Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 17:50
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
f87173c4e311062c42855c09d935a60a79ed4544b819d1815b4acb4913455011N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
f87173c4e311062c42855c09d935a60a79ed4544b819d1815b4acb4913455011N.exe
-
Size
454KB
-
MD5
e96aa6274dd1fcd9779b1c46a0165d60
-
SHA1
24cf6e4628b0aee9a3fb9740d37c0a2db68a738f
-
SHA256
f87173c4e311062c42855c09d935a60a79ed4544b819d1815b4acb4913455011
-
SHA512
c114f20298b494d9bb338b44ea8fd84f659346b6d7ea02f4695b9e404c0283ed57ff4a6b3134fb7fcfa7d10205f6013cb6867e02b59eab10f4d787245d1af4e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/3024-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-67-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2852-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-86-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2688-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-160-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1968-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/108-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-289-0x00000000771F0000-0x000000007730F000-memory.dmp family_blackmoon behavioral1/memory/1996-290-0x0000000077310000-0x000000007740A000-memory.dmp family_blackmoon behavioral1/memory/2268-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-312-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3008-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-534-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1656-570-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1584-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-640-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2972-659-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1664-690-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2608-729-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2400-735-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon 
behavioral1/memory/2868-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-803-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1576-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-868-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2480-875-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2572-940-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2388-977-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3020 vpjdj.exe 572 1flrxxf.exe 2156 nbnbht.exe 2660 lrllxfl.exe 2784 jdvdj.exe 2676 pjdjj.exe 2852 7btnbh.exe 2792 pdpjp.exe 2624 xrflflf.exe 2688 nnhnbb.exe 2980 lllrfrx.exe 1284 thbhnt.exe 2468 ffflffr.exe 1704 bnhtbt.exe 1040 rlflxxx.exe 2408 ththnh.exe 1968 pjvjp.exe 884 hbthhn.exe 380 vpvpp.exe 2248 bbnntb.exe 2200 vdvjd.exe 2052 lflllfr.exe 892 nnhnbh.exe 1364 jdvdp.exe 1964 7llfrxf.exe 108 vvpjj.exe 1728 lxrrflr.exe 580 9ttbbb.exe 2100 pjdpd.exe 1616 xrxfllx.exe 1996 9btttt.exe 2648 hnbtbb.exe 2268 3bbhhn.exe 1736 5vpdv.exe 2696 fflxrfr.exe 2776 1lxxlrf.exe 2812 nntbht.exe 2784 jppdp.exe 2720 dvjpv.exe 2888 fxflxfr.exe 3008 9rlfrrx.exe 2596 hhbnbh.exe 2572 jdpvd.exe 3012 vppvd.exe 2360 7rlxlrf.exe 2224 bbnttb.exe 2104 bthhnn.exe 2508 dpjvp.exe 596 3rrrlrx.exe 1632 5nhnhh.exe 1796 thbbnh.exe 1436 pjdpj.exe 2408 xlflllx.exe 1984 lrflxlx.exe 2044 thbbnn.exe 2012 3nhhnh.exe 2272 7dpvj.exe 2868 7rxrxxl.exe 2200 3lrrxxl.exe 584 bthhtb.exe 1504 hbhnbb.exe 1864 pvpjv.exe 648 xlflrlx.exe 2544 tnbntt.exe -
