Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 21:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe
-
Size
453KB
-
MD5
30af677f840dab1de3a5aa63e3f959e1
-
SHA1
70ee9544183d8c91d638921b675318c39f17d9e7
-
SHA256
5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707
-
SHA512
d0b66a7c0cad8e46f6d2d0f8d9e1db532ad6a3e58a87a8421952c422f62054773ab383b7984ef8147d1a397e98d271240ea87b339986436f34c15108a5fd47a6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2524-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-46-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2956-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1128-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-123-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1600-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1136-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1816-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-285-0x0000000077780000-0x000000007789F000-memory.dmp family_blackmoon behavioral1/memory/2776-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-386-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2568-488-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1840-496-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1840-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/276-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-647-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2924-713-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/904-781-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2148-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-834-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2512 jvvjd.exe 2680 bnthnh.exe 2692 7lffxfr.exe 2808 nnbhtb.exe 2956 tnhhtt.exe 2788 fxrfrrx.exe 2760 3hnhth.exe 2632 ffflrrf.exe 2856 bbnttb.exe 1128 hnbnnt.exe 2096 ffxflrf.exe 1316 7djvp.exe 1340 xrrxlxl.exe 1600 nnhnnb.exe 2940 3xlxxxl.exe 2904 pdjdj.exe 2628 rrfrffl.exe 2028 hhhntn.exe 1136 xxrxflf.exe 1240 jjppp.exe 1784 xxlxrfr.exe 2468 hbhttb.exe 2232 pjjpv.exe 2544 9tntnn.exe 1816 7frxxxf.exe 1220 nbhtnt.exe 276 rrxrrlf.exe 1456 bbhnbb.exe 2268 ffxllff.exe 864 7nbhnn.exe 3020 pjvjp.exe 2776 ppvpp.exe 2412 hhthnt.exe 2736 9jjjd.exe 2864 lrlrrxl.exe 2808 hnhtbt.exe 2748 ppjpv.exe 2612 xflflrr.exe 2788 bhtbtn.exe 2756 ddjpd.exe 2608 pjdjp.exe 3060 xlrxfrr.exe 1124 7nhtbh.exe 2000 ppvdj.exe 2352 jjjpp.exe 2456 frrfxrf.exe 1388 bbtbnn.exe 2888 vvpvp.exe 2648 ppdpd.exe 1088 xflxrfx.exe 2688 hntbhh.exe 2936 dvpdp.exe 2924 ffrflrl.exe 1892 nthhbt.exe 1592 vjdjp.exe 2036 ffrxlrf.exe 2568 xrxxffl.exe 2220 7hbthn.exe 1776 vvjvd.exe 936 9fflflx.exe 1840 bbnbhh.exe 2200 vvjjd.exe 960 7pvdp.exe 916 1fxrflx.exe -
