Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 04:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe
-
Size
454KB
-
MD5
d831cc058ef62c48c0a1ec7cb33bbc40
-
SHA1
c0738465fabe52e3324005d4eb440b1a05a029ad
-
SHA256
968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5
-
SHA512
86fad2e9f8f224d39b9e1f6644767d2af9797ff1b86461e84afa6a507c4696c0b2a0897383bf8a29cc51dde8eac9b41511126387bde9ffe0fc2dcde0e2021b8d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 35 IoCs
resource yara_rule behavioral1/memory/1760-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1124-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1060-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2840-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/452-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-606-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2816-608-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2548-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-774-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2548-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1908 3lxxllr.exe 2776 vdppp.exe 2368 xfllllr.exe 2820 pjjjj.exe 2044 rrrlrxf.exe 2120 vvdvd.exe 2644 1fxrfxx.exe 2612 5jvjj.exe 2096 7jjpp.exe 2532 pdpjp.exe 1124 1jvvv.exe 1512 hbbbbb.exe 2324 7djdj.exe 2516 nhhbtn.exe 2060 fflfffl.exe 1860 hbhhhn.exe 2892 llrlrxx.exe 1060 7bnhhn.exe 3028 5vvdp.exe 2024 nnttnt.exe 2196 7jpvd.exe 2016 ttnnhh.exe 1504 7jdvd.exe 2348 5bntbh.exe 1748 jdddp.exe 1764 llrrxfl.exe 2936 5ntttb.exe 1316 rllffxx.exe 1484 7nbbnn.exe 1500 dvjpd.exe 880 xxfflll.exe 1572 lfffllr.exe 2452 3tnhnh.exe 1908 vddvv.exe 2776 ppdvj.exe 2828 lrxxxxf.exe 2136 nnbbbb.exe 2840 jdddv.exe 2784 jdddj.exe 2264 lflxxxx.exe 2832 bbttht.exe 2708 jjpvd.exe 2076 vvjdv.exe 1228 rxflllx.exe 452 1thhnn.exe 2092 pjjdd.exe 1360 ppjvd.exe 2460 1rfflrr.exe 2280 tntthh.exe 1148 ddvjj.exe 2516 jjddj.exe 1768 xllffff.exe 2492 tnnntn.exe 472 vvvvv.exe 2576 pjppp.exe 1104 xlrxflr.exe 2168 tbhbhh.exe 3028 ppddp.exe 2140 5djdp.exe 348 xxrxffl.exe 1272 hntntt.exe 2016 5vjjv.exe 2360 5lxfxrx.exe 1204 llxxflr.exe -
resource yara_rule behavioral1/memory/1760-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-179-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2024-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/452-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/472-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-609-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2648-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-813-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-945-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 