resource yara_rule behavioral1/memory/3024-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-250-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/580-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-795-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/780-803-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2152-810-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1576-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-868-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2480-875-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/2836-882-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2388-977-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim (here by opening the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3024 wrote to memory of 3020 3024 f87173c4e311062c42855c09d935a60a79ed4544b819d1815b4acb4913455011N.exe 31 PID 3024 wrote to memory of 3020 3024 f87173c4e311062c42855c09d935a60a79ed4544b819d1815b4acb4913455011N.exe 31 PID 3024 wrote to memory of 3020 3024 f87173c4e311062c42855c09d935a60a79ed4544b819d1815b4acb4913455011N.exe 31 PID 3024 wrote to memory of 3020 3024 f87173c4e311062c42855c09d935a60a79ed4544b819d1815b4acb4913455011N.exe 31 PID 3020 wrote to memory of 572 3020 vpjdj.exe 32 PID 3020 wrote to memory of 572 3020 vpjdj.exe 32 PID 3020 wrote to memory of 572 3020 vpjdj.exe 32 PID 3020 wrote to memory of 572 3020 vpjdj.exe 32 PID 572 wrote to memory of 2156 572 1flrxxf.exe 33 PID 572 wrote to memory of 2156 572 1flrxxf.exe 33 PID 572 wrote to memory of 2156 572 1flrxxf.exe 33 PID 572 wrote to memory of 2156 572 1flrxxf.exe 33 PID 2156 wrote to memory of 2660 2156 nbnbht.exe 34 PID 2156 wrote to memory of 2660 2156 nbnbht.exe 34 PID 2156 wrote to memory of 2660 2156 nbnbht.exe 34 PID 2156 wrote to memory of 2660 2156 nbnbht.exe 34 PID 2660 wrote to memory of 2784 2660 lrllxfl.exe 35 PID 2660 wrote to memory of 2784 2660 lrllxfl.exe 35 PID 2660 wrote to memory of 2784 2660 lrllxfl.exe 35 PID 2660 wrote to memory of 2784 2660 lrllxfl.exe 35 PID 2784 wrote to memory of 2676 2784 jdvdj.exe 36 PID 2784 wrote to memory of 2676 2784 jdvdj.exe 36 PID 2784 wrote to memory of 2676 2784 jdvdj.exe 36 PID 2784 wrote to memory of 2676 2784 jdvdj.exe 36 PID 2676 wrote to memory of 2852 2676 pjdjj.exe 37 PID 2676 wrote to memory of 2852 2676 pjdjj.exe 37 PID 2676 wrote to memory of 2852 2676 pjdjj.exe 37 PID 2676 wrote to memory of 2852 2676 pjdjj.exe 37 PID 2852 wrote to memory of 2792 2852 7btnbh.exe 38 PID 2852 wrote to memory of 2792 2852 7btnbh.exe 38 PID 2852 wrote to memory of 2792 2852 7btnbh.exe 38 PID 2852 wrote to memory of 2792 2852 7btnbh.exe 38 PID 2792 wrote to memory of 2624 2792 pdpjp.exe 39 PID 2792 wrote to memory 