resource yara_rule behavioral1/memory/2524-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-44-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2956-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1128-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-274-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3020-285-0x0000000077780000-0x000000007789F000-memory.dmp upx behavioral1/memory/2776-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-734-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2568-740-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/2148-835-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2512 2524 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 29 PID 2524 wrote to memory of 2512 2524 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 29 PID 2524 wrote to memory of 2512 2524 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 29 PID 2524 wrote to memory of 2512 2524 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 29 PID 2512 wrote to memory of 2680 2512 jvvjd.exe 30 PID 2512 wrote to memory of 2680 2512 jvvjd.exe 30 PID 2512 wrote to memory of 2680 2512 jvvjd.exe 30 PID 2512 wrote to memory of 2680 2512 jvvjd.exe 30 PID 2680 wrote to memory of 2692 2680 bnthnh.exe 31 PID 2680 wrote to memory of 2692 2680 bnthnh.exe 31 PID 2680 wrote to memory of 2692 2680 bnthnh.exe 31 PID 2680 wrote to memory of 2692 2680 bnthnh.exe 31 PID 2692 wrote to memory of 2808 2692 7lffxfr.exe 32 PID 2692 wrote to memory of 2808 2692 7lffxfr.exe 32 PID 2692 wrote to memory of 2808 2692 7lffxfr.exe 32 PID 2692 wrote to memory of 2808 2692 7lffxfr.exe 32 PID 2808 wrote to memory of 2956 2808 nnbhtb.exe 33 PID 2808 wrote to memory of 2956 2808 nnbhtb.exe 33 PID 2808 wrote to memory of 2956 2808 nnbhtb.exe 33 PID 2808 wrote to memory of 2956 2808 nnbhtb.exe 33 PID 2956 wrote to memory of 2788 2956 tnhhtt.exe 34 PID 2956 wrote to memory of 2788 2956 tnhhtt.exe 34 PID 2956 wrote to memory of 2788 2956 tnhhtt.exe 34 PID 2956 wrote to memory of 2788 2956 tnhhtt.exe 34 PID 2788 wrote to memory of 2760 2788 fxrfrrx.exe 35 PID 2788 wrote to memory of 2760 2788 fxrfrrx.exe 35 PID 2788 wrote to memory of 2760 2788 fxrfrrx.exe 35 PID 2788 wrote to memory of 2760 2788 fxrfrrx.exe 35 PID 2760 wrote to memory of 2632 2760 3hnhth.exe 36 PID 2760 wrote to memory of 2632 2760 3hnhth.exe 36 PID 2760 wrote to memory of 2632 2760 3hnhth.exe 36 PID 2760 wrote to memory of 2632 2760 3hnhth.exe 36 PID 2632 wrote to memory of 2856 2632 ffflrrf.exe 37 PID 2632 
