Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 00:59
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe
-
Size
453KB
-
MD5
12fad5f472dce1ce739d894bf33a4508
-
SHA1
49005eb30aee3c24bf8d887948f6da4f401732e0
-
SHA256
9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49
-
SHA512
e79ad33e02dbb27e8041fb6b99d3f568eba06cdafa5a8e1bedcd4292e608c3fa4cb1582f0b86a60bdb0193d15e789e29c7e5bd93788ed75127fe35bb7069f7e2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2356-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/824-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-115-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/3036-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/992-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-391-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1640-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-432-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1432-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1108-471-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2780-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-989-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-1008-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1924-1022-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1924-1021-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-1171-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1768-1193-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the dropped binaries are written to and launched from the drive root, e.g. \??\c:\jjdjv.exe, under randomly generated consonant-only names; note that PIDs are reused within this run — 2356 is both the parent sample and hthnnn.exe, 2320 is both tnhnbt.exe and fxfllxx.exe — so PID-keyed IoCs below must be read together with the event index in the memory-dump names, e.g. 2904-131 vs 2904-1171)
pid Process 2656 jjdjv.exe 2320 tnhnbt.exe 3064 7xllrxx.exe 2148 nnbbnt.exe 824 rxflxxl.exe 2836 9btnnt.exe 2844 xrfxffr.exe 2852 nhnntt.exe 2708 7xxxllr.exe 2576 bhhthn.exe 2652 pjdvd.exe 3036 lfrrxfr.exe 2904 btnbhn.exe 1744 vpvvv.exe 2808 hbnhhb.exe 2564 pdppv.exe 1164 7xllrlx.exe 1312 bbnbhn.exe 2672 jjdvj.exe 2252 7lxrllr.exe 2264 dvjvd.exe 328 fxxrrrr.exe 1140 tthnbb.exe 640 7ddvp.exe 1832 rlrlrlr.exe 992 bnhbbb.exe 1520 dpdvv.exe 1512 rfrllll.exe 2380 1djdv.exe 2164 hthtbt.exe 1060 djdpp.exe 2320 fxfllxx.exe 1788 htbnnt.exe 2152 dpjpd.exe 2712 lxfffff.exe 2680 hbnhnt.exe 2764 3djdv.exe 2612 jpdpj.exe 2944 fxfffxf.exe 1252 1hnntt.exe 2624 hbhbhb.exe 2648 jpdvv.exe 2640 rllflfr.exe 2044 fxxrfrx.exe 1068 1htnnn.exe 2472 7vpjp.exe 1976 vjvpd.exe 1640 lfrfrrx.exe 2872 bthntt.exe 1936 3tntnn.exe 2892 djvvv.exe 1432 xxlflxx.exe 1428 5ttnhh.exe 2228 btbhnn.exe 2268 3pvvp.exe 2216 fxfrxxf.exe 1108 rlxlllf.exe 1760 nbnhhh.exe 632 htnhhb.exe 2556 vjdjv.exe 680 3xrlffl.exe 1320 bttbhn.exe 1672 1tbnnh.exe 2296 9vdvv.exe -