of 2624 2792 pdpjp.exe 39 PID 2792 wrote to memory of 2624 2792 pdpjp.exe 39 PID 2792 wrote to memory of 2624 2792 pdpjp.exe 39 PID 2624 wrote to memory of 2688 2624 xrflflf.exe 40 PID 2624 wrote to memory of 2688 2624 xrflflf.exe 40 PID 2624 wrote to memory of 2688 2624 xrflflf.exe 40 PID 2624 wrote to memory of 2688 2624 xrflflf.exe 40 PID 2688 wrote to memory of 2980 2688 nnhnbb.exe 41 PID 2688 wrote to memory of 2980 2688 nnhnbb.exe 41 PID 2688 wrote to memory of 2980 2688 nnhnbb.exe 41 PID 2688 wrote to memory of 2980 2688 nnhnbb.exe 41 PID 2980 wrote to memory of 1284 2980 lllrfrx.exe 42 PID 2980 wrote to memory of 1284 2980 lllrfrx.exe 42 PID 2980 wrote to memory of 1284 2980 lllrfrx.exe 42 PID 2980 wrote to memory of 1284 2980 lllrfrx.exe 42 PID 1284 wrote to memory of 2468 1284 thbhnt.exe 43 PID 1284 wrote to memory of 2468 1284 thbhnt.exe 43 PID 1284 wrote to memory of 2468 1284 thbhnt.exe 43 PID 1284 wrote to memory of 2468 1284 thbhnt.exe 43 PID 2468 wrote to memory of 1704 2468 ffflffr.exe 44 PID 2468 wrote to memory of 1704 2468 ffflffr.exe 44 PID 2468 wrote to memory of 1704 2468 ffflffr.exe 44 PID 2468 wrote to memory of 1704 2468 ffflffr.exe 44 PID 1704 wrote to memory of 1040 1704 bnhtbt.exe 45 PID 1704 wrote to memory of 1040 1704 bnhtbt.exe 45 PID 1704 wrote to memory of 1040 1704 bnhtbt.exe 45 PID 1704 wrote to memory of 1040 1704 bnhtbt.exe 45 PID 1040 wrote to memory of 2408 1040 rlflxxx.exe 46 PID 1040 wrote to memory of 2408 1040 rlflxxx.exe 46 PID 1040 wrote to memory of 2408 1040 rlflxxx.exe 46 PID 1040 wrote to memory of 2408 1040 rlflxxx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\f87173c4e311062c42855c09d935a60a79ed4544b819d1815b4acb4913455011N.exe"C:\Users\Admin\AppData\Local\Temp\f87173c4e311062c42855c09d935a60a79ed4544b819d1815b4acb4913455011N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\vpjdj.exec:\vpjdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\1flrxxf.exec:\1flrxxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\nbnbht.exec:\nbnbht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\lrllxfl.exec:\lrllxfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\jdvdj.exec:\jdvdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\pjdjj.exec:\pjdjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\7btnbh.exec:\7btnbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\pdpjp.exec:\pdpjp.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\xrflflf.exec:\xrflflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\nnhnbb.exec:\nnhnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\lllrfrx.exec:\lllrfrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\thbhnt.exec:\thbhnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\ffflffr.exec:\ffflffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\bnhtbt.exec:\bnhtbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\rlflxxx.exec:\rlflxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\ththnh.exec:\ththnh.exe17⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pjvjp.exec:\pjvjp.exe18⤵
