Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
24-12-2024 00:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe
-
Size
453KB
-
MD5
40c8bde846d9ee11883b0e5098d0473f
-
SHA1
efc765918ed5d2c78f0dcf0d7b59cad7d86f7337
-
SHA256
af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00
-
SHA512
f16d0d791938bf77e66b1f52417e83b809c22319d74f0ee465616734e7e521e2af6f684a015957bdec42e38cdc790ec281d606ae4ebccb91ced8252c5a663fff
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2236-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1192-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/828-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-283-0x00000000773D0000-0x00000000774EF000-memory.dmp family_blackmoon behavioral1/memory/2628-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-403-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1716-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/604-506-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2632-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-712-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2504-711-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2152-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-809-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1408-1039-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2376-1064-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2936-1066-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2216-1080-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2736-1092-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2768-1144-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1120-1166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2664 3tnthh.exe 2880 jjdvj.exe 2776 3frxrff.exe 2792 3btbht.exe 2772 dvjjp.exe 2520 rrxlxrf.exe 2336 hbntnt.exe 2208 vvpvj.exe 484 jjvvd.exe 756 lllflxr.exe 1856 nnntht.exe 2712 jjdpj.exe 2436 xxlrxll.exe 1192 5btbtb.exe 1520 vpjvj.exe 2500 3lxlrxf.exe 2380 1tnnnt.exe 2468 vvpdj.exe 1652 xrxflrf.exe 2700 3thtbn.exe 2320 pjdpd.exe 2396 llxrrfx.exe 3012 nnhnbh.exe 1852 ppjpj.exe 1276 7lrlxxf.exe 2128 hhhthn.exe 944 9xxrffr.exe 2988 bbtbtb.exe 1728 1vjjv.exe 828 lxrlrfl.exe 2844 5hbnht.exe 1564 jvpjd.exe 1600 nhthth.exe 2628 ppjpj.exe 2656 rlllrfr.exe 2852 hhtthh.exe 2772 jjddp.exe 2544 1rfflrx.exe 2548 nhbthn.exe 2768 pjvdp.exe 2952 rrffxfx.exe 776 bbthtb.exe 1120 jjvdj.exe 1844 jdjdv.exe 2624 llflxfx.exe 2704 bbbntb.exe 2280 jdpvj.exe 1700 lxrrxff.exe 1684 llrrfrf.exe 2000 hhhtnn.exe 1796 pvjpd.exe 2472 1fllllr.exe 1724 rrlxrff.exe 2012 7nttbb.exe 1540 3vjdd.exe 1928 xxrflrf.exe 1716 7lxlrll.exe 2332 3hnthb.exe 540 pjjpv.exe 2008 xlxxxff.exe 2152 bbnntt.exe 1532 hbbthn.exe 2016 vvpjd.exe 1008 1rlxlrl.exe -
