Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
25-12-2024 22:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe
-
Size
453KB
-
MD5
6970d935b0d800e8d0a00d30cf021eb0
-
SHA1
1ddaac56e6874df4aac106ab5340b50bb51b95af
-
SHA256
75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98ee
-
SHA512
a0ac5bbc37903378763adfc4fd77785e6292cbf7969ba1734b66e3e6f570af972c5ca7a8bb6964bc16791649efb2c4ad8974a303c15ce0da23c4acec5e656ae9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 58 IoCs
resource yara_rule behavioral1/memory/2112-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-17-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2176-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-44-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2736-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2956-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-91-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2640-109-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2860-118-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1920-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-144-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1916-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-155-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1856-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-174-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1964-176-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1964-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-195-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2208-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-205-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1520-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-214-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1496-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-235-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1496-232-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/908-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/292-270-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1364-289-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1592-296-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1592-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-347-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2780-361-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2780-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/344-507-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1480-521-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2356-528-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1648-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-611-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2648-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-658-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/1648-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-846-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2776-950-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: several PIDs — e.g. 2112, 1908, 2640 — appear twice in the list below because earlier processes in the chain had already exited and Windows reused their PIDs; correlate on image name and file hash rather than on PID when building detections from this report)
pid Process 2112 thnnhb.exe 2176 5ffxrxx.exe 2500 vvvdd.exe 1488 xfllxfl.exe 2736 htnntt.exe 2956 jjvjp.exe 2944 9hnbnt.exe 2940 vpjpd.exe 2924 3lxfxxf.exe 1908 btnnbn.exe 2640 3rxxxfl.exe 2860 ttnhbh.exe 1792 5jdjp.exe 1920 nbtthn.exe 1916 jjpjd.exe 1856 frllflf.exe 2696 bnhhbt.exe 1964 dpdjv.exe 2168 xlrrrrx.exe 2208 5tnbbt.exe 2084 pdppv.exe 1520 thnbbb.exe 448 1dvjp.exe 1496 rlffllr.exe 908 hbtbnn.exe 2460 3dpvd.exe 2356 nhbnbb.exe 292 vvpvj.exe 1744 9nbhhh.exe 1364 btnbtt.exe 1592 jjddp.exe 2112 lfxfllr.exe 2364 dvvjj.exe 2372 dvvpv.exe 2360 rllxlrx.exe 2292 tttthh.exe 2472 3jpvd.exe 2820 ffxfxxf.exe 2852 xrlrflx.exe 2780 7nhbnh.exe 2632 7htntt.exe 2732 jdvvj.exe 1908 lfrrxfl.exe 2640 tbtbnt.exe 3052 nnbnbb.exe 1712 vvpvp.exe 1956 xlrrllr.exe 1432 1bbtht.exe 2312 htthbh.exe 2776 dpddp.exe 2476 rxrxxxr.exe 1252 hhtnbt.exe 1612 3nbttb.exe 3068 1pdvp.exe 2212 5lxflrx.exe 2448 nhttbb.exe 2132 ddpvv.exe 1100 dppvj.exe 1128 lllrxxl.exe 1276 nhnnhn.exe 2528 ppdjv.exe 1480 vpjpv.exe 344 lxlrxxl.exe 304 nhhhtb.exe -
resource yara_rule behavioral1/memory/2112-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-109-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1916-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-155-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1856-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-262-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/292-270-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1364-290-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1592-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-347-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2780-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-701-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2080-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-806-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/596-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-910-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-950-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer its geographical location. Such locale checks are commonly used to avoid detonating on hosts in particular regions, so behaviour observed on this en-us image may not be representative of what the sample does on other locales.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xffrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtht.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2148 wrote to memory of 2112 2148 75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe 30 PID 2148 wrote to memory of 2112 2148 75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe 30 PID 2148 wrote to memory of 2112 2148 75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe 30 PID 2148 wrote to memory of 2112 2148 75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe 30 PID 2112 wrote to memory of 2176 2112 thnnhb.exe 31 PID 2112 wrote to memory of 2176 2112 thnnhb.exe 31 PID 2112 wrote to memory of 2176 2112 thnnhb.exe 31 PID 2112 wrote to memory of 2176 2112 thnnhb.exe 31 PID 2176 wrote to memory of 2500 2176 5ffxrxx.exe 32 PID 2176 wrote to memory of 2500 2176 5ffxrxx.exe 32 PID 2176 wrote to memory of 2500 2176 5ffxrxx.exe 32 PID 2176 wrote to memory of 2500 2176 5ffxrxx.exe 32 PID 2500 wrote to memory