1908 1760 968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe 30 PID 1760 wrote to memory of 1908 1760 968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe 30 PID 1760 wrote to memory of 1908 1760 968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe 30 PID 1760 wrote to memory of 1908 1760 968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe 30 PID 1908 wrote to memory of 2776 1908 3lxxllr.exe 31 PID 1908 wrote to memory of 2776 1908 3lxxllr.exe 31 PID 1908 wrote to memory of 2776 1908 3lxxllr.exe 31 PID 1908 wrote to memory of 2776 1908 3lxxllr.exe 31 PID 2776 wrote to memory of 2368 2776 vdppp.exe 32 PID 2776 wrote to memory of 2368 2776 vdppp.exe 32 PID 2776 wrote to memory of 2368 2776 vdppp.exe 32 PID 2776 wrote to memory of 2368 2776 vdppp.exe 32 PID 2368 wrote to memory of 2820 2368 xfllllr.exe 33 PID 2368 wrote to memory of 2820 2368 xfllllr.exe 33 PID 2368 wrote to memory of 2820 2368 xfllllr.exe 33 PID 2368 wrote to memory of 2820 2368 xfllllr.exe 33 PID 2820 wrote to memory of 2044 2820 pjjjj.exe 34 PID 2820 wrote to memory of 2044 2820 pjjjj.exe 34 PID 2820 wrote to memory of 2044 2820 pjjjj.exe 34 PID 2820 wrote to memory of 2044 2820 pjjjj.exe 34 PID 2044 wrote to memory of 2120 2044 rrrlrxf.exe 35 PID 2044 wrote to memory of 2120 2044 rrrlrxf.exe 35 PID 2044 wrote to memory of 2120 2044 rrrlrxf.exe 35 PID 2044 wrote to memory of 2120 2044 rrrlrxf.exe 35 PID 2120 wrote to memory of 2644 2120 vvdvd.exe 36 PID 2120 wrote to memory of 2644 2120 vvdvd.exe 36 PID 2120 wrote to memory of 2644 2120 vvdvd.exe 36 PID 2120 wrote to memory of 2644 2120 vvdvd.exe 36 PID 2644 wrote to memory of 2612 2644 1fxrfxx.exe 37 PID 2644 wrote to memory of 2612 2644 1fxrfxx.exe 37 PID 2644 wrote to memory of 2612 2644 1fxrfxx.exe 37 PID 2644 wrote to memory of 2612 2644 1fxrfxx.exe 37 PID 2612 wrote to memory of 2096 2612 5jvjj.exe 38 PID 
2612 wrote to memory of 2096 2612 5jvjj.exe 38 PID 2612 wrote to memory of 2096 2612 5jvjj.exe 38 PID 2612 wrote to memory of 2096 2612 5jvjj.exe 38 PID 2096 wrote to memory of 2532 2096 7jjpp.exe 39 PID 2096 wrote to memory of 2532 2096 7jjpp.exe 39 PID 2096 wrote to memory of 2532 2096 7jjpp.exe 39 PID 2096 wrote to memory of 2532 2096 7jjpp.exe 39 PID 2532 wrote to memory of 1124 2532 pdpjp.exe 40 PID 2532 wrote to memory of 1124 2532 pdpjp.exe 40 PID 2532 wrote to memory of 1124 2532 pdpjp.exe 40 PID 2532 wrote to memory of 1124 2532 pdpjp.exe 40 PID 1124 wrote to memory of 1512 1124 1jvvv.exe 41 PID 1124 wrote to memory of 1512 1124 1jvvv.exe 41 PID 1124 wrote to memory of 1512 1124 1jvvv.exe 41 PID 1124 wrote to memory of 1512 1124 