resource yara_rule behavioral1/memory/2236-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/828-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-283-0x00000000773D0000-0x00000000774EF000-memory.dmp upx 
behavioral1/memory/2628-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-855-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1948-914-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-1004-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-1019-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1408-1039-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2216-1080-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1164-1094-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-1104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-1153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-1191-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 2664 2236 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 30 PID 2236 wrote to memory of 2664 2236 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 30 PID 2236 wrote to memory of 2664 2236 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 30 PID 2236 wrote to memory of 2664 2236 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 30 PID 2664 wrote to memory of 2880 2664 3tnthh.exe 31 PID 2664 wrote to memory of 2880 2664 3tnthh.exe 31 PID 2664 wrote to memory of 2880 2664 3tnthh.exe 31 PID 2664 wrote to memory of 2880 2664 3tnthh.exe 31 PID 2880 wrote to memory of 2776 2880 jjdvj.exe 32 PID 2880 wrote to memory of 2776 2880 jjdvj.exe 32 PID 2880 wrote to memory of 2776 2880 jjdvj.exe 32 PID 2880 wrote to memory of 2776 2880 jjdvj.exe 32 PID 2776 wrote to memory of 2792 2776 3frxrff.exe 33 PID 2776 wrote to memory of 2792 2776 3frxrff.exe 33 PID 2776 wrote to memory of 2792 2776 3frxrff.exe 33 PID 2776 wrote to memory of 2792 2776 3frxrff.exe 33 PID 2792 wrote to memory of 2772 2792 3btbht.exe 34 PID 2792 wrote to memory of 2772 2792 3btbht.exe 34 PID 2792 wrote to memory of 2772 2792 3btbht.exe 34 PID 2792 wrote to memory of 2772 2792 3btbht.exe 34 PID 2772 wrote to memory of 2520 2772 dvjjp.exe 35 PID 2772 wrote to memory of 2520 2772 dvjjp.exe 35 PID 2772 wrote to memory of 2520 2772 dvjjp.exe 35 PID 2772 wrote to memory of 2520 2772 dvjjp.exe 35 PID 2520 wrote to memory of 2336 2520 rrxlxrf.exe 36 PID 2520 wrote to memory of 2336 2520 rrxlxrf.exe 36 PID 2520 wrote to memory of 2336 2520 rrxlxrf.exe 36 PID 2520 wrote to memory of 2336 2520 rrxlxrf.exe 36 PID 2336 wrote to memory of 2208 2336 hbntnt.exe 37 PID 2336 wrote to memory of 2208 2336 hbntnt.exe 37 PID 2336 wrote to memory of 2208 2336 hbntnt.exe 37 PID 2336 wrote to memory of 2208 2336 hbntnt.exe 37 PID 2208 wrote to memory of 484 2208 vvpvj.exe 38 PID 2208 wrote 
