Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 05:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe
-
Size
455KB
-
MD5
b02d0f5dbca4b4a74000cc28ff1a8c2f
-
SHA1
6febccd3d37816c5f48aab0399f2a9ea2302d2fe
-
SHA256
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209
-
SHA512
bbf03096c35eca93a9b9a3239ee19cc8d2ca525e991158aa65b19631cd15a1988f4c1ade992eeb6c6afb4cbaa46841f936677fac57bd42ee8f87d612ada9cfb5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2084-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1212-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-71-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1908-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-109-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2452-108-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2660-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-138-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon behavioral1/memory/668-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-176-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon behavioral1/memory/2956-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2136-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1188-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-266-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1724-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-322-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1592-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-614-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2344-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-824-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2616-960-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2816-985-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1248-1135-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1212 vvjpv.exe 1920 rrllrrf.exe 2264 bbhhnt.exe 792 ppdjp.exe 2860 xxfrxxf.exe 2184 xfxffxx.exe 2608 nthhtb.exe 2636 ppvvd.exe 1908 ttnntb.exe 2772 rfllllr.exe 2452 nnhnbh.exe 800 pjvvd.exe 2660 flrlllr.exe 284 hnbhnb.exe 1284 hhnntt.exe 668 9xrxfll.exe 1744 rxrlrrf.exe 2956 rrxrrrr.exe 2428 bntntt.exe 2136 rlxxffr.exe 1648 5bnnnt.exe 2584 nnbbbb.exe 1188 lfrlffl.exe 2500 bttttt.exe 1756 dvdvd.exe 2100 nhhbhb.exe 1796 1bttbb.exe 1988 rlxxxff.exe 1752 rxlflrx.exe 1724 tnnnnt.exe 2340 xxffflx.exe 1088 3lrllll.exe 2400 vpvvv.exe 2324 hbhhhn.exe 2448 thhhtt.exe 2488 vpppv.exe 1592 1fxrrll.exe 2264 xxrllll.exe 2748 hnbhnh.exe 2880 pdvjj.exe 2756 dvddd.exe 2472 fflffll.exe 2760 bthhnn.exe 2688 bhnntt.exe 2836 3vjjd.exe 2628 ffllllr.exe 2616 9frrffl.exe 2240 nnttbt.exe 2228 1thbbb.exe 2204 1pvpp.exe 1072 rlflffl.exe 684 9xrxffl.exe 1516 3nhhbb.exe 988 1jppp.exe 952 3pvvd.exe 1816 ffxrlfx.exe 2020 9bnhhh.exe 1108 ttbbbn.exe 2992 ppvjp.exe 2376 1vjjp.exe 1268 3lrllff.exe 2052 7thhbh.exe 2068 ppppd.exe 636 pjpjp.exe -
resource yara_rule behavioral1/memory/2084-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1188-219-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2500-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1108-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/608-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-614-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2344-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-821-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-921-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-947-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2816-985-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-986-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-1059-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-1086-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-1117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-1213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-1238-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbhhn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 1212 2084 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 30 PID 2084 wrote to memory of 1212 2084 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 30 PID 2084 wrote to memory of 1212 2084 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 30 PID 2084 wrote to memory of 1212 2084 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 30 PID 1212 wrote to memory of 1920 1212 vvjpv.exe 31 PID 1212 wrote to memory of 1920 1212 vvjpv.exe 31 PID 1212 wrote to memory of 1920 1212 vvjpv.exe 31 PID 1212 wrote to memory of 1920 1212 vvjpv.exe 31 PID 1920 wrote to memory of 2264 1920 rrllrrf.exe 32 PID 1920 wrote to memory of 2264 1920 rrllrrf.exe 32 PID 1920 wrote to memory of 2264 1920 rrllrrf.exe 32 PID 1920 wrote to memory of 2264 1920 rrllrrf.exe 32 PID 2264 wrote to memory of 792 2264 bbhhnt.exe 33 PID 2264 wrote to memory of 792 2264 bbhhnt.exe 33 PID 2264 wrote to memory of 792 2264 bbhhnt.exe 33 PID 2264 wrote to memory of 792 2264 bbhhnt.exe 33 PID 792 wrote to memory of 2860 792 ppdjp.exe 34 PID 792 wrote to memory of 2860 792 ppdjp.exe 34 PID 792 wrote to memory of 2860 792 ppdjp.exe 34 PID 792 wrote to memory of 2860 792 ppdjp.exe 34 PID 2860 wrote to memory of 2184 2860 xxfrxxf.exe 35 PID 2860 wrote to memory of 2184 2860 xxfrxxf.exe 35 PID 2860 wrote to memory of 2184 2860 xxfrxxf.exe 35 PID 2860 wrote to memory of 2184 2860 xxfrxxf.exe 35 PID 2184 wrote to memory of 2608 2184 xfxffxx.exe 36 PID 2184 wrote to memory of 2608 2184 xfxffxx.exe 36 PID 2184 wrote to memory of 2608 2184 xfxffxx.exe 36 PID 2184 wrote to memory of 2608 2184 xfxffxx.exe 36 PID 2608 wrote to memory of 2636 2608 nthhtb.exe 37 PID 2608 wrote to memory of 2636 2608 nthhtb.exe 37 PID 2608 wrote to memory of 2636 2608 nthhtb.exe 37 PID 2608 wrote to memory of 2636 2608 nthhtb.exe 37 PID 2636 wrote to memory of 1908 2636 ppvvd.exe 38 PID 2636 wrote to 
memory of 1908 2636 ppvvd.exe 38 PID 2636 wrote to memory of 1908 2636 ppvvd.exe 38 PID 2636 wrote to memory of 1908 2636 ppvvd.exe 38 PID 1908 wrote to memory of 2772 1908 ttnntb.exe 39 PID 1908 wrote to memory of 2772 1908 ttnntb.exe 39 PID 1908 wrote to memory of 2772 1908 ttnntb.exe 39 PID 1908 wrote to memory of 2772 1908 ttnntb.exe 39 PID 2772 wrote to memory of 2452 2772 rfllllr.exe 40 PID 2772 wrote to memory of 2452 2772 rfllllr.exe 40 PID 2772 wrote to memory of 2452 2772 rfllllr.exe 40 PID 2772 wrote to memory of 2452 2772 rfllllr.exe 40 PID 2452 wrote to memory of 800 2452 nnhnbh.exe 41 PID 2452 wrote to memory of 800 2452 nnhnbh.exe 41 PID 2452 wrote to memory of 800 2452 nnhnbh.exe 41 PID 2452 wrote to memory of 800 2452 nnhnbh.exe 41 PID 800 wrote to memory of 2660 800 pjvvd.exe 42 PID 800 wrote to memory of 2660 