1jvvv.exe 41 PID 1512 wrote to memory of 2324 1512 hbbbbb.exe 42 PID 1512 wrote to memory of 2324 1512 hbbbbb.exe 42 PID 1512 wrote to memory of 2324 1512 hbbbbb.exe 42 PID 1512 wrote to memory of 2324 1512 hbbbbb.exe 42 PID 2324 wrote to memory of 2516 2324 7djdj.exe 43 PID 2324 wrote to memory of 2516 2324 7djdj.exe 43 PID 2324 wrote to memory of 2516 2324 7djdj.exe 43 PID 2324 wrote to memory of 2516 2324 7djdj.exe 43 PID 2516 wrote to memory of 2060 2516 nhhbtn.exe 44 PID 2516 wrote to memory of 2060 2516 nhhbtn.exe 44 PID 2516 wrote to memory of 2060 2516 nhhbtn.exe 44 PID 2516 wrote to memory of 2060 2516 nhhbtn.exe 44 PID 2060 wrote to memory of 1860 2060 fflfffl.exe 45 PID 2060 wrote to memory of 1860 2060 fflfffl.exe 45 PID 2060 wrote to memory of 1860 2060 fflfffl.exe 45 PID 2060 wrote to memory of 1860 2060 fflfffl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe"C:\Users\Admin\AppData\Local\Temp\968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\3lxxllr.exec:\3lxxllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\vdppp.exec:\vdppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\xfllllr.exec:\xfllllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\pjjjj.exec:\pjjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\rrrlrxf.exec:\rrrlrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\vvdvd.exec:\vvdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\1fxrfxx.exec:\1fxrfxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\5jvjj.exec:\5jvjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\7jjpp.exec:\7jjpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\pdpjp.exec:\pdpjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\1jvvv.exec:\1jvvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\hbbbbb.exec:\hbbbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\7djdj.exec:\7djdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\nhhbtn.exec:\nhhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\fflfffl.exec:\fflfffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\hbhhhn.exec:\hbhhhn.exe17⤵
- Executes dropped EXE
PID:1860 -
\??\c:\llrlrxx.exec:\llrlrxx.exe18⤵
- Executes dropped EXE
PID:2892 -
\??\c:\7bnhhn.exec:\7bnhhn.exe19⤵
- Executes dropped EXE
PID:1060 -
\??\c:\5vvdp.exec:\5vvdp.exe20⤵
- Executes dropped EXE
PID:3028 -
\??\c:\nnttnt.exec:\nnttnt.exe21⤵
- Executes dropped EXE
PID:2024 -
\??\c:\7jpvd.exec:\7jpvd.exe22⤵
- Executes dropped EXE
PID:2196 -
\??\c:\ttnnhh.exec:\ttnnhh.exe23⤵
- Executes dropped EXE
PID:2016 -
\??\c:\7jdvd.exec:\7jdvd.exe24⤵
- Executes dropped EXE
PID:1504 -
\??\c:\5bntbh.exec:\5bntbh.exe25⤵
- Executes dropped EXE
PID:2348 -