to memory of 484 2208 vvpvj.exe 38 PID 2208 wrote to memory of 484 2208 vvpvj.exe 38 PID 2208 wrote to memory of 484 2208 vvpvj.exe 38 PID 484 wrote to memory of 756 484 jjvvd.exe 39 PID 484 wrote to memory of 756 484 jjvvd.exe 39 PID 484 wrote to memory of 756 484 jjvvd.exe 39 PID 484 wrote to memory of 756 484 jjvvd.exe 39 PID 756 wrote to memory of 1856 756 lllflxr.exe 40 PID 756 wrote to memory of 1856 756 lllflxr.exe 40 PID 756 wrote to memory of 1856 756 lllflxr.exe 40 PID 756 wrote to memory of 1856 756 lllflxr.exe 40 PID 1856 wrote to memory of 2712 1856 nnntht.exe 41 PID 1856 wrote to memory of 2712 1856 nnntht.exe 41 PID 1856 wrote to memory of 2712 1856 nnntht.exe 41 PID 1856 wrote to memory of 2712 1856 nnntht.exe 41 PID 2712 wrote to memory of 2436 2712 jjdpj.exe 42 PID 2712 wrote to memory of 2436 2712 jjdpj.exe 42 PID 2712 wrote to memory of 2436 2712 jjdpj.exe 42 PID 2712 wrote to memory of 2436 2712 jjdpj.exe 42 PID 2436 wrote to memory of 1192 2436 xxlrxll.exe 43 PID 2436 wrote to memory of 1192 2436 xxlrxll.exe 43 PID 2436 wrote to memory of 1192 2436 xxlrxll.exe 43 PID 2436 wrote to memory of 1192 2436 xxlrxll.exe 43 PID 1192 wrote to memory of 1520 1192 5btbtb.exe 44 PID 1192 wrote to memory of 1520 1192 5btbtb.exe 44 PID 1192 wrote to memory of 1520 1192 5btbtb.exe 44 PID 1192 wrote to memory of 1520 1192 5btbtb.exe 44 PID 1520 wrote to memory of 2500 1520 vpjvj.exe 45 PID 1520 wrote to memory of 2500 1520 vpjvj.exe 45 PID 1520 wrote to memory of 2500 1520 vpjvj.exe 45 PID 1520 wrote to memory of 2500 1520 vpjvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe"C:\Users\Admin\AppData\Local\Temp\af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\3tnthh.exec:\3tnthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\jjdvj.exec:\jjdvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\3frxrff.exec:\3frxrff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\3btbht.exec:\3btbht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\dvjjp.exec:\dvjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\rrxlxrf.exec:\rrxlxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\hbntnt.exec:\hbntnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\vvpvj.exec:\vvpvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\jjvvd.exec:\jjvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
\??\c:\lllflxr.exec:\lllflxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\nnntht.exec:\nnntht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\jjdpj.exec:\jjdpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\xxlrxll.exec:\xxlrxll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\5btbtb.exec:\5btbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\vpjvj.exec:\vpjvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\3lxlrxf.exec:\3lxlrxf.exe17⤵
- Executes dropped EXE
PID:2500 -
\??\c:\1tnnnt.exec:\1tnnnt.exe18⤵
- Executes dropped EXE
PID:2380 -
\??\c:\vvpdj.exec:\vvpdj.exe19⤵
- Executes dropped EXE
PID:2468 -
\??\c:\xrxflrf.exec:\xrxflrf.exe20⤵