wrote to memory of 2856 2632 ffflrrf.exe 37 PID 2632 wrote to memory of 2856 2632 ffflrrf.exe 37 PID 2632 wrote to memory of 2856 2632 ffflrrf.exe 37 PID 2856 wrote to memory of 1128 2856 bbnttb.exe 38 PID 2856 wrote to memory of 1128 2856 bbnttb.exe 38 PID 2856 wrote to memory of 1128 2856 bbnttb.exe 38 PID 2856 wrote to memory of 1128 2856 bbnttb.exe 38 PID 1128 wrote to memory of 2096 1128 hnbnnt.exe 39 PID 1128 wrote to memory of 2096 1128 hnbnnt.exe 39 PID 1128 wrote to memory of 2096 1128 hnbnnt.exe 39 PID 1128 wrote to memory of 2096 1128 hnbnnt.exe 39 PID 2096 wrote to memory of 1316 2096 ffxflrf.exe 40 PID 2096 wrote to memory of 1316 2096 ffxflrf.exe 40 PID 2096 wrote to memory of 1316 2096 ffxflrf.exe 40 PID 2096 wrote to memory of 1316 2096 ffxflrf.exe 40 PID 1316 wrote to memory of 1340 1316 7djvp.exe 41 PID 1316 wrote to memory of 1340 1316 7djvp.exe 41 PID 1316 wrote to memory of 1340 1316 7djvp.exe 41 PID 1316 wrote to memory of 1340 1316 7djvp.exe 41 PID 1340 wrote to memory of 1600 1340 xrrxlxl.exe 42 PID 1340 wrote to memory of 1600 1340 xrrxlxl.exe 42 PID 1340 wrote to memory of 1600 1340 xrrxlxl.exe 42 PID 1340 wrote to memory of 1600 1340 xrrxlxl.exe 42 PID 1600 wrote to memory of 2940 1600 nnhnnb.exe 43 PID 1600 wrote to memory of 2940 1600 nnhnnb.exe 43 PID 1600 wrote to memory of 2940 1600 nnhnnb.exe 43 PID 1600 wrote to memory of 2940 1600 nnhnnb.exe 43 PID 2940 wrote to memory of 2904 2940 3xlxxxl.exe 44 PID 2940 wrote to memory of 2904 2940 3xlxxxl.exe 44 PID 2940 wrote to memory of 2904 2940 3xlxxxl.exe 44 PID 2940 wrote to memory of 2904 2940 3xlxxxl.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe"C:\Users\Admin\AppData\Local\Temp\5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\jvvjd.exec:\jvvjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\bnthnh.exec:\bnthnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\7lffxfr.exec:\7lffxfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\nnbhtb.exec:\nnbhtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\tnhhtt.exec:\tnhhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\fxrfrrx.exec:\fxrfrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\3hnhth.exec:\3hnhth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\ffflrrf.exec:\ffflrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\bbnttb.exec:\bbnttb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\hnbnnt.exec:\hnbnnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\ffxflrf.exec:\ffxflrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\7djvp.exec:\7djvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\xrrxlxl.exec:\xrrxlxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\nnhnnb.exec:\nnhnnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\3xlxxxl.exec:\3xlxxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\pdjdj.exec:\pdjdj.exe17⤵
- Executes dropped EXE
PID:2904 -
\??\c:\rrfrffl.exec:\rrfrffl.exe18⤵
- Executes dropped EXE
PID:2628 -
\??\c:\hhhntn.exec:\hhhntn.exe19⤵
- Executes dropped EXE
PID:2028 -
\??\c:\xxrxflf.exec:\xxrxflf.exe20⤵
- Executes dropped EXE
PID:1136 -
\??\c:\jjppp.exec:\jjppp.exe21⤵
- Executes dropped EXE