resource yara_rule behavioral1/memory/2356-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-263-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2164-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1068-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-763-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2728-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-856-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-989-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-1008-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1924-1022-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1924-1021-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-1066-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-1091-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-1152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-1193-0x0000000000320000-0x000000000034A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Entries attributed to "Process not Found" are language-key reads whose originating process could no longer be resolved to a named image at reporting time (most likely because the short-lived child had already exited); they should be treated as unattributed rather than as a distinct process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xflxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2656 2356 9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe 30 PID 2356 wrote to memory of 2656 2356 9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe 30 PID 2356 wrote to memory of 2656 2356 9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe 30 PID 2356 wrote to memory of 2656 2356 9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe 30 PID 2656 wrote to memory of 2320 2656 jjdjv.exe 31 PID 2656 wrote to memory of 2320 2656 jjdjv.exe 31 PID 2656 wrote to memory of 2320 2656 jjdjv.exe 31 PID 2656 wrote to memory of 2320 2656 jjdjv.exe 31 PID 2320 wrote to memory of 3064 2320 tnhnbt.exe 32 PID 2320 wrote to memory of 3064 2320 tnhnbt.exe 32 PID 2320 wrote to memory of 3064 2320 tnhnbt.exe 32 PID 2320 wrote to memory of 3064 2320 tnhnbt.exe 32 PID 3064 wrote to memory of 2148 3064 7xllrxx.exe 33 PID 3064 wrote to memory of 2148 3064 7xllrxx.exe 33 PID 3064 wrote to memory of 2148 3064 7xllrxx.exe 33 PID 3064 wrote to memory of 2148 3064 7xllrxx.exe 33 PID 2148 wrote to memory of 824 2148 nnbbnt.exe 34 PID 2148 wrote to memory of 824 2148 nnbbnt.exe 34 PID 2148 wrote to memory of 824 2148 nnbbnt.exe 34 PID 2148 wrote to memory of 824 2148 nnbbnt.exe 34 PID 824 wrote to memory of 2836 824 rxflxxl.exe 35 PID 824 wrote to memory of 2836 824 rxflxxl.exe 35 PID 824 wrote to memory of 2836 824 rxflxxl.exe 35 PID 824 wrote to memory of 2836 824 rxflxxl.exe 35 PID 2836 wrote to memory of 2844 2836 9btnnt.exe 36 PID 2836 wrote to memory of 2844 2836 9btnnt.exe 36 PID 2836 wrote to memory of 2844 2836 9btnnt.exe 36 PID 2836 wrote to memory of 2844 2836 9btnnt.exe 36 PID 2844 wrote to memory of 2852 2844 xrfxffr.exe 37 PID 2844 wrote to memory of 2852 2844 xrfxffr.exe 37 PID 2844 wrote to memory of 2852 2844 xrfxffr.exe 37 PID 2844 wrote to memory of 2852 2844 xrfxffr.exe 37 PID 2852 wrote to memory of 2708 2852 nhnntt.exe 38 PID 2852 wrote to 