\??\c:\jdddp.exec:\jdddp.exe26⤵
- Executes dropped EXE
PID:1748 -
\??\c:\llrrxfl.exec:\llrrxfl.exe27⤵
- Executes dropped EXE
PID:1764 -
\??\c:\5ntttb.exec:\5ntttb.exe28⤵
- Executes dropped EXE
PID:2936 -
\??\c:\rllffxx.exec:\rllffxx.exe29⤵
- Executes dropped EXE
PID:1316 -
\??\c:\7nbbnn.exec:\7nbbnn.exe30⤵
- Executes dropped EXE
PID:1484 -
\??\c:\dvjpd.exec:\dvjpd.exe31⤵
- Executes dropped EXE
PID:1500 -
\??\c:\xxfflll.exec:\xxfflll.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\lfffllr.exec:\lfffllr.exe33⤵
- Executes dropped EXE
PID:1572 -
\??\c:\3tnhnh.exec:\3tnhnh.exe34⤵
- Executes dropped EXE
PID:2452 -
\??\c:\vddvv.exec:\vddvv.exe35⤵
- Executes dropped EXE
PID:1908 -
\??\c:\ppdvj.exec:\ppdvj.exe36⤵
- Executes dropped EXE
PID:2776 -
\??\c:\lrxxxxf.exec:\lrxxxxf.exe37⤵
- Executes dropped EXE
PID:2828 -
\??\c:\nnbbbb.exec:\nnbbbb.exe38⤵
- Executes dropped EXE
PID:2136 -
\??\c:\jdddv.exec:\jdddv.exe39⤵
- Executes dropped EXE
PID:2840 -
\??\c:\jdddj.exec:\jdddj.exe40⤵
- Executes dropped EXE
PID:2784 -
\??\c:\lflxxxx.exec:\lflxxxx.exe41⤵
- Executes dropped EXE
PID:2264 -
\??\c:\bbttht.exec:\bbttht.exe42⤵
- Executes dropped EXE
PID:2832 -
\??\c:\jjpvd.exec:\jjpvd.exe43⤵
- Executes dropped EXE
PID:2708 -
\??\c:\vvjdv.exec:\vvjdv.exe44⤵
- Executes dropped EXE
PID:2076 -
\??\c:\rxflllx.exec:\rxflllx.exe45⤵
- Executes dropped EXE
PID:1228 -
\??\c:\1thhnn.exec:\1thhnn.exe46⤵
- Executes dropped EXE
PID:452 -
\??\c:\pjjdd.exec:\pjjdd.exe47⤵
- Executes dropped EXE
PID:2092 -
\??\c:\ppjvd.exec:\ppjvd.exe48⤵
- Executes dropped EXE
PID:1360 -
\??\c:\1rfflrr.exec:\1rfflrr.exe49⤵
- Executes dropped EXE
PID:2460 -
\??\c:\tntthh.exec:\tntthh.exe50⤵
- Executes dropped EXE
PID:2280 -
\??\c:\ddvjj.exec:\ddvjj.exe51⤵
- Executes dropped EXE
PID:1148 -
\??\c:\jjddj.exec:\jjddj.exe52⤵
- Executes dropped EXE
PID:2516 -
\??\c:\xllffff.exec:\xllffff.exe53⤵
- Executes dropped EXE
PID:1768 -
\??\c:\tnnntn.exec:\tnnntn.exe54⤵
- Executes dropped EXE
PID:2492 -
\??\c:\vvvvv.exec:\vvvvv.exe55⤵
- Executes dropped EXE
PID:472 -
\??\c:\pjppp.exec:\pjppp.exe56⤵
- Executes dropped EXE
PID:2576 -
\??\c:\xlrxflr.exec:\xlrxflr.exe57⤵
- Executes dropped EXE
PID:1104 -
\??\c:\tbhbhh.exec:\tbhbhh.exe58⤵
- Executes dropped EXE
PID:2168 -
\??\c:\ppddp.exec:\ppddp.exe59⤵
- Executes dropped EXE
PID:3028 -
\??\c:\5djdp.exec:\5djdp.exe60⤵
- Executes dropped EXE
PID:2140 -
\??\c:\xxrxffl.exec:\xxrxffl.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:348 -
\??\c:\hntntt.exec:\hntntt.exe62⤵
- Executes dropped EXE
PID:1272 -
\??\c:\5vjjv.exec:\5vjjv.exe63⤵
- Executes dropped EXE
PID:2016 -
\??\c:\5lxfxrx.exec:\5lxfxrx.exe64⤵
- Executes dropped EXE
