Analysis

max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2024 01:58

Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: dd7d5b2aa1fccd3b9d5a05806a9e91cd1554143edcf4dea4e2eaf338ff25db2f.exe
- Resource: win7-20240903-en (windows7-x64)
- 7 signatures, 150 seconds
General

Target: dd7d5b2aa1fccd3b9d5a05806a9e91cd1554143edcf4dea4e2eaf338ff25db2f.exe
Size: 456KB
MD5: 656dc348691e88993ace2835252d4ac1
SHA1: 481a28d2dbedaf72d434cfae0c5406fbb9836160
SHA256: dd7d5b2aa1fccd3b9d5a05806a9e91cd1554143edcf4dea4e2eaf338ff25db2f
SHA512: a1323ae911c9546573b5ccb7c08ca36e3ad6c2d2c252b0d983e5d319ab4850d6b7fbb970861d5911945b117c1ec42b98c144005e0180581201dde2b4f64fab05
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeLe:q7Tc2NYHUrAwfMp3CDLe
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (42 IoCs)
resource / yara_rule:
- behavioral1/memory/2012-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2328-20-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2980-17-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2444-35-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2732-58-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2852-49-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2696-45-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2988-73-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2720-91-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/572-113-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2916-111-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2916-109-0x00000000003B0000-0x00000000003DA000-memory.dmp  family_blackmoon
- behavioral1/memory/1780-148-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/596-146-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2644-163-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/1600-223-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2232-256-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/1936-265-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/1480-268-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2340-283-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2996-304-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/1596-307-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
- behavioral1/memory/1596-312-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2476-326-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2060-339-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2756-364-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2628-370-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
- behavioral1/memory/2772-379-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2780-382-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
- behavioral1/memory/2780-387-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/1572-520-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
- behavioral1/memory/1300-539-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2216-552-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2332-608-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2060-627-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
- behavioral1/memory/2744-653-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
- behavioral1/memory/2728-666-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2780-673-0x0000000000320000-0x000000000034A000-memory.dmp  family_blackmoon
- behavioral1/memory/2280-748-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/1844-761-0x00000000003B0000-0x00000000003DA000-memory.dmp  family_blackmoon
- behavioral1/memory/1996-795-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- behavioral1/memory/2808-1273-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
Executes dropped EXE (64 IoCs)
pid / Process:
- 2980  3nnthh.exe
- 2328  dppvv.exe
- 2444  xxlxxlx.exe
- 2696  ntnbnb.exe
- 2852  pjjjv.exe
- 2732  bhhhbn.exe
- 2988  hhbhtb.exe
- 2968  xxxlfrf.exe
- 2720  7bbnhh.exe
- 2636  rfxrlxx.exe
- 2916  ntthht.exe
- 572  fxrfrxx.exe
- 2840  ttnhtn.exe
- 536  lxxlxfr.exe
- 596  nhbhtb.exe
- 1780  vdpvp.exe
- 2644  3hnhbn.exe
- 2944  1lflxll.exe
- 2108  nnthhn.exe
- 2364  llfrfrr.exe
- 1672  lrrlrll.exe
- 3008  7xrxlxl.exe
- 696  9tbhbh.exe
- 1600  hhbhbn.exe
- 1312  ppdjv.exe
- 1688  ffrlxxr.exe
- 760  3jpdp.exe
- 2232  ntthbn.exe
- 1936  3jjvj.exe
- 1480  ntnnbb.exe
- 2340  jvdpj.exe
- 876  tttbnt.exe
- 1720  vjpjj.exe
- 2996  dddpj.exe
- 1596  xxxlfrr.exe
- 2436  5nntnn.exe
- 2476  dddpd.exe
- 1976  dddjv.exe
- 2060  rllrfrf.exe
- 2992  nbtnbb.exe
- 2876  hnhbtb.exe
- 2892  pvpdv.exe
- 2756  lrxlxfx.exe
- 2628  3lflxfr.exe
- 2772  9bthbh.exe
- 2780  pvvpd.exe
- 2680  xrlrflx.exe
- 1920  7hbbnt.exe
- 1472  nnhtbh.exe
- 2884  pjjpp.exe
- 1664  dvjvj.exe
- 2840  7xxfrlf.exe
- 588  7nhnhn.exe
- 1084  ttthnt.exe
- 236  7dvjv.exe
- 2132  rxfrfxl.exe
- 2964  llrlfrl.exe
- 2280  nnnnth.exe
- 2700  vpjpd.exe
- 2108  jpvjv.exe
- 3028  xrlrflr.exe
- 2584  9nntbn.exe
- 2588  nnntnt.exe
- 1572  1vjdp.exe
resource / yara_rule:
- behavioral1/memory/2980-9-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2012-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2328-20-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2980-17-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2696-37-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2444-35-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2732-58-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2852-49-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2696-45-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2968-74-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2988-73-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2636-92-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2720-91-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/572-113-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2916-111-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/536-129-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1780-148-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/596-146-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2644-163-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1600-215-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1600-223-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2232-256-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1936-265-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1480-268-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2340-283-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2996-304-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1596-307-0x0000000000220000-0x000000000024A000-memory.dmp  upx
- behavioral1/memory/1596-312-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2436-313-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2476-326-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2060-339-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2756-364-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2628-365-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2772-379-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2780-387-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2132-443-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1572-495-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1300-539-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2216-552-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2332-608-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2744-653-0x0000000000220000-0x000000000024A000-memory.dmp  upx
- behavioral1/memory/2728-666-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2648-674-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2280-748-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/3028-764-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1312-796-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1996-795-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2880-902-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1100-977-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1524-1026-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1936-1101-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/2808-1273-0x0000000000220000-0x000000000024A000-memory.dmp  upx
- behavioral1/memory/2456-1302-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- behavioral1/memory/1652-1358-0x0000000000400000-0x000000000042A000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process: all 64 entries have the same description and ioc, "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the Process column, in report order, is:
- ttttbb.exe
- Process not Found (9 entries)
- 1pvvj.exe
- bbtbhn.exe
- Process not Found (2 entries)
- llfrfrr.exe
- Process not Found (2 entries)
- vpvvv.exe
- Process not Found (6 entries)
- 7rrfrlx.exe
- Process not Found (5 entries)
- pjppd.exe
- Process not Found (13 entries)
- 5vvvj.exe
- pppdp.exe
- Process not Found (15 entries)
- 1nbhth.exe
- 3httbh.exe
- Process not Found (1 entry)
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (each row below appears four times in the report, 16 x 4 = 64 entries):
- PID 2012 wrote to memory of 2980  |  2012  dd7d5b2aa1fccd3b9d5a05806a9e91cd1554143edcf4dea4e2eaf338ff25db2f.exe  |  30
- PID 2980 wrote to memory of 2328  |  2980  3nnthh.exe  |  31
- PID 2328 wrote to memory of 2444  |  2328  dppvv.exe  |  32
- PID 2444 wrote to memory of 2696  |  2444  xxlxxlx.exe  |  33
- PID 2696 wrote to memory of 2852  |  2696  ntnbnb.exe  |  34
- PID 2852 wrote to memory of 2732  |  2852  pjjjv.exe  |  35
- PID 2732 wrote to memory of 2988  |  2732  bhhhbn.exe  |  36
- PID 2988 wrote to memory of 2968  |  2988  hhbhtb.exe  |  37
- PID 2968 wrote to memory of 2720  |  2968  xxxlfrf.exe  |  38
- PID 2720 wrote to memory of 2636  |  2720  7bbnhh.exe  |  39
- PID 2636 wrote to memory of 2916  |  2636  rfxrlxx.exe  |  40
- PID 2916 wrote to memory of 572  |  2916  ntthht.exe  |  41
- PID 572 wrote to memory of 2840  |  572  fxrfrxx.exe  |  42
- PID 2840 wrote to memory of 536  |  2840  ttnhtn.exe  |  43
- PID 536 wrote to memory of 596  |  536  lxxlxfr.exe  |  44
- PID 596 wrote to memory of 1780  |  596  nhbhtb.exe  |  45
Processes
Entries are listed by depth in the process tree (each level is a child of the previous one): image path, command line, PID, then the signatures that process triggered.