of 1488 2500 vvvdd.exe 33 PID 2500 wrote to memory of 1488 2500 vvvdd.exe 33 PID 2500 wrote to memory of 1488 2500 vvvdd.exe 33 PID 2500 wrote to memory of 1488 2500 vvvdd.exe 33 PID 1488 wrote to memory of 2736 1488 xfllxfl.exe 34 PID 1488 wrote to memory of 2736 1488 xfllxfl.exe 34 PID 1488 wrote to memory of 2736 1488 xfllxfl.exe 34 PID 1488 wrote to memory of 2736 1488 xfllxfl.exe 34 PID 2736 wrote to memory of 2956 2736 htnntt.exe 35 PID 2736 wrote to memory of 2956 2736 htnntt.exe 35 PID 2736 wrote to memory of 2956 2736 htnntt.exe 35 PID 2736 wrote to memory of 2956 2736 htnntt.exe 35 PID 2956 wrote to memory of 2944 2956 jjvjp.exe 36 PID 2956 wrote to memory of 2944 2956 jjvjp.exe 36 PID 2956 wrote to memory of 2944 2956 jjvjp.exe 36 PID 2956 wrote to memory of 2944 2956 jjvjp.exe 36 PID 2944 wrote to memory of 2940 2944 9hnbnt.exe 37 PID 2944 wrote to memory of 2940 2944 9hnbnt.exe 37 PID 2944 wrote to memory of 2940 2944 9hnbnt.exe 37 PID 2944 wrote to memory of 2940 2944 9hnbnt.exe 37 PID 2940 wrote to memory of 2924 2940 vpjpd.exe 38 PID 2940 
wrote to memory of 2924 2940 vpjpd.exe 38 PID 2940 wrote to memory of 2924 2940 vpjpd.exe 38 PID 2940 wrote to memory of 2924 2940 vpjpd.exe 38 PID 2924 wrote to memory of 1908 2924 3lxfxxf.exe 39 PID 2924 wrote to memory of 1908 2924 3lxfxxf.exe 39 PID 2924 wrote to memory of 1908 2924 3lxfxxf.exe 39 PID 2924 wrote to memory of 1908 2924 3lxfxxf.exe 39 PID 1908 wrote to memory of 2640 1908 btnnbn.exe 40 PID 1908 wrote to memory of 2640 1908 btnnbn.exe 40 PID 1908 wrote to memory of 2640 1908 btnnbn.exe 40 PID 1908 wrote to memory of 2640 1908 btnnbn.exe 40 PID 2640 wrote to memory of 2860 2640 3rxxxfl.exe 41 PID 2640 wrote to memory of 2860 2640 3rxxxfl.exe 41 PID 2640 wrote to memory of 2860 2640 3rxxxfl.exe 41 PID 2640 wrote to memory of 2860 2640 3rxxxfl.exe 41 PID 2860 wrote to memory of 1792 2860 ttnhbh.exe 42 PID 2860 wrote to memory of 1792 2860 ttnhbh.exe 42 PID 2860 wrote to memory of 1792 2860 ttnhbh.exe 42 PID 2860 wrote to memory of 1792 2860 ttnhbh.exe 42 PID 1792 wrote to memory of 1920 1792 5jdjp.exe 43 PID 1792 wrote to memory of 1920 1792 5jdjp.exe 43 PID 1792 wrote to memory of 1920 1792 5jdjp.exe 43 PID 1792 wrote to memory of 1920 1792 5jdjp.exe 43 PID 1920 wrote to memory of 1916 1920 nbtthn.exe 44 PID 1920 wrote to memory of 1916 1920 nbtthn.exe 44 PID 1920 wrote to memory of 1916 1920 nbtthn.exe 44 PID 1920 wrote to memory of 1916 1920 nbtthn.exe 44 PID 1916 wrote to memory of 1856 1916 jjpjd.exe 45 PID 1916 wrote to memory of 1856 1916 jjpjd.exe 45 PID 1916 wrote to memory of 1856 1916 jjpjd.exe 45 PID 1916 wrote to memory of 1856 1916 jjpjd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe"C:\Users\Admin\AppData\Local\Temp\75c9849deaf86ef1d8c115941d784a726bf516e969bf39c298093c64781d98eeN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\thnnhb.exec:\thnnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\5ffxrxx.exec:\5ffxrxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\vvvdd.exec:\vvvdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\xfllxfl.exec:\xfllxfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\htnntt.exec:\htnntt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\jjvjp.exec:\jjvjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\9hnbnt.exec:\9hnbnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\vpjpd.exec:\vpjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\3lxfxxf.exec:\3lxfxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\btnnbn.exec:\btnnbn.