memory of 2708 2852 nhnntt.exe 38 PID 2852 wrote to memory of 2708 2852 nhnntt.exe 38 PID 2852 wrote to memory of 2708 2852 nhnntt.exe 38 PID 2708 wrote to memory of 2576 2708 7xxxllr.exe 39 PID 2708 wrote to memory of 2576 2708 7xxxllr.exe 39 PID 2708 wrote to memory of 2576 2708 7xxxllr.exe 39 PID 2708 wrote to memory of 2576 2708 7xxxllr.exe 39 PID 2576 wrote to memory of 2652 2576 bhhthn.exe 40 PID 2576 wrote to memory of 2652 2576 bhhthn.exe 40 PID 2576 wrote to memory of 2652 2576 bhhthn.exe 40 PID 2576 wrote to memory of 2652 2576 bhhthn.exe 40 PID 2652 wrote to memory of 3036 2652 pjdvd.exe 41 PID 2652 wrote to memory of 3036 2652 pjdvd.exe 41 PID 2652 wrote to memory of 3036 2652 pjdvd.exe 41 PID 2652 wrote to memory of 3036 2652 pjdvd.exe 41 PID 3036 wrote to memory of 2904 3036 lfrrxfr.exe 42 PID 3036 wrote to memory of 2904 3036 lfrrxfr.exe 42 PID 3036 wrote to memory of 2904 3036 lfrrxfr.exe 42 PID 3036 wrote to memory of 2904 3036 lfrrxfr.exe 42 PID 2904 wrote to memory of 1744 2904 btnbhn.exe 43 PID 2904 wrote to memory of 1744 2904 btnbhn.exe 43 PID 2904 wrote to memory of 1744 2904 btnbhn.exe 43 PID 2904 wrote to memory of 1744 2904 btnbhn.exe 43 PID 1744 wrote to memory of 2808 1744 vpvvv.exe 44 PID 1744 wrote to memory of 2808 1744 vpvvv.exe 44 PID 1744 wrote to memory of 2808 1744 vpvvv.exe 44 PID 1744 wrote to memory of 2808 1744 vpvvv.exe 44 PID 2808 wrote to memory of 2564 2808 hbnhhb.exe 45 PID 2808 wrote to memory of 2564 2808 hbnhhb.exe 45 PID 2808 wrote to memory of 2564 2808 hbnhhb.exe 45 PID 2808 wrote to memory of 2564 2808 hbnhhb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe"C:\Users\Admin\AppData\Local\Temp\9c3e898b75c2fda2eedf128adbcd891a40d16b2af46cd96c4ac62cf56ce15c49.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\jjdjv.exec:\jjdjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\tnhnbt.exec:\tnhnbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\7xllrxx.exec:\7xllrxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\nnbbnt.exec:\nnbbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\rxflxxl.exec:\rxflxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\9btnnt.exec:\9btnnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\xrfxffr.exec:\xrfxffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\nhnntt.exec:\nhnntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\7xxxllr.exec:\7xxxllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\bhhthn.exec:\bhhthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\pjdvd.exec:\pjdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\lfrrxfr.exec:\lfrrxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\btnbhn.exec:\btnbhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\vpvvv.exec:\vpvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\hbnhhb.exec:\hbnhhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\pdppv.exec:\pdppv.exe17⤵