PID:1240 -
\??\c:\xxlxrfr.exec:\xxlxrfr.exe22⤵
- Executes dropped EXE
PID:1784 -
\??\c:\hbhttb.exec:\hbhttb.exe23⤵
- Executes dropped EXE
PID:2468 -
\??\c:\pjjpv.exec:\pjjpv.exe24⤵
- Executes dropped EXE
PID:2232 -
\??\c:\9tntnn.exec:\9tntnn.exe25⤵
- Executes dropped EXE
PID:2544 -
\??\c:\7frxxxf.exec:\7frxxxf.exe26⤵
- Executes dropped EXE
PID:1816 -
\??\c:\nbhtnt.exec:\nbhtnt.exe27⤵
- Executes dropped EXE
PID:1220 -
\??\c:\rrxrrlf.exec:\rrxrrlf.exe28⤵
- Executes dropped EXE
PID:276 -
\??\c:\bbhnbb.exec:\bbhnbb.exe29⤵
- Executes dropped EXE
PID:1456 -
\??\c:\ffxllff.exec:\ffxllff.exe30⤵
- Executes dropped EXE
PID:2268 -
\??\c:\7nbhnn.exec:\7nbhnn.exe31⤵
- Executes dropped EXE
PID:864 -
\??\c:\pjvjp.exec:\pjvjp.exe32⤵
- Executes dropped EXE
PID:3020 -
\??\c:\rrflffr.exec:\rrflffr.exe33⤵PID:1708
-
\??\c:\ppvpp.exec:\ppvpp.exe34⤵
- Executes dropped EXE
PID:2776 -
\??\c:\hhthnt.exec:\hhthnt.exe35⤵
- Executes dropped EXE
PID:2412 -
\??\c:\9jjjd.exec:\9jjjd.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2736 -
\??\c:\lrlrrxl.exec:\lrlrrxl.exe37⤵
- Executes dropped EXE
PID:2864 -
\??\c:\hnhtbt.exec:\hnhtbt.exe38⤵
- Executes dropped EXE
PID:2808 -
\??\c:\ppjpv.exec:\ppjpv.exe39⤵
- Executes dropped EXE
PID:2748 -
\??\c:\xflflrr.exec:\xflflrr.exe40⤵
- Executes dropped EXE
PID:2612 -
\??\c:\bhtbtn.exec:\bhtbtn.exe41⤵
- Executes dropped EXE
PID:2788 -
\??\c:\ddjpd.exec:\ddjpd.exe42⤵
- Executes dropped EXE
PID:2756 -
\??\c:\pjdjp.exec:\pjdjp.exe43⤵
- Executes dropped EXE
PID:2608 -
\??\c:\xlrxfrr.exec:\xlrxfrr.exe44⤵
- Executes dropped EXE
PID:3060 -
\??\c:\7nhtbh.exec:\7nhtbh.exe45⤵
- Executes dropped EXE
PID:1124 -
\??\c:\ppvdj.exec:\ppvdj.exe46⤵
- Executes dropped EXE
PID:2000 -
\??\c:\jjjpp.exec:\jjjpp.exe47⤵
- Executes dropped EXE
PID:2352 -
\??\c:\frrfxrf.exec:\frrfxrf.exe48⤵
- Executes dropped EXE
PID:2456 -
\??\c:\bbtbnn.exec:\bbtbnn.exe49⤵
- Executes dropped EXE
PID:1388 -
\??\c:\vvpvp.exec:\vvpvp.exe50⤵
- Executes dropped EXE
PID:2888 -
\??\c:\ppdpd.exec:\ppdpd.exe51⤵
- Executes dropped EXE
PID:2648 -
\??\c:\xflxrfx.exec:\xflxrfx.exe52⤵
- Executes dropped EXE
PID:1088 -
\??\c:\hntbhh.exec:\hntbhh.exe53⤵
- Executes dropped EXE
PID:2688 -
\??\c:\dvpdp.exec:\dvpdp.exe54⤵
- Executes dropped EXE
PID:2936 -
\??\c:\ffrflrl.exec:\ffrflrl.exe55⤵
- Executes dropped EXE
PID:2924 -
\??\c:\nthhbt.exec:\nthhbt.exe56⤵
- Executes dropped EXE
PID:1892 -
\??\c:\vjdjp.exec:\vjdjp.exe57⤵
- Executes dropped EXE
PID:1592 -
\??\c:\ffrxlrf.exec:\ffrxlrf.exe58⤵
- Executes dropped EXE
PID:2036 -
\??\c:\xrxxffl.exec:\xrxxffl.exe59⤵
- Executes dropped EXE
PID:2568 -
\??\c:\7hbthn.exec:\7hbthn.exe60⤵
- Executes dropped EXE
PID:2220 -
\??\c:\vvjvd.exec:\vvjvd.exe61⤵
- Executes dropped EXE
PID:1776 -
\??\c:\9fflflx.exec:\9fflflx.exe62⤵
- Executes dropped EXE
PID:936 -