- Executes dropped EXE
PID:1652 -
\??\c:\3thtbn.exec:\3thtbn.exe21⤵
- Executes dropped EXE
PID:2700 -
\??\c:\pjdpd.exec:\pjdpd.exe22⤵
- Executes dropped EXE
PID:2320 -
\??\c:\llxrrfx.exec:\llxrrfx.exe23⤵
- Executes dropped EXE
PID:2396 -
\??\c:\nnhnbh.exec:\nnhnbh.exe24⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ppjpj.exec:\ppjpj.exe25⤵
- Executes dropped EXE
PID:1852 -
\??\c:\7lrlxxf.exec:\7lrlxxf.exe26⤵
- Executes dropped EXE
PID:1276 -
\??\c:\hhhthn.exec:\hhhthn.exe27⤵
- Executes dropped EXE
PID:2128 -
\??\c:\9xxrffr.exec:\9xxrffr.exe28⤵
- Executes dropped EXE
PID:944 -
\??\c:\bbtbtb.exec:\bbtbtb.exe29⤵
- Executes dropped EXE
PID:2988 -
\??\c:\1vjjv.exec:\1vjjv.exe30⤵
- Executes dropped EXE
PID:1728 -
\??\c:\lxrlrfl.exec:\lxrlrfl.exe31⤵
- Executes dropped EXE
PID:828 -
\??\c:\5hbnht.exec:\5hbnht.exe32⤵
- Executes dropped EXE
PID:2844 -
\??\c:\jvpjd.exec:\jvpjd.exe33⤵
- Executes dropped EXE
PID:1564 -
\??\c:\bbttbb.exec:\bbttbb.exe34⤵PID:2680
-
\??\c:\nhthth.exec:\nhthth.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\ppjpj.exec:\ppjpj.exe36⤵
- Executes dropped EXE
PID:2628 -
\??\c:\rlllrfr.exec:\rlllrfr.exe37⤵
- Executes dropped EXE
PID:2656 -
\??\c:\hhtthh.exec:\hhtthh.exe38⤵
- Executes dropped EXE
PID:2852 -
\??\c:\jjddp.exec:\jjddp.exe39⤵
- Executes dropped EXE
PID:2772 -
\??\c:\1rfflrx.exec:\1rfflrx.exe40⤵
- Executes dropped EXE
PID:2544 -
\??\c:\nhbthn.exec:\nhbthn.exe41⤵
- Executes dropped EXE
PID:2548 -
\??\c:\pjvdp.exec:\pjvdp.exe42⤵
- Executes dropped EXE
PID:2768 -
\??\c:\rrffxfx.exec:\rrffxfx.exe43⤵
- Executes dropped EXE
PID:2952 -
\??\c:\bbthtb.exec:\bbthtb.exe44⤵
- Executes dropped EXE
PID:776 -
\??\c:\jjvdj.exec:\jjvdj.exe45⤵
- Executes dropped EXE
PID:1120 -
\??\c:\jdjdv.exec:\jdjdv.exe46⤵
- Executes dropped EXE
PID:1844 -
\??\c:\llflxfx.exec:\llflxfx.exe47⤵
- Executes dropped EXE
PID:2624 -
\??\c:\bbbntb.exec:\bbbntb.exe48⤵
- Executes dropped EXE
PID:2704 -
\??\c:\jdpvj.exec:\jdpvj.exe49⤵
- Executes dropped EXE
PID:2280 -
\??\c:\lxrrxff.exec:\lxrrxff.exe50⤵
- Executes dropped EXE
PID:1700 -
\??\c:\llrrfrf.exec:\llrrfrf.exe51⤵
- Executes dropped EXE
PID:1684 -
\??\c:\hhhtnn.exec:\hhhtnn.exe52⤵
- Executes dropped EXE
PID:2000 -
\??\c:\pvjpd.exec:\pvjpd.exe53⤵
- Executes dropped EXE
PID:1796 -
\??\c:\1fllllr.exec:\1fllllr.exe54⤵
- Executes dropped EXE
PID:2472 -
\??\c:\rrlxrff.exec:\rrlxrff.exe55⤵
- Executes dropped EXE
PID:1724 -
\??\c:\7nttbb.exec:\7nttbb.exe56⤵
- Executes dropped EXE
PID:2012 -
\??\c:\3vjdd.exec:\3vjdd.exe57⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xxrflrf.exec:\xxrflrf.exe58⤵
- Executes dropped EXE
PID:1928 -
\??\c:\7lxlrll.exec:\7lxlrll.exe59⤵
- Executes dropped EXE
PID:1716 -
\??\c:\3hnthb.exec:\3hnthb.exe60⤵
- Executes dropped EXE
PID:2332 -
\??\c:\pjjpv.exec:\pjjpv.exe61⤵
- Executes dropped EXE
PID:540 -