- Executes dropped EXE
PID:2564 -
\??\c:\7xllrlx.exec:\7xllrlx.exe18⤵
- Executes dropped EXE
PID:1164 -
\??\c:\bbnbhn.exec:\bbnbhn.exe19⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jjdvj.exec:\jjdvj.exe20⤵
- Executes dropped EXE
PID:2672 -
\??\c:\7lxrllr.exec:\7lxrllr.exe21⤵
- Executes dropped EXE
PID:2252 -
\??\c:\dvjvd.exec:\dvjvd.exe22⤵
- Executes dropped EXE
PID:2264 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe23⤵
- Executes dropped EXE
PID:328 -
\??\c:\tthnbb.exec:\tthnbb.exe24⤵
- Executes dropped EXE
PID:1140 -
\??\c:\7ddvp.exec:\7ddvp.exe25⤵
- Executes dropped EXE
PID:640 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe26⤵
- Executes dropped EXE
PID:1832 -
\??\c:\bnhbbb.exec:\bnhbbb.exe27⤵
- Executes dropped EXE
PID:992 -
\??\c:\dpdvv.exec:\dpdvv.exe28⤵
- Executes dropped EXE
PID:1520 -
\??\c:\rfrllll.exec:\rfrllll.exe29⤵
- Executes dropped EXE
PID:1512 -
\??\c:\1djdv.exec:\1djdv.exe30⤵
- Executes dropped EXE
PID:2380 -
\??\c:\hthtbt.exec:\hthtbt.exe31⤵
- Executes dropped EXE
PID:2164 -
\??\c:\djdpp.exec:\djdpp.exe32⤵
- Executes dropped EXE
PID:1060 -
\??\c:\fxfllxx.exec:\fxfllxx.exe33⤵
- Executes dropped EXE
PID:2320 -
\??\c:\htbnnt.exec:\htbnnt.exe34⤵
- Executes dropped EXE
PID:1788 -
\??\c:\dpjpd.exec:\dpjpd.exe35⤵
- Executes dropped EXE
PID:2152 -
\??\c:\lxfffff.exec:\lxfffff.exe36⤵
- Executes dropped EXE
PID:2712 -
\??\c:\hbnhnt.exec:\hbnhnt.exe37⤵
- Executes dropped EXE
PID:2680 -
\??\c:\3djdv.exec:\3djdv.exe38⤵
- Executes dropped EXE
PID:2764 -
\??\c:\jpdpj.exec:\jpdpj.exe39⤵
- Executes dropped EXE
PID:2612 -
\??\c:\fxfffxf.exec:\fxfffxf.exe40⤵
- Executes dropped EXE
PID:2944 -
\??\c:\1hnntt.exec:\1hnntt.exe41⤵
- Executes dropped EXE
PID:1252 -
\??\c:\hbhbhb.exec:\hbhbhb.exe42⤵
- Executes dropped EXE
PID:2624 -
\??\c:\jpdvv.exec:\jpdvv.exe43⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rllflfr.exec:\rllflfr.exe44⤵
- Executes dropped EXE
PID:2640 -
\??\c:\fxxrfrx.exec:\fxxrfrx.exe45⤵
- Executes dropped EXE
PID:2044 -
\??\c:\1htnnn.exec:\1htnnn.exe46⤵
- Executes dropped EXE
PID:1068 -
\??\c:\7vpjp.exec:\7vpjp.exe47⤵
- Executes dropped EXE
PID:2472 -
\??\c:\vjvpd.exec:\vjvpd.exe48⤵
- Executes dropped EXE
PID:1976 -
\??\c:\lfrfrrx.exec:\lfrfrrx.exe49⤵
- Executes dropped EXE
PID:1640 -
\??\c:\bthntt.exec:\bthntt.exe50⤵
- Executes dropped EXE
PID:2872 -
\??\c:\3tntnn.exec:\3tntnn.exe51⤵
- Executes dropped EXE
PID:1936 -
\??\c:\djvvv.exec:\djvvv.exe52⤵
- Executes dropped EXE
PID:2892 -
\??\c:\xxlflxx.exec:\xxlflxx.exe53⤵
- Executes dropped EXE
PID:1432 -
\??\c:\5ttnhh.exec:\5ttnhh.exe54⤵
- Executes dropped EXE
PID:1428 -
\??\c:\btbhnn.exec:\btbhnn.exe55⤵
- Executes dropped EXE
PID:2228 -
\??\c:\3pvvp.exec:\3pvvp.exe56⤵
- Executes dropped EXE
PID:2268 -
\??\c:\fxfrxxf.exec:\fxfrxxf.exe57⤵
- Executes dropped EXE
PID:2216 -
\??\c:\rlxlllf.exec:\rlxlllf.exe58⤵
- Executes dropped EXE
PID:1108 -
\??\c:\nbnhhh.exec:\nbnhhh.exe59⤵
- Executes dropped EXE
PID:1760 -
\??\c:\htnhhb.exec:\htnhhb.exe60⤵