- Executes dropped EXE
PID:1968 -
\??\c:\hbthhn.exec:\hbthhn.exe19⤵
- Executes dropped EXE
PID:884 -
\??\c:\vpvpp.exec:\vpvpp.exe20⤵
- Executes dropped EXE
PID:380 -
\??\c:\bbnntb.exec:\bbnntb.exe21⤵
- Executes dropped EXE
PID:2248 -
\??\c:\vdvjd.exec:\vdvjd.exe22⤵
- Executes dropped EXE
PID:2200 -
\??\c:\lflllfr.exec:\lflllfr.exe23⤵
- Executes dropped EXE
PID:2052 -
\??\c:\nnhnbh.exec:\nnhnbh.exe24⤵
- Executes dropped EXE
PID:892 -
\??\c:\jdvdp.exec:\jdvdp.exe25⤵
- Executes dropped EXE
PID:1364 -
\??\c:\7llfrxf.exec:\7llfrxf.exe26⤵
- Executes dropped EXE
PID:1964 -
\??\c:\vvpjj.exec:\vvpjj.exe27⤵
- Executes dropped EXE
PID:108 -
\??\c:\lxrrflr.exec:\lxrrflr.exe28⤵
- Executes dropped EXE
PID:1728 -
\??\c:\9ttbbb.exec:\9ttbbb.exe29⤵
- Executes dropped EXE
PID:580 -
\??\c:\pjdpd.exec:\pjdpd.exe30⤵
- Executes dropped EXE
PID:2100 -
\??\c:\xrxfllx.exec:\xrxfllx.exe31⤵
- Executes dropped EXE
PID:1616 -
\??\c:\9btttt.exec:\9btttt.exe32⤵
- Executes dropped EXE
PID:1996 -
\??\c:\3vpvv.exec:\3vpvv.exe33⤵PID:1588
-
\??\c:\hnbtbb.exec:\hnbtbb.exe34⤵
- Executes dropped EXE
PID:2648 -
\??\c:\3bbhhn.exec:\3bbhhn.exe35⤵
- Executes dropped EXE
PID:2268 -
\??\c:\5vpdv.exec:\5vpdv.exe36⤵
- Executes dropped EXE
PID:1736 -
\??\c:\fflxrfr.exec:\fflxrfr.exe37⤵
- Executes dropped EXE
PID:2696 -
\??\c:\1lxxlrf.exec:\1lxxlrf.exe38⤵
- Executes dropped EXE
PID:2776 -
\??\c:\nntbht.exec:\nntbht.exe39⤵
- Executes dropped EXE
PID:2812 -
\??\c:\jppdp.exec:\jppdp.exe40⤵
- Executes dropped EXE
PID:2784 -
\??\c:\dvjpv.exec:\dvjpv.exe41⤵
- Executes dropped EXE
PID:2720 -
\??\c:\fxflxfr.exec:\fxflxfr.exe42⤵
- Executes dropped EXE
PID:2888 -
\??\c:\9rlfrrx.exec:\9rlfrrx.exe43⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hhbnbh.exec:\hhbnbh.exe44⤵
- Executes dropped EXE
PID:2596 -
\??\c:\jdpvd.exec:\jdpvd.exe45⤵
- Executes dropped EXE
PID:2572 -
\??\c:\vppvd.exec:\vppvd.exe46⤵
- Executes dropped EXE
PID:3012 -
\??\c:\7rlxlrf.exec:\7rlxlrf.exe47⤵
- Executes dropped EXE
PID:2360 -
\??\c:\bbnttb.exec:\bbnttb.exe48⤵
- Executes dropped EXE
PID:2224 -
\??\c:\bthhnn.exec:\bthhnn.exe49⤵
- Executes dropped EXE
PID:2104 -
\??\c:\dpjvp.exec:\dpjvp.exe50⤵
- Executes dropped EXE
PID:2508 -
\??\c:\3rrrlrx.exec:\3rrrlrx.exe51⤵
- Executes dropped EXE
PID:596 -
\??\c:\5nhnhh.exec:\5nhnhh.exe52⤵
- Executes dropped EXE
PID:1632 -
\??\c:\thbbnh.exec:\thbbnh.exe53⤵
- Executes dropped EXE
PID:1796 -
\??\c:\pjdpj.exec:\pjdpj.exe54⤵
- Executes dropped EXE
PID:1436 -
\??\c:\xlflllx.exec:\xlflllx.exe55⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lrflxlx.exec:\lrflxlx.exe56⤵
- Executes dropped EXE
PID:1984 -
\??\c:\thbbnn.exec:\thbbnn.exe57⤵
- Executes dropped EXE
PID:2044 -
\??\c:\3nhhnh.exec:\3nhhnh.exe58⤵
- Executes dropped EXE
PID:2012 -
\??\c:\7dpvj.exec:\7dpvj.exe59⤵