\??\c:\bbnbhh.exec:\bbnbhh.exe63⤵
- Executes dropped EXE
PID:1840 -
\??\c:\vvjjd.exec:\vvjjd.exe64⤵
- Executes dropped EXE
PID:2200 -
\??\c:\7pvdp.exec:\7pvdp.exe65⤵
- Executes dropped EXE
PID:960 -
\??\c:\1fxrflx.exec:\1fxrflx.exe66⤵
- Executes dropped EXE
PID:916 -
\??\c:\tbnbhn.exec:\tbnbhn.exe67⤵PID:3000
-
\??\c:\3vdpj.exec:\3vdpj.exe68⤵PID:276
-
\??\c:\ffrxflf.exec:\ffrxflf.exe69⤵PID:1104
-
\??\c:\nbbbhb.exec:\nbbbhb.exe70⤵PID:1752
-
\??\c:\1tbtbh.exec:\1tbtbh.exe71⤵PID:1628
-
\??\c:\jjvdj.exec:\jjvdj.exe72⤵PID:2524
-
\??\c:\xxlxlxf.exec:\xxlxlxf.exe73⤵
- System Location Discovery: System Language Discovery
PID:3020 -
\??\c:\nnhbnn.exec:\nnhbnn.exe74⤵PID:1568
-
\??\c:\bhbnbn.exec:\bhbnbn.exe75⤵PID:2368
-
\??\c:\jjdjj.exec:\jjdjj.exe76⤵PID:2696
-
\??\c:\rxlxllf.exec:\rxlxllf.exe77⤵PID:2408
-
\??\c:\nnbntt.exec:\nnbntt.exe78⤵PID:2712
-
\??\c:\bhtthh.exec:\bhtthh.exe79⤵PID:2836
-
\??\c:\9ppdp.exec:\9ppdp.exe80⤵PID:2780
-
\??\c:\rrllxfr.exec:\rrllxfr.exe81⤵PID:2676
-
\??\c:\nbnthb.exec:\nbnthb.exe82⤵PID:2784
-
\??\c:\jvjpj.exec:\jvjpj.exe83⤵PID:2660
-
\??\c:\jjpdp.exec:\jjpdp.exe84⤵PID:2604
-
\??\c:\llflxfx.exec:\llflxfx.exe85⤵PID:1792
-
\??\c:\ntbnhn.exec:\ntbnhn.exe86⤵PID:2896
-
\??\c:\dpvdv.exec:\dpvdv.exe87⤵PID:1956
-
\??\c:\jjjjv.exec:\jjjjv.exe88⤵PID:2104
-
\??\c:\xfxlrfx.exec:\xfxlrfx.exe89⤵PID:2684
-
\??\c:\bhhntb.exec:\bhhntb.exe90⤵PID:1228
-
\??\c:\5jjvj.exec:\5jjvj.exe91⤵PID:744
-
\??\c:\3jvvj.exec:\3jvvj.exe92⤵PID:3044
-
\??\c:\frflflf.exec:\frflflf.exe93⤵PID:2648
-
\??\c:\nhthhh.exec:\nhthhh.exe94⤵PID:1740
-
\??\c:\vvpjd.exec:\vvpjd.exe95⤵PID:396
-
\??\c:\rflrxlx.exec:\rflrxlx.exe96⤵PID:2488
-
\??\c:\xrffrrf.exec:\xrffrrf.exe97⤵PID:2924
-
\??\c:\hhtthh.exec:\hhtthh.exe98⤵PID:2360
-
\??\c:\dvddp.exec:\dvddp.exe99⤵PID:2976
-
\??\c:\ppppv.exec:\ppppv.exe100⤵PID:2036
-
\??\c:\9lfrxll.exec:\9lfrxll.exe101⤵PID:2568
-
\??\c:\nhbhnn.exec:\nhbhnn.exe102⤵PID:2216
-
\??\c:\jvpjd.exec:\jvpjd.exe103⤵PID:596
-
\??\c:\xlfxxlf.exec:\xlfxxlf.exe104⤵PID:2480
-
\??\c:\frlfxll.exec:\frlfxll.exe105⤵PID:1692
-
\??\c:\nnttnb.exec:\nnttnb.exe106⤵PID:2200
-
\??\c:\ddjjv.exec:\ddjjv.exe107⤵PID:904
-
\??\c:\1rxrlxl.exec:\1rxrlxl.exe108⤵PID:2108
-
\??\c:\tbhhth.exec:\tbhhth.exe109⤵PID:2092
-
\??\c:\ppjpp.exec:\ppjpp.exe110⤵PID:852
-
\??\c:\5rllrrx.exec:\5rllrrx.exe111⤵PID:2400
-
\??\c:\tthntb.exec:\tthntb.exe112⤵PID:2168
-
\??\c:\bhnntb.exec:\bhnntb.exe113⤵PID:2288
-
\??\c:\jjppd.exec:\jjppd.exe114⤵PID:860
-
\??\c:\rfrxlrx.exec:\rfrxlrx.exe115⤵PID:2148
-
\??\c:\9hbntb.exec:\9hbntb.exe116⤵PID:1624
-
\??\c:\3nhnhn.exec:\3nhnhn.exe117⤵PID:2692
-
\??\c:\vdjdv.exec:\vdjdv.exe118⤵PID:2736
-
\??\c:\xxfxffr.exec:\xxfxffr.exe119⤵PID:2868
-
\??\c:\hhnhbh.exec:\hhnhbh.exe120⤵PID:2832
-
\??\c:\nhhhhb.exec:\nhhhhb.exe121⤵PID:1748
-
\??\c:\jvjjj.exec:\jvjjj.exe122⤵PID:2636