory of 2816 2808 pjdjp.exe 38 PID 2816 wrote to memory of 2620 2816 nhtbhn.exe 39 PID 2816 wrote to 
memory of 2620 2816 nhtbhn.exe 39 PID 2816 wrote to memory of 2620 2816 nhtbhn.exe 39 PID 2816 wrote to memory of 2620 2816 nhtbhn.exe 39 PID 2620 wrote to memory of 2248 2620 pppvp.exe 40 PID 2620 wrote to memory of 2248 2620 pppvp.exe 40 PID 2620 wrote to memory of 2248 2620 pppvp.exe 40 PID 2620 wrote to memory of 2248 2620 pppvp.exe 40 PID 2248 wrote to memory of 268 2248 ppddj.exe 41 PID 2248 wrote to memory of 268 2248 ppddj.exe 41 PID 2248 wrote to memory of 268 2248 ppddj.exe 41 PID 2248 wrote to memory of 268 2248 ppddj.exe 41 PID 268 wrote to memory of 1620 268 1rflfxf.exe 42 PID 268 wrote to memory of 1620 268 1rflfxf.exe 42 PID 268 wrote to memory of 1620 268 1rflfxf.exe 42 PID 268 wrote to memory of 1620 268 1rflfxf.exe 42 PID 1620 wrote to memory of 1996 1620 vpdpv.exe 43 PID 1620 wrote to memory of 1996 1620 vpdpv.exe 43 PID 1620 wrote to memory of 1996 1620 vpdpv.exe 43 PID 1620 wrote to memory of 1996 1620 vpdpv.exe 43 PID 1996 wrote to memory of 640 1996 jjjpv.exe 44 PID 1996 wrote to memory of 640 1996 jjjpv.exe 44 PID 1996 wrote to memory of 640 1996 jjjpv.exe 44 PID 1996 wrote to memory of 640 1996 jjjpv.exe 44 PID 640 wrote to memory of 1524 640 bthntn.exe 45 PID 640 wrote to memory of 1524 640 bthntn.exe 45 PID 640 wrote to memory of 1524 640 bthntn.exe 45 PID 640 wrote to memory of 1524 640 bthntn.exe 45 PID 1524 wrote to memory of 324 1524 9tnhnn.exe 46 PID 1524 wrote to memory of 324 1524 9tnhnn.exe 46 PID 1524 wrote to memory of 324 1524 9tnhnn.exe 46 PID 1524 wrote to memory of 324 1524 9tnhnn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe"C:\Users\Admin\AppData\Local\Temp\714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\jdpvp.exec:\jdpvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\llxfrxf.exec:\llxfrxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\nnbhnb.exec:\nnbhnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\1ttbnn.exec:\1ttbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\7dppp.exec:\7dppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\3frxllr.exec:\3frxllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\pjdjp.exec:\pjdjp.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\nhtbhn.exec:\nhtbhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\pppvp.exec:\pppvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\ppddj.exec:\ppddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\1rflfxf.exec:\1rflfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:268 -
\??\c:\vpdpv.exec:\vpdpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\jjjpv.exec:\jjjpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\bthntn.exec:\bthntn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\9tnhnn.exec:\9tnhnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\vvjdj.exec:\vvjdj.exe17⤵
- Executes dropped EXE
PID:324 -
\??\c:\rlfflrr.exec:\rlfflrr.exe18⤵