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\3rxxxfl.exec:\3rxxxfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\ttnhbh.exec:\ttnhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\5jdjp.exec:\5jdjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\nbtthn.exec:\nbtthn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\jjpjd.exec:\jjpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\frllflf.exec:\frllflf.exe17⤵
- Executes dropped EXE
PID:1856 -
\??\c:\bnhhbt.exec:\bnhhbt.exe18⤵
- Executes dropped EXE
PID:2696 -
\??\c:\dpdjv.exec:\dpdjv.exe19⤵
- Executes dropped EXE
PID:1964 -
\??\c:\xlrrrrx.exec:\xlrrrrx.exe20⤵
- Executes dropped EXE
PID:2168 -
\??\c:\5tnbbt.exec:\5tnbbt.exe21⤵
- Executes dropped EXE
PID:2208 -
\??\c:\pdppv.exec:\pdppv.exe22⤵
- Executes dropped EXE
PID:2084 -
\??\c:\thnbbb.exec:\thnbbb.exe23⤵
- Executes dropped EXE
PID:1520 -
\??\c:\1dvjp.exec:\1dvjp.exe24⤵
- Executes dropped EXE
PID:448 -
\??\c:\rlffllr.exec:\rlffllr.exe25⤵
- Executes dropped EXE
PID:1496 -
\??\c:\hbtbnn.exec:\hbtbnn.exe26⤵
- Executes dropped EXE
PID:908 -
\??\c:\3dpvd.exec:\3dpvd.exe27⤵
- Executes dropped EXE
PID:2460 -
\??\c:\nhbnbb.exec:\nhbnbb.exe28⤵
- Executes dropped EXE
PID:2356 -
\??\c:\vvpvj.exec:\vvpvj.exe29⤵
- Executes dropped EXE
PID:292 -
\??\c:\9nbhhh.exec:\9nbhhh.exe30⤵
- Executes dropped EXE
PID:1744 -
\??\c:\btnbtt.exec:\btnbtt.exe31⤵
- Executes dropped EXE
PID:1364 -
\??\c:\jjddp.exec:\jjddp.exe32⤵
- Executes dropped EXE
PID:1592 -
\??\c:\lfxfllr.exec:\lfxfllr.exe33⤵
- Executes dropped EXE
PID:2112 -
\??\c:\dvvjj.exec:\dvvjj.exe34⤵
- Executes dropped EXE
PID:2364 -
\??\c:\dvvpv.exec:\dvvpv.exe35⤵
- Executes dropped EXE
PID:2372 -
\??\c:\rllxlrx.exec:\rllxlrx.exe36⤵
- Executes dropped EXE
PID:2360 -
\??\c:\tttthh.exec:\tttthh.exe37⤵
- Executes dropped EXE
PID:2292 -
\??\c:\3jpvd.exec:\3jpvd.exe38⤵
- Executes dropped EXE
PID:2472 -
\??\c:\ffxfxxf.exec:\ffxfxxf.exe39⤵
- Executes dropped EXE
PID:2820 -
\??\c:\xrlrflx.exec:\xrlrflx.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852 -
\??\c:\7nhbnh.exec:\7nhbnh.exe41⤵
- Executes dropped EXE
PID:2780 -
\??\c:\7htntt.exec:\7htntt.exe42⤵
- Executes dropped EXE
PID:2632 -
\??\c:\jdvvj.exec:\jdvvj.exe43⤵
- Executes dropped EXE
PID:2732 -
\??\c:\lfrrxfl.exec:\lfrrxfl.exe44⤵
- Executes dropped EXE
PID:1908 -
\??\c:\tbtbnt.exec:\tbtbnt.exe45⤵
- Executes dropped EXE
PID:2640 -
\??\c:\nnbnbb.exec:\nnbnbb.exe46⤵
- Executes dropped EXE
PID:3052 -
\??\c:\vvpvp.exec:\vvpvp.exe47⤵
- Executes dropped EXE
PID:1712 -
\??\c:\xlrrllr.exec:\xlrrllr.exe48⤵
- Executes dropped EXE
PID:1956 -
\??\c:\1bbtht.exec:\1bbtht.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1432 -
\??\c:\htthbh.exec:\htthbh.exe50⤵
- Executes dropped EXE
PID:2312 -
\??\c:\dpddp.exec:\dpddp.exe51⤵
- Executes dropped EXE
PID:2776 -
\??\c:\rxrxxxr.exec:\rxrxxxr.exe52⤵
- Executes dropped EXE
PID:2476 -
\??\c:\hhtnbt.exec:\hhtnbt.exe53⤵
- Executes dropped EXE
PID:1252 -
\??\c:\3nbttb.exec:\3nbttb.exe54⤵
- Executes dropped EXE
PID:1612 -
\??\c:\1pdvp.exec:\1pdvp.exe55⤵
- Executes dropped EXE
PID:3068 -