Level 1: C:\Users\Admin\AppData\Local\Temp\dd7d5b2aa1fccd3b9d5a05806a9e91cd1554143edcf4dea4e2eaf338ff25db2f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\dd7d5b2aa1fccd3b9d5a05806a9e91cd1554143edcf4dea4e2eaf338ff25db2f.exe"), PID 2012
- Suspicious use of WriteProcessMemory
Level 2: \??\c:\3nnthh.exe (command line: c:\3nnthh.exe), PID 2980
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 3: \??\c:\dppvv.exe (command line: c:\dppvv.exe), PID 2328
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 4: \??\c:\xxlxxlx.exe (command line: c:\xxlxxlx.exe), PID 2444
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 5: \??\c:\ntnbnb.exe (command line: c:\ntnbnb.exe), PID 2696
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 6: \??\c:\pjjjv.exe (command line: c:\pjjjv.exe), PID 2852
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 7: \??\c:\bhhhbn.exe (command line: c:\bhhhbn.exe), PID 2732
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 8: \??\c:\hhbhtb.exe (command line: c:\hhbhtb.exe), PID 2988
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 9: \??\c:\xxxlfrf.exe (command line: c:\xxxlfrf.exe), PID 2968
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 10: \??\c:\7bbnhh.exe (command line: c:\7bbnhh.exe), PID 2720
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 11: \??\c:\rfxrlxx.exe (command line: c:\rfxrlxx.exe), PID 2636
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 12: \??\c:\ntthht.exe (command line: c:\ntthht.exe), PID 2916
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 13: \??\c:\fxrfrxx.exe (command line: c:\fxrfrxx.exe), PID 572
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 14: \??\c:\ttnhtn.exe (command line: c:\ttnhtn.exe), PID 2840
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 15: \??\c:\lxxlxfr.exe (command line: c:\lxxlxfr.exe), PID 536
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 16: \??\c:\nhbhtb.exe (command line: c:\nhbhtb.exe), PID 596
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Level 17: \??\c:\vdpvp.exe (command line: c:\vdpvp.exe), PID 1780
- Executes dropped EXE
Level 18: \??\c:\3hnhbn.exe (command line: c:\3hnhbn.exe), PID 2644
- Executes dropped EXE
Level 19: \??\c:\1lflxll.exe (command line: c:\1lflxll.exe), PID 2944
- Executes dropped EXE
Level 20: \??\c:\nnthhn.exe (command line: c:\nnthhn.exe), PID 2108
- Executes dropped EXE
Level 21: \??\c:\llfrfrr.exe (command line: c:\llfrfrr.exe), PID 2364
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Level 22: \??\c:\lrrlrll.exe (command line: c:\lrrlrll.exe), PID 1672
- Executes dropped EXE
Level 23: \??\c:\7xrxlxl.exe (command line: c:\7xrxlxl.exe), PID 3008
- Executes dropped EXE
Level 24: \??\c:\9tbhbh.exe (command line: c:\9tbhbh.exe), PID 696
- Executes dropped EXE
Level 25: \??\c:\hhbhbn.exe (command line: c:\hhbhbn.exe), PID 1600
- Executes dropped EXE
Level 26: \??\c:\ppdjv.exe (command line: c:\ppdjv.exe), PID 1312
- Executes dropped EXE
Level 27: \??\c:\ffrlxxr.exe (command line: c:\ffrlxxr.exe), PID 1688
- Executes dropped EXE
Level 28: \??\c:\3jpdp.exe (command line: c:\3jpdp.exe), PID 760
- Executes dropped EXE
Level 29: \??\c:\ntthbn.exe (command line: c:\ntthbn.exe), PID 2232
- Executes dropped EXE
Level 30: \??\c:\3jjvj.exe (command line: c:\3jjvj.exe), PID 1936
- Executes dropped EXE
Level 31: \??\c:\ntnnbb.exe (command line: c:\ntnnbb.exe), PID 1480
- Executes dropped EXE
Level 32: \??\c:\jvdpj.exe (command line: c:\jvdpj.exe), PID 2340
- Executes dropped EXE