- Executes dropped EXE
PID:632 -
\??\c:\vjdjv.exec:\vjdjv.exe61⤵
- Executes dropped EXE
PID:2556 -
\??\c:\3xrlffl.exec:\3xrlffl.exe62⤵
- Executes dropped EXE
PID:680 -
\??\c:\bttbhn.exec:\bttbhn.exe63⤵
- Executes dropped EXE
PID:1320 -
\??\c:\1tbnnh.exec:\1tbnnh.exe64⤵
- Executes dropped EXE
PID:1672 -
\??\c:\9vdvv.exec:\9vdvv.exe65⤵
- Executes dropped EXE
PID:2296 -
\??\c:\xrlxxfl.exec:\xrlxxfl.exe66⤵
- System Location Discovery: System Language Discovery
PID:1508 -
\??\c:\bthhtt.exec:\bthhtt.exe67⤵PID:884
-
\??\c:\hthnnn.exec:\hthnnn.exe68⤵PID:2356
-
\??\c:\pjpvd.exec:\pjpvd.exe69⤵PID:592
-
\??\c:\9xllfff.exec:\9xllfff.exe70⤵PID:2996
-
\??\c:\lfffflr.exec:\lfffflr.exe71⤵PID:3012
-
\??\c:\3nnhhb.exec:\3nnhhb.exe72⤵PID:2860
-
\??\c:\vjddj.exec:\vjddj.exe73⤵PID:3052
-
\??\c:\5vvpv.exec:\5vvpv.exe74⤵PID:1056
-
\??\c:\frlfffr.exec:\frlfffr.exe75⤵PID:2720
-
\??\c:\nhbnbb.exec:\nhbnbb.exe76⤵PID:2780
-
\??\c:\5nnnnn.exec:\5nnnnn.exe77⤵PID:2676
-
\??\c:\jvdvv.exec:\jvdvv.exe78⤵PID:2960
-
\??\c:\pjvpj.exec:\pjvpj.exe79⤵PID:2920
-
\??\c:\rrlxlfr.exec:\rrlxlfr.exe80⤵PID:2852
-
\??\c:\nhnttt.exec:\nhnttt.exe81⤵PID:2792
-
\??\c:\nbhhnh.exec:\nbhhnh.exe82⤵PID:2596
-
\??\c:\9jdjd.exec:\9jdjd.exe83⤵PID:3060
-
\??\c:\llrrxxx.exec:\llrrxxx.exe84⤵PID:1440
-
\??\c:\nhtbhh.exec:\nhtbhh.exe85⤵
- System Location Discovery: System Language Discovery
PID:3028 -
\??\c:\3bhhhh.exec:\3bhhhh.exe86⤵PID:868
-
\??\c:\jvjvj.exec:\jvjvj.exe87⤵PID:1540
-
\??\c:\rflfrrr.exec:\rflfrrr.exe88⤵PID:1144
-
\??\c:\fxllrxl.exec:\fxllrxl.exe89⤵PID:888
-
\??\c:\9httnn.exec:\9httnn.exe90⤵PID:2080
-
\??\c:\ppjdp.exec:\ppjdp.exe91⤵PID:2564
-
\??\c:\ppjpv.exec:\ppjpv.exe92⤵PID:1768
-
\??\c:\rlxfllr.exec:\rlxfllr.exe93⤵PID:2012
-
\??\c:\nhthnn.exec:\nhthnn.exe94⤵PID:2528
-
\??\c:\nhbhth.exec:\nhbhth.exe95⤵PID:1312
-
\??\c:\5pddj.exec:\5pddj.exe96⤵PID:2228
-
\??\c:\rrxxllr.exec:\rrxxllr.exe97⤵PID:2400
-
\??\c:\rlfrxxl.exec:\rlfrxxl.exe98⤵PID:2264
-
\??\c:\nnhbnb.exec:\nnhbnb.exe99⤵PID:1872
-
\??\c:\1pdjj.exec:\1pdjj.exe100⤵PID:2288
-
\??\c:\jdvvd.exec:\jdvvd.exe101⤵PID:1776
-
\??\c:\rllrrxl.exec:\rllrrxl.exe102⤵PID:988
-
\??\c:\tthnbb.exec:\tthnbb.exe103⤵PID:352
-
\??\c:\hbhnbt.exec:\hbhnbt.exe104⤵PID:1320
-
\??\c:\vppdj.exec:\vppdj.exe105⤵PID:2312
-
\??\c:\rrllrrr.exec:\rrllrrr.exe106⤵PID:744
-
\??\c:\nnbhnt.exec:\nnbhnt.exe107⤵PID:896
-
\??\c:\thhbhh.exec:\thhbhh.exe108⤵PID:2108
-
\??\c:\jddpv.exec:\jddpv.exe109⤵PID:1608
-
\??\c:\lfrxllr.exec:\lfrxllr.exe110⤵PID:592
-
\??\c:\5xlxrxl.exec:\5xlxrxl.exe111⤵PID:2656
-
\??\c:\btbhtt.exec:\btbhtt.exe112⤵PID:2016
-
\??\c:\7dvvd.exec:\7dvvd.exe113⤵PID:2196
-
\??\c:\xfrfxff.exec:\xfrfxff.exe114⤵PID:1156
-
\??\c:\rlxflrr.exec:\rlxflrr.exe115⤵PID:2768
-
\??\c:\nnbnbb.exec:\nnbnbb.exe116⤵PID:2404
-
\??\c:\vjdjp.exec:\vjdjp.exe117⤵PID:2728
-
\??\c:\ddppv.exec:\ddppv.exe118⤵PID:2716
-
\??\c:\xfflrrf.exec:\xfflrrf.exe119⤵PID:2732
-
\??\c:\ththhb.exec:\ththhb.exe120⤵PID:3056
-
\??\c:\dvvjv.exec:\dvvjv.exe121⤵PID:2684
-
\??\c:\dpddj.exec:\dpddj.exe122⤵PID:2588
-