- Executes dropped EXE
PID:2272 -
\??\c:\7rxrxxl.exec:\7rxrxxl.exe60⤵
- Executes dropped EXE
PID:2868 -
\??\c:\3lrrxxl.exec:\3lrrxxl.exe61⤵
- Executes dropped EXE
PID:2200 -
\??\c:\bthhtb.exec:\bthhtb.exe62⤵
- Executes dropped EXE
PID:584 -
\??\c:\hbhnbb.exec:\hbhnbb.exe63⤵
- Executes dropped EXE
PID:1504 -
\??\c:\pvpjv.exec:\pvpjv.exe64⤵
- Executes dropped EXE
PID:1864 -
\??\c:\xlflrlx.exec:\xlflrlx.exe65⤵
- Executes dropped EXE
PID:648 -
\??\c:\tnbntt.exec:\tnbntt.exe66⤵
- Executes dropped EXE
PID:2544 -
\??\c:\btbttt.exec:\btbttt.exe67⤵PID:1800
-
\??\c:\1dpvj.exec:\1dpvj.exe68⤵PID:1812
-
\??\c:\xrlrfrf.exec:\xrlrfrf.exe69⤵PID:2068
-
\??\c:\rlfrlrr.exec:\rlfrlrr.exe70⤵PID:2128
-
\??\c:\hbhhbb.exec:\hbhhbb.exe71⤵PID:1656
-
\??\c:\jdpvd.exec:\jdpvd.exe72⤵PID:1960
-
\??\c:\7fxxffx.exec:\7fxxffx.exe73⤵PID:936
-
\??\c:\tnbbhh.exec:\tnbbhh.exe74⤵PID:1584
-
\??\c:\9bnhnn.exec:\9bnhnn.exe75⤵PID:1512
-
\??\c:\dvvvj.exec:\dvvvj.exe76⤵PID:2480
-
\??\c:\1dpdj.exec:\1dpdj.exe77⤵PID:2000
-
\??\c:\rfrllll.exec:\rfrllll.exe78⤵PID:2120
-
\??\c:\lfxxxxf.exec:\lfxxxxf.exe79⤵PID:2696
-
\??\c:\tnhntt.exec:\tnhntt.exe80⤵PID:2712
-
\??\c:\7pvjp.exec:\7pvjp.exe81⤵PID:2708
-
\??\c:\jdjjp.exec:\jdjjp.exe82⤵PID:2700
-
\??\c:\5rfxxff.exec:\5rfxxff.exe83⤵PID:2716
-
\??\c:\lxxfxxf.exec:\lxxfxxf.exe84⤵PID:2732
-
\??\c:\5tthbh.exec:\5tthbh.exe85⤵PID:2592
-
\??\c:\3btthn.exec:\3btthn.exe86⤵PID:2832
-
\??\c:\jdjjp.exec:\jdjjp.exe87⤵PID:1992
-
\??\c:\fxllxxf.exec:\fxllxxf.exe88⤵PID:2972
-
\??\c:\7rlrxxx.exec:\7rlrxxx.exe89⤵PID:2360
-
\??\c:\tnbhht.exec:\tnbhht.exe90⤵PID:1684
-
\??\c:\9nntnn.exec:\9nntnn.exe91⤵PID:2104
-
\??\c:\3vjjp.exec:\3vjjp.exe92⤵PID:2508
-
\??\c:\pvvjp.exec:\pvvjp.exe93⤵PID:1664
-
\??\c:\xxrxllf.exec:\xxrxllf.exe94⤵PID:1556
-
\??\c:\5lxffxf.exec:\5lxffxf.exe95⤵PID:1408
-
\??\c:\tnbhhh.exec:\tnbhhh.exe96⤵PID:1296
-
\??\c:\tnnntn.exec:\tnnntn.exe97⤵PID:1608
-
\??\c:\3jppv.exec:\3jppv.exe98⤵PID:1144
-
\??\c:\5flflxx.exec:\5flflxx.exe99⤵PID:2608
-
\??\c:\lfrxxxl.exec:\lfrxxxl.exe100⤵PID:2400
-
\??\c:\nbnntt.exec:\nbnntt.exe101⤵PID:2092
-
\??\c:\vpvjv.exec:\vpvjv.exe102⤵PID:2868
-
\??\c:\pjvvv.exec:\pjvvv.exe103⤵PID:2200
-
\??\c:\frllrrf.exec:\frllrrf.exe104⤵PID:1560
-
\??\c:\7rlllll.exec:\7rlllll.exe105⤵PID:1720
-
\??\c:\nnhhtt.exec:\nnhhtt.exe106⤵PID:3036
-
\??\c:\jvjvv.exec:\jvjvv.exe107⤵PID:2072
-
\??\c:\vdvpv.exec:\vdvpv.exe108⤵PID:2076
-
\??\c:\5rrrrxx.exec:\5rrrrxx.exe109⤵PID:1028
-
\??\c:\tthnbb.exec:\tthnbb.exe110⤵PID:780
-
\??\c:\9nhtbt.exec:\9nhtbt.exe111⤵PID:2152
-
\??\c:\7lxrxxf.exec:\7lxrxxf.exe112⤵PID:2884
-
\??\c:\bnhnbn.exec:\bnhnbn.exe113⤵PID:896
-
\??\c:\ttntbb.exec:\ttntbb.exe114⤵PID:1844
-
\??\c:\jvppd.exec:\jvppd.exe115⤵PID:1576
-
\??\c:\nbthnn.exec:\nbthnn.exe116⤵PID:1552
-
\??\c:\dddpd.exec:\dddpd.exe117⤵PID:1580
-
\??\c:\lflrxlr.exec:\lflrxlr.exe118⤵PID:2480
-
\??\c:\bnbbhn.exec:\bnbbhn.exe119⤵PID:572
-
\??\c:\vjdvv.exec:\vjdvv.exe120⤵PID:2844
-
\??\c:\frrxrxl.exec:\frrxrxl.exe121⤵PID:2156
-
\??\c:\5tbhnn.exec:\5tbhnn.exe122⤵PID:2836