Level 33: \??\c:\tttbnt.exe (command line: c:\tttbnt.exe), PID 876
- Executes dropped EXE
Level 34: \??\c:\vjpjj.exe (command line: c:\vjpjj.exe), PID 1720
- Executes dropped EXE
Level 35: \??\c:\dddpj.exe (command line: c:\dddpj.exe), PID 2996
- Executes dropped EXE
Level 36: \??\c:\xxxlfrr.exe (command line: c:\xxxlfrr.exe), PID 1596
- Executes dropped EXE
Level 37: \??\c:\5nntnn.exe (command line: c:\5nntnn.exe), PID 2436
- Executes dropped EXE
Level 38: \??\c:\dddpd.exe (command line: c:\dddpd.exe), PID 2476
- Executes dropped EXE
Level 39: \??\c:\dddjv.exe (command line: c:\dddjv.exe), PID 1976
- Executes dropped EXE
Level 40: \??\c:\rllrfrf.exe (command line: c:\rllrfrf.exe), PID 2060
- Executes dropped EXE
Level 41: \??\c:\nbtnbb.exe (command line: c:\nbtnbb.exe), PID 2992
- Executes dropped EXE
Level 42: \??\c:\hnhbtb.exe (command line: c:\hnhbtb.exe), PID 2876
- Executes dropped EXE
Level 43: \??\c:\pvpdv.exe (command line: c:\pvpdv.exe), PID 2892
- Executes dropped EXE
Level 44: \??\c:\lrxlxfx.exe (command line: c:\lrxlxfx.exe), PID 2756
- Executes dropped EXE
Level 45: \??\c:\3lflxfr.exe (command line: c:\3lflxfr.exe), PID 2628
- Executes dropped EXE
Level 46: \??\c:\9bthbh.exe (command line: c:\9bthbh.exe), PID 2772
- Executes dropped EXE
Level 47: \??\c:\pvvpd.exe (command line: c:\pvvpd.exe), PID 2780
- Executes dropped EXE
Level 48: \??\c:\xrlrflx.exe (command line: c:\xrlrflx.exe), PID 2680
- Executes dropped EXE
Level 49: \??\c:\7hbbnt.exe (command line: c:\7hbbnt.exe), PID 1920
- Executes dropped EXE
Level 50: \??\c:\nnhtbh.exe (command line: c:\nnhtbh.exe), PID 1472
- Executes dropped EXE
Level 51: \??\c:\pjjpp.exe (command line: c:\pjjpp.exe), PID 2884
- Executes dropped EXE
Level 52: \??\c:\dvjvj.exe (command line: c:\dvjvj.exe), PID 1664
- Executes dropped EXE
Level 53: \??\c:\7xxfrlf.exe (command line: c:\7xxfrlf.exe), PID 2840
- Executes dropped EXE
Level 54: \??\c:\7nhnhn.exe (command line: c:\7nhnhn.exe), PID 588
- Executes dropped EXE
Level 55: \??\c:\ttthnt.exe (command line: c:\ttthnt.exe), PID 1084
- Executes dropped EXE
Level 56: \??\c:\7dvjv.exe (command line: c:\7dvjv.exe), PID 236
- Executes dropped EXE
Level 57: \??\c:\rxfrfxl.exe (command line: c:\rxfrfxl.exe), PID 2132
- Executes dropped EXE
Level 58: \??\c:\llrlfrl.exe (command line: c:\llrlfrl.exe), PID 2964
- Executes dropped EXE
Level 59: \??\c:\nnnnth.exe (command line: c:\nnnnth.exe), PID 2280
- Executes dropped EXE
Level 60: \??\c:\vpjpd.exe (command line: c:\vpjpd.exe), PID 2700
- Executes dropped EXE
Level 61: \??\c:\jpvjv.exe (command line: c:\jpvjv.exe), PID 2108
- Executes dropped EXE
Level 62: \??\c:\xrlrflr.exe (command line: c:\xrlrflr.exe), PID 3028
- Executes dropped EXE
Level 63: \??\c:\9nntbn.exe (command line: c:\9nntbn.exe), PID 2584
- Executes dropped EXE
Level 64: \??\c:\nnntnt.exe (command line: c:\nnntnt.exe), PID 2588
- Executes dropped EXE
Level 65: \??\c:\1vjdp.exe (command line: c:\1vjdp.exe), PID 1572
- Executes dropped EXE
Level 66: \??\c:\frxrfrr.exe (command line: c:\frxrfrr.exe), PID 948
Level 67: \??\c:\bbbhbh.exe (command line: c:\bbbhbh.exe), PID 1796
Level 68: \??\c:\5bbtht.exe (command line: c:\5bbtht.exe), PID 1788
Level 69: \??\c:\dddpj.exe (command line: c:\dddpj.exe), PID 1372
Level 70: \??\c:\xxllffx.exe (command line: c:\xxllffx.exe), PID 1760
Level 71: \??\c:\fllrlxf.exe (command line: c:\fllrlxf.exe), PID 1300
Level 72: \??\c:\nhhnth.exe (command line: c:\nhhnth.exe), PID 3040