- Executes dropped EXE
PID:1988 -
\??\c:\thbhhb.exec:\thbhhb.exe19⤵
- Executes dropped EXE
PID:2412 -
\??\c:\dpdjv.exec:\dpdjv.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080 -
\??\c:\9lllxfr.exec:\9lllxfr.exe21⤵
- Executes dropped EXE
PID:1520 -
\??\c:\7bntbb.exec:\7bntbb.exe22⤵
- Executes dropped EXE
PID:448 -
\??\c:\jdvvp.exec:\jdvvp.exe23⤵
- Executes dropped EXE
PID:2520 -
\??\c:\vjvpv.exec:\vjvpv.exe24⤵
- Executes dropped EXE
PID:1340 -
\??\c:\dpjjp.exec:\dpjjp.exe25⤵
- Executes dropped EXE
PID:2136 -
\??\c:\rrxllff.exec:\rrxllff.exe26⤵
- Executes dropped EXE
PID:1708 -
\??\c:\ttnnbt.exec:\ttnnbt.exe27⤵
- Executes dropped EXE
PID:2216 -
\??\c:\ppjpd.exec:\ppjpd.exe28⤵
- Executes dropped EXE
PID:2080 -
\??\c:\bthnnn.exec:\bthnnn.exe29⤵
- Executes dropped EXE
PID:2488 -
\??\c:\pjppd.exec:\pjppd.exe30⤵
- Executes dropped EXE
PID:784 -
\??\c:\tbbhtb.exec:\tbbhtb.exe31⤵
- Executes dropped EXE
PID:1152 -
\??\c:\9bnnnt.exec:\9bnnnt.exe32⤵
- Executes dropped EXE
PID:2128 -
\??\c:\rlfrxfl.exec:\rlfrxfl.exe33⤵
- Executes dropped EXE
PID:2636 -
\??\c:\1xfllrx.exec:\1xfllrx.exe34⤵
- Executes dropped EXE
PID:1608 -
\??\c:\5jjpd.exec:\5jjpd.exe35⤵
- Executes dropped EXE
PID:2796 -
\??\c:\5pdvv.exec:\5pdvv.exe36⤵
- Executes dropped EXE
PID:2704 -
\??\c:\frfflrx.exec:\frfflrx.exe37⤵
- Executes dropped EXE
PID:2752 -
\??\c:\llflllx.exec:\llflllx.exe38⤵
- Executes dropped EXE
PID:2644 -
\??\c:\tntbbb.exec:\tntbbb.exe39⤵
- Executes dropped EXE
PID:2772 -
\??\c:\vvjpv.exec:\vvjpv.exe40⤵
- Executes dropped EXE
PID:2680 -
\??\c:\jdvjv.exec:\jdvjv.exe41⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xxxfrrf.exec:\xxxfrrf.exe42⤵
- Executes dropped EXE
PID:2536 -
\??\c:\lllxflx.exec:\lllxflx.exe43⤵
- Executes dropped EXE
PID:2616 -
\??\c:\3ttttb.exec:\3ttttb.exe44⤵
- Executes dropped EXE
PID:2620 -
\??\c:\nhbhnn.exec:\nhbhnn.exe45⤵
- Executes dropped EXE
PID:1684 -
\??\c:\vpdpv.exec:\vpdpv.exe46⤵
- Executes dropped EXE
PID:2008 -
\??\c:\xrffflx.exec:\xrffflx.exe47⤵
- Executes dropped EXE
PID:1008 -
\??\c:\nhbhnn.exec:\nhbhnn.exe48⤵
- Executes dropped EXE
PID:1040 -
\??\c:\nhtbnn.exec:\nhtbnn.exe49⤵
- Executes dropped EXE
PID:1416 -
\??\c:\3pdjv.exec:\3pdjv.exe50⤵
- Executes dropped EXE
PID:1204 -
\??\c:\jjvpv.exec:\jjvpv.exe51⤵
- Executes dropped EXE
PID:2280 -
\??\c:\9flfxxf.exec:\9flfxxf.exe52⤵
- Executes dropped EXE
PID:332 -
\??\c:\tnnttb.exec:\tnnttb.exe53⤵
- Executes dropped EXE
PID:768 -
\??\c:\bthtbn.exec:\bthtbn.exe54⤵
- Executes dropped EXE
PID:2384 -
\??\c:\3jpjd.exec:\3jpjd.exe55⤵
- Executes dropped EXE
PID:2212 -
\??\c:\jjjpd.exec:\jjjpd.exe56⤵
- Executes dropped EXE
PID:1896 -
\??\c:\xxrxffr.exec:\xxrxffr.exe57⤵
- Executes dropped EXE
PID:2372 -
\??\c:\9tttbb.exec:\9tttbb.exe58⤵
- Executes dropped EXE
PID:1632 -
\??\c:\tnnthh.exec:\tnnthh.exe59⤵
- Executes dropped EXE
PID:1668 -
\??\c:\vjpvv.exec:\vjpvv.exe60⤵
- Executes dropped EXE
PID:952 -
\??\c:\3frlrxf.exec:\3frlrxf.exe61⤵
- Executes dropped EXE
PID:2408 -