\??\c:\5lxflrx.exec:\5lxflrx.exe56⤵
- Executes dropped EXE
PID:2212 -
\??\c:\nhttbb.exec:\nhttbb.exe57⤵
- Executes dropped EXE
PID:2448 -
\??\c:\ddpvv.exec:\ddpvv.exe58⤵
- Executes dropped EXE
PID:2132 -
\??\c:\dppvj.exec:\dppvj.exe59⤵
- Executes dropped EXE
PID:1100 -
\??\c:\lllrxxl.exec:\lllrxxl.exe60⤵
- Executes dropped EXE
PID:1128 -
\??\c:\nhnnhn.exec:\nhnnhn.exe61⤵
- Executes dropped EXE
PID:1276 -
\??\c:\ppdjv.exec:\ppdjv.exe62⤵
- Executes dropped EXE
PID:2528 -
\??\c:\vpjpv.exec:\vpjpv.exe63⤵
- Executes dropped EXE
PID:1480 -
\??\c:\lxlrxxl.exec:\lxlrxxl.exe64⤵
- Executes dropped EXE
PID:344 -
\??\c:\nhhhtb.exec:\nhhhtb.exe65⤵
- Executes dropped EXE
PID:304 -
\??\c:\nhtbth.exec:\nhtbth.exe66⤵PID:1800
-
\??\c:\1vjpd.exec:\1vjpd.exe67⤵PID:2356
-
\??\c:\rfrrxff.exec:\rfrrxff.exe68⤵PID:2344
-
\??\c:\hnntbn.exec:\hnntbn.exe69⤵PID:600
-
\??\c:\pdvdp.exec:\pdvdp.exe70⤵PID:2488
-
\??\c:\jdppp.exec:\jdppp.exe71⤵PID:332
-
\??\c:\xffrxxr.exec:\xffrxxr.exe72⤵
- System Location Discovery: System Language Discovery
PID:1584 -
\??\c:\htttbt.exec:\htttbt.exe73⤵PID:996
-
\??\c:\jjjjv.exec:\jjjjv.exe74⤵PID:1984
-
\??\c:\3fllllx.exec:\3fllllx.exe75⤵PID:1648
-
\??\c:\7fxfxxl.exec:\7fxfxxl.exe76⤵PID:2688
-
\??\c:\nbnhnb.exec:\nbnhnb.exe77⤵PID:2360
-
\??\c:\vvpvv.exec:\vvpvv.exe78⤵PID:2736
-
\??\c:\flxxlfx.exec:\flxxlfx.exe79⤵PID:2724
-
\??\c:\bnbnhn.exec:\bnbnhn.exe80⤵PID:2796
-
\??\c:\ttnbht.exec:\ttnbht.exe81⤵PID:2332
-
\??\c:\pjjdd.exec:\pjjdd.exe82⤵PID:2764
-
\??\c:\ddvvp.exec:\ddvvp.exe83⤵
- System Location Discovery: System Language Discovery
PID:2592 -
\??\c:\lxfrxxf.exec:\lxfrxxf.exe84⤵PID:2644
-
\??\c:\9bttnn.exec:\9bttnn.exe85⤵PID:2648
-
\??\c:\7pjpd.exec:\7pjpd.exe86⤵PID:636
-
\??\c:\ppvdd.exec:\ppvdd.exe87⤵PID:1324
-
\??\c:\rlflflr.exec:\rlflflr.exe88⤵PID:2468
-
\??\c:\nnhhnt.exec:\nnhhnt.exe89⤵PID:1956
-
\??\c:\bntntb.exec:\bntntb.exe90⤵PID:2664
-
\??\c:\vddpd.exec:\vddpd.exe91⤵PID:2312
-
\??\c:\5fxrrrf.exec:\5fxrrrf.exe92⤵PID:1620
-
\??\c:\llrrflr.exec:\llrrflr.exe93⤵PID:2036
-
\??\c:\hthnbb.exec:\hthnbb.exe94⤵PID:2144
-
\??\c:\5pjdj.exec:\5pjdj.exe95⤵PID:2128
-
\??\c:\jvjvj.exec:\jvjvj.exe96⤵PID:2260
-
\??\c:\rllflxl.exec:\rllflxl.exe97⤵PID:2208
-
\??\c:\7btntt.exec:\7btntt.exe98⤵PID:1704
-
\??\c:\jjdjv.exec:\jjdjv.exe99⤵PID:2556
-
\??\c:\3jpjv.exec:\3jpjv.exe100⤵PID:2136
-
\??\c:\ffxlxxf.exec:\ffxlxxf.exe101⤵PID:2080
-
\??\c:\ntbbbh.exec:\ntbbbh.exe102⤵PID:284
-
\??\c:\bnhbhb.exec:\bnhbhb.exe103⤵PID:1944
-
\??\c:\9jpdd.exec:\9jpdd.exe104⤵PID:1480
-
\??\c:\llflrfr.exec:\llflrfr.exe105⤵PID:1576
-
\??\c:\nhtthb.exec:\nhtthb.exe106⤵PID:2324
-
\??\c:\nttnbh.exec:\nttnbh.exe107⤵PID:1484
-
\??\c:\vdvpd.exec:\vdvpd.exe108⤵PID:2016
-
\??\c:\xxrxrxl.exec:\xxrxrxl.exe109⤵PID:2344
-
\??\c:\bbbhtt.exec:\bbbhtt.exe110⤵PID:2244
-
\??\c:\tnntht.exec:\tnntht.exe111⤵PID:596
-
\??\c:\5vpvj.exec:\5vpvj.exe112⤵PID:2088
-
\??\c:\xffflxl.exec:\xffflxl.exe113⤵PID:1688
-
\??\c:\3xlrlrx.exec:\3xlrlrx.exe114⤵PID:2056
-
\??\c:\1hbnnt.exec:\1hbnnt.exe115⤵PID:2912
-
\??\c:\dpjpv.exec:\dpjpv.exe116⤵PID:1648
-
\??\c:\7llrxxl.exec:\7llrxxl.exe117⤵PID:1488
-
\??\c:\hbnbhh.exec:\hbnbhh.exe118⤵PID:2720
-
\??\c:\jdppp.exec:\jdppp.exe119⤵PID:2728
-
\??\c:\jdvdj.exec:\jdvdj.exe120⤵PID:1632
-
\??\c:\lfrxffr.exec:\lfrxffr.exe121⤵PID:2440
-
\??\c:\tntntn.exec:\tntntn.exe122⤵PID:2856