Level 73: \??\c:\jjjdp.exe (command line: c:\jjjdp.exe), PID 2216
Level 74: \??\c:\7pdvp.exe (command line: c:\7pdvp.exe), PID 2244
Level 75: \??\c:\lrlfrfx.exe (command line: c:\lrlfrfx.exe), PID 2488
Level 76: \??\c:\hhnnhn.exe (command line: c:\hhnnhn.exe), PID 2340
Level 77: \??\c:\pddvp.exe (command line: c:\pddvp.exe), PID 876
Level 78: \??\c:\pppvd.exe (command line: c:\pppvd.exe), PID 1948
Level 79: \??\c:\5fffrfr.exe (command line: c:\5fffrfr.exe), PID 1916
Level 80: \??\c:\9nntnb.exe (command line: c:\9nntnb.exe), PID 2932
Level 81: \??\c:\bbbnhn.exe (command line: c:\bbbnhn.exe), PID 2300
Level 82: \??\c:\pppdp.exe (command line: c:\pppdp.exe), PID 2332
Level 83: \??\c:\llrxxlx.exe (command line: c:\llrxxlx.exe), PID 1580
Level 84: \??\c:\llfflrf.exe (command line: c:\llfflrf.exe), PID 2852
Level 85: \??\c:\btbhth.exe (command line: c:\btbhth.exe), PID 2060
Level 86: \??\c:\vvvjv.exe (command line: c:\vvvjv.exe), PID 2920
Level 87: \??\c:\fflfrfr.exe (command line: c:\fflfrfr.exe), PID 2712
Level 88: \??\c:\xffffrl.exe (command line: c:\xffffrl.exe), PID 2224
Level 89: \??\c:\htntht.exe (command line: c:\htntht.exe), PID 2744
Level 90: \??\c:\9hhtht.exe (command line: c:\9hhtht.exe), PID 1968
Level 91: \??\c:\jjjpd.exe (command line: c:\jjjpd.exe), PID 2728
Level 92: \??\c:\rrrxffr.exe (command line: c:\rrrxffr.exe), PID 2780
Level 93: \??\c:\bhhbnt.exe (command line: c:\bhhbnt.exe), PID 2648
Level 94: \??\c:\hhnhbh.exe (command line: c:\hhnhbh.exe), PID 688
Level 95: \??\c:\vdjvv.exe (command line: c:\vdjvv.exe), PID 2828
Level 96: \??\c:\lxxxrff.exe (command line: c:\lxxxrff.exe), PID 1108
Level 97: \??\c:\lrlfrfx.exe (command line: c:\lrlfrfx.exe), PID 332
Level 98: \??\c:\1nbhth.exe (command line: c:\1nbhth.exe), PID 2808
- System Location Discovery: System Language Discovery
Level 99: \??\c:\vvppj.exe (command line: c:\vvppj.exe), PID 1068
Level 100: \??\c:\dppdp.exe (command line: c:\dppdp.exe), PID 1132
Level 101: \??\c:\lxxfllx.exe (command line: c:\lxxfllx.exe), PID 2956
Level 102: \??\c:\nnntnt.exe (command line: c:\nnntnt.exe), PID 2940
Level 103: \??\c:\btbbtb.exe (command line: c:\btbbtb.exe), PID 2276
Level 104: \??\c:\jppdp.exe (command line: c:\jppdp.exe), PID 2280
Level 105: \??\c:\xrrxlrf.exe (command line: c:\xrrxlrf.exe), PID 2700
Level 106: \??\c:\hhthnn.exe (command line: c:\hhthnn.exe), PID 1844
Level 107: \??\c:\bhhnth.exe (command line: c:\bhhnth.exe), PID 3028
Level 108: \??\c:\vdvvp.exe (command line: c:\vdvvp.exe), PID 1996
Level 109: \??\c:\xxrfrxr.exe (command line: c:\xxrfrxr.exe), PID 696
Level 110: \??\c:\7nbnbb.exe (command line: c:\7nbnbb.exe), PID 1080
Level 111: \??\c:\nnhtbb.exe (command line: c:\nnhtbb.exe), PID 316
Level 112: \??\c:\1pvvj.exe (command line: c:\1pvvj.exe), PID 1312
- System Location Discovery: System Language Discovery
Level 113: \??\c:\fxrxflx.exe (command line: c:\fxrxflx.exe), PID 896
Level 114: \??\c:\bbtbnt.exe (command line: c:\bbtbnt.exe), PID 2492
Level 115: \??\c:\hhhhnt.exe (command line: c:\hhhhnt.exe), PID 2480
Level 116: \??\c:\dddpj.exe (command line: c:\dddpj.exe), PID 3056
Level 117: \??\c:\ffxflrf.exe (command line: c:\ffxflrf.exe), PID 1036
Level 118: \??\c:\nnhtht.exe (command line: c:\nnhtht.exe), PID 2080
Level 119: \??\c:\hnnbhn.exe (command line: c:\hnnbhn.exe), PID 2244
Level 120: \??\c:\vjppp.exe (command line: c:\vjppp.exe), PID 1676
Level 121: \??\c:\1xrrrxf.exe (command line: c:\1xrrrxf.exe), PID 2560
Level 122: \??\c:\nntbnt.exe (command line: c:\nntbnt.exe), PID 1720