\??\c:\3rxfrlx.exec:\3rxfrlx.exe62⤵
- Executes dropped EXE
PID:2420 -
\??\c:\7bbnht.exec:\7bbnht.exe63⤵
- Executes dropped EXE
PID:1812 -
\??\c:\nnhnnt.exec:\nnhnnt.exe64⤵
- Executes dropped EXE
PID:1740 -
\??\c:\7jdjv.exec:\7jdjv.exe65⤵
- Executes dropped EXE
PID:2220 -
\??\c:\xxrxllx.exec:\xxrxllx.exe66⤵PID:1752
-
\??\c:\rxlrffl.exec:\rxlrffl.exe67⤵PID:1512
-
\??\c:\3ttthh.exec:\3ttthh.exe68⤵PID:708
-
\??\c:\htnntt.exec:\htnntt.exe69⤵PID:2080
-
\??\c:\jdppv.exec:\jdppv.exe70⤵PID:296
-
\??\c:\xrflrxf.exec:\xrflrxf.exe71⤵PID:868
-
\??\c:\lxlllrf.exec:\lxlllrf.exe72⤵PID:2188
-
\??\c:\hbtthh.exec:\hbtthh.exe73⤵PID:1940
-
\??\c:\nbnhhb.exec:\nbnhhb.exe74⤵PID:2500
-
\??\c:\1jdpv.exec:\1jdpv.exe75⤵
- System Location Discovery: System Language Discovery
PID:2128 -
\??\c:\3lfxffl.exec:\3lfxffl.exe76⤵PID:2992
-
\??\c:\lfxxrrf.exec:\lfxxrrf.exe77⤵PID:1652
-
\??\c:\bthhth.exec:\bthhth.exe78⤵PID:1596
-
\??\c:\5vjjp.exec:\5vjjp.exe79⤵PID:2776
-
\??\c:\5ppvj.exec:\5ppvj.exe80⤵PID:3016
-
\??\c:\fxrxlrr.exec:\fxrxlrr.exe81⤵PID:2812
-
\??\c:\hbnnbb.exec:\hbnnbb.exe82⤵PID:2836
-
\??\c:\hbnntt.exec:\hbnntt.exe83⤵PID:2784
-
\??\c:\pjvvj.exec:\pjvvj.exe84⤵PID:2808
-
\??\c:\9llrfll.exec:\9llrfll.exe85⤵PID:2324
-
\??\c:\xxllrlr.exec:\xxllrlr.exe86⤵PID:2584
-
\??\c:\hbhhnh.exec:\hbhhnh.exe87⤵PID:2592
-
\??\c:\5jjdp.exec:\5jjdp.exe88⤵PID:2432
-
\??\c:\vpjpv.exec:\vpjpv.exe89⤵PID:1556
-
\??\c:\1rrxfff.exec:\1rrxfff.exe90⤵PID:1680
-
\??\c:\btbtbb.exec:\btbtbb.exe91⤵PID:2736
-
\??\c:\hbbthb.exec:\hbbthb.exe92⤵PID:2012
-
\??\c:\9dpjp.exec:\9dpjp.exe93⤵PID:2028
-
\??\c:\lfffxfx.exec:\lfffxfx.exe94⤵PID:2052
-
\??\c:\xrlflxf.exec:\xrlflxf.exe95⤵PID:532
-
\??\c:\bntttt.exec:\bntttt.exe96⤵PID:1960
-
\??\c:\3pppp.exec:\3pppp.exe97⤵PID:2000
-
\??\c:\pjvdp.exec:\pjvdp.exe98⤵PID:2580
-
\??\c:\xxffffr.exec:\xxffffr.exe99⤵PID:1308
-
\??\c:\lllrrxl.exec:\lllrrxl.exe100⤵PID:972
-
\??\c:\thbhnn.exec:\thbhnn.exe101⤵PID:2352
-
\??\c:\1nhhtb.exec:\1nhhtb.exe102⤵
- System Location Discovery: System Language Discovery
PID:2872 -
\??\c:\vpjpv.exec:\vpjpv.exe103⤵PID:2332
-
\??\c:\lfxfllr.exec:\lfxfllr.exe104⤵PID:816
-
\??\c:\1rllxfl.exec:\1rllxfl.exe105⤵PID:2244
-
\??\c:\bnhbbb.exec:\bnhbbb.exe106⤵PID:2148
-
\??\c:\pjdjv.exec:\pjdjv.exe107⤵PID:1944
-
\??\c:\vpdjj.exec:\vpdjj.exe108⤵PID:3028
-
\??\c:\rxrxrfl.exec:\rxrxrfl.exe109⤵PID:2404
-
\??\c:\9bbhhn.exec:\9bbhhn.exe110⤵PID:2296
-
\??\c:\jddpp.exec:\jddpp.exe111⤵PID:1876
-
\??\c:\9jvvv.exec:\9jvvv.exe112⤵PID:2300
-
\??\c:\llxfrrl.exec:\llxfrrl.exe113⤵PID:2488
-
\??\c:\nhthnn.exec:\nhthnn.exe114⤵PID:2104
-
\??\c:\hbtttb.exec:\hbtttb.exe115⤵PID:2952
-
\??\c:\jdddp.exec:\jdddp.exe116⤵PID:1152
-
\??\c:\ppjdj.exec:\ppjdj.exe117⤵PID:2728
-
\??\c:\rlfrflr.exec:\rlfrflr.exe118⤵PID:2688
-
\??\c:\nnbntt.exec:\nnbntt.exe119⤵PID:2116
-
\??\c:\7tntbh.exec:\7tntbh.exe120⤵PID:2792
-
\??\c:\ddpvd.exec:\ddpvd.exe121⤵PID:2800
-
\??\c:\lfllrrr.exec:\lfllrrr.exe122⤵
- System Location Discovery: System Language Discovery
PID:2704