PID:2360 -
\??\c:\llxxflr.exec:\llxxflr.exe65⤵
- Executes dropped EXE
PID:1204 -
\??\c:\nhnbnh.exec:\nhnbnh.exe66⤵PID:1968
-
\??\c:\ppdjv.exec:\ppdjv.exe67⤵PID:2928
-
\??\c:\5djdp.exec:\5djdp.exe68⤵PID:2112
-
\??\c:\9lrrflr.exec:\9lrrflr.exe69⤵PID:2916
-
\??\c:\7thhhh.exec:\7thhhh.exe70⤵PID:2936
-
\??\c:\dvppp.exec:\dvppp.exe71⤵PID:1876
-
\??\c:\jpvvd.exec:\jpvvd.exe72⤵PID:1992
-
\??\c:\fxxffrr.exec:\fxxffrr.exe73⤵PID:764
-
\??\c:\nhhbbt.exec:\nhhbbt.exe74⤵PID:1732
-
\??\c:\9htbnh.exec:\9htbnh.exe75⤵PID:2008
-
\??\c:\dpddp.exec:\dpddp.exe76⤵PID:3000
-
\??\c:\fxlffxf.exec:\fxlffxf.exe77⤵PID:2304
-
\??\c:\5xlllll.exec:\5xlllll.exe78⤵PID:2788
-
\??\c:\5bnnhn.exec:\5bnnhn.exe79⤵PID:2816
-
\??\c:\djdvp.exec:\djdvp.exe80⤵PID:3032
-
\??\c:\xflrxlr.exec:\xflrxlr.exe81⤵PID:2848
-
\??\c:\nhbbtb.exec:\nhbbtb.exe82⤵PID:2844
-
\??\c:\jjppv.exec:\jjppv.exe83⤵PID:2872
-
\??\c:\llrxffl.exec:\llrxffl.exe84⤵PID:2600
-
\??\c:\llxffll.exec:\llxffll.exe85⤵PID:2648
-
\??\c:\9hnhtb.exec:\9hnhtb.exe86⤵PID:2108
-
\??\c:\pdvpp.exec:\pdvpp.exe87⤵PID:2548
-
\??\c:\xflflfl.exec:\xflflfl.exe88⤵PID:2540
-
\??\c:\fllrrxl.exec:\fllrrxl.exe89⤵PID:804
-
\??\c:\nhhhtt.exec:\nhhhtt.exe90⤵PID:1948
-
\??\c:\vppjj.exec:\vppjj.exe91⤵PID:1952
-
\??\c:\ppvpv.exec:\ppvpv.exe92⤵PID:1956
-
\??\c:\fxflxxf.exec:\fxflxxf.exe93⤵PID:2424
-
\??\c:\ttnhnt.exec:\ttnhnt.exe94⤵PID:2256
-
\??\c:\bhntbb.exec:\bhntbb.exe95⤵PID:988
-
\??\c:\1vjjv.exec:\1vjjv.exe96⤵
- System Location Discovery: System Language Discovery
PID:2116 -
\??\c:\1xrxxxf.exec:\1xrxxxf.exe97⤵PID:776
-
\??\c:\5thntt.exec:\5thntt.exe98⤵PID:1492
-
\??\c:\hbbtnn.exec:\hbbtnn.exe99⤵PID:2148
-
\??\c:\dpddp.exec:\dpddp.exe100⤵PID:2212
-
\??\c:\ffxlrrl.exec:\ffxlrrl.exe101⤵PID:2168
-
\??\c:\fflrxxf.exec:\fflrxxf.exe102⤵PID:2364
-
\??\c:\9tbbbh.exec:\9tbbbh.exe103⤵PID:1892
-
\??\c:\jdvpv.exec:\jdvpv.exe104⤵PID:1600
-
\??\c:\3pdvd.exec:\3pdvd.exe105⤵PID:1452
-
\??\c:\rrfxlfr.exec:\rrfxlfr.exe106⤵PID:1504
-
\??\c:\bhntbb.exec:\bhntbb.exe107⤵PID:2564
-
\??\c:\dvddp.exec:\dvddp.exe108⤵PID:1488
-
\??\c:\3dvdd.exec:\3dvdd.exe109⤵PID:1004
-
\??\c:\rfxrrrl.exec:\rfxrrrl.exe110⤵PID:2956
-
\??\c:\3bttbb.exec:\3bttbb.exe111⤵PID:1368
-
\??\c:\bbnhnh.exec:\bbnhnh.exe112⤵PID:1316
-
\??\c:\pvjpd.exec:\pvjpd.exe113⤵PID:2904
-
\??\c:\vvppv.exec:\vvppv.exe114⤵PID:1896
-
\??\c:\9fxflxf.exec:\9fxflxf.exe115⤵PID:1072
-
\??\c:\5nhhnt.exec:\5nhhnt.exe116⤵PID:1608
-
\??\c:\9nnnhn.exec:\9nnnhn.exe117⤵PID:1572
-
\??\c:\jjpjj.exec:\jjpjj.exe118⤵PID:1036
-
\??\c:\rlxrrrr.exec:\rlxrrrr.exe119⤵PID:2736
-
\??\c:\7thbnn.exec:\7thbnn.exe120⤵PID:2804
-
\??\c:\ddjpv.exec:\ddjpv.exe121⤵PID:2368
-
\??\c:\jjjdd.exec:\jjjdd.exe122⤵PID:2816
-