\??\c:\xlxxxff.exec:\xlxxxff.exe62⤵
- Executes dropped EXE
PID:2008 -
\??\c:\bbnntt.exec:\bbnntt.exe63⤵
- Executes dropped EXE
PID:2152 -
\??\c:\hbbthn.exec:\hbbthn.exe64⤵
- Executes dropped EXE
PID:1532 -
\??\c:\vvpjd.exec:\vvpjd.exe65⤵
- Executes dropped EXE
PID:2016 -
\??\c:\1rlxlrl.exec:\1rlxlrl.exe66⤵
- Executes dropped EXE
PID:1008 -
\??\c:\5hhnbh.exec:\5hhnbh.exe67⤵PID:604
-
\??\c:\1btbtb.exec:\1btbtb.exe68⤵PID:344
-
\??\c:\1vddj.exec:\1vddj.exe69⤵PID:1100
-
\??\c:\lfrfrrl.exec:\lfrfrrl.exe70⤵PID:2424
-
\??\c:\fxllfxl.exec:\fxllfxl.exe71⤵PID:2080
-
\??\c:\nhnthh.exec:\nhnthh.exe72⤵PID:1640
-
\??\c:\pjddp.exec:\pjddp.exe73⤵PID:796
-
\??\c:\jdvvp.exec:\jdvvp.exe74⤵PID:2632
-
\??\c:\7xrlrrf.exec:\7xrlrrf.exe75⤵PID:3004
-
\??\c:\tttbth.exec:\tttbth.exe76⤵PID:1164
-
\??\c:\tbtbhh.exec:\tbtbhh.exe77⤵PID:2796
-
\??\c:\5jvdd.exec:\5jvdd.exe78⤵PID:2628
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe79⤵PID:2552
-
\??\c:\9lflrff.exec:\9lflrff.exe80⤵PID:2684
-
\??\c:\tthntb.exec:\tthntb.exe81⤵PID:2660
-
\??\c:\pjdjp.exec:\pjdjp.exe82⤵PID:2336
-
\??\c:\xxrxfxf.exec:\xxrxfxf.exe83⤵PID:2812
-
\??\c:\ffrrxxf.exec:\ffrrxxf.exe84⤵PID:1092
-
\??\c:\nnhhnt.exec:\nnhhnt.exe85⤵PID:2528
-
\??\c:\jjjjv.exec:\jjjjv.exe86⤵PID:484
-
\??\c:\vvppv.exec:\vvppv.exe87⤵PID:1120
-
\??\c:\fxrrlrl.exec:\fxrrlrl.exe88⤵PID:1844
-
\??\c:\hntbnn.exec:\hntbnn.exe89⤵PID:2816
-
\??\c:\bthntt.exec:\bthntt.exe90⤵PID:1912
-
\??\c:\vpjvj.exec:\vpjvj.exe91⤵PID:496
-
\??\c:\1lrrflr.exec:\1lrrflr.exe92⤵PID:1520
-
\??\c:\9lflxfr.exec:\9lflxfr.exe93⤵PID:2364
-
\??\c:\1nbtnb.exec:\1nbtnb.exe94⤵PID:1792
-
\??\c:\dvppd.exec:\dvppd.exe95⤵PID:1864
-
\??\c:\vpjvp.exec:\vpjvp.exe96⤵PID:2148
-
\??\c:\fxxxlxl.exec:\fxxxlxl.exe97⤵PID:2440
-
\??\c:\1nbttb.exec:\1nbttb.exe98⤵PID:1088
-
\??\c:\ttbbtb.exec:\ttbbtb.exe99⤵PID:2504
-
\??\c:\jjddp.exec:\jjddp.exe100⤵PID:2096
-
\??\c:\ffxflrf.exec:\ffxflrf.exe101⤵PID:2276
-
\??\c:\nhnthn.exec:\nhnthn.exe102⤵PID:1636
-
\??\c:\dvvdd.exec:\dvvdd.exe103⤵PID:540
-
\??\c:\ddvpv.exec:\ddvpv.exe104⤵PID:1484
-
\??\c:\9xxxxfl.exec:\9xxxxfl.exe105⤵PID:2152
-
\??\c:\ntthth.exec:\ntthth.exe106⤵PID:1216
-
\??\c:\nhtbbb.exec:\nhtbbb.exe107⤵PID:2016
-
\??\c:\pvppd.exec:\pvppd.exe108⤵PID:2116
-
\??\c:\rrrxxfr.exec:\rrrxxfr.exe109⤵PID:2300
-
\??\c:\xxrxxfx.exec:\xxrxxfx.exe110⤵PID:2252
-
\??\c:\hnbnbb.exec:\hnbnbb.exe111⤵PID:568
-
\??\c:\vvvpj.exec:\vvvpj.exe112⤵PID:352
-
\??\c:\pjdjj.exec:\pjdjj.exe113⤵PID:2080
-
\??\c:\fffrfff.exec:\fffrfff.exe114⤵PID:2904
-
\??\c:\hhbbnh.exec:\hhbbnh.exe115⤵PID:796
-
\??\c:\bhbntb.exec:\bhbntb.exe116⤵PID:2632
-
\??\c:\vjdjp.exec:\vjdjp.exe117⤵PID:1564
-
\??\c:\ffllrlr.exec:\ffllrlr.exe118⤵PID:2880
-
\??\c:\rlffxfx.exec:\rlffxfx.exe119⤵PID:3036
-
\??\c:\1hnbtt.exec:\1hnbtt.exe120⤵PID:2780
-
\??\c:\vvdjv.exec:\vvdjv.exe121⤵PID:1908
-
\??\c:\1rllfxf.exec:\1rllfxf.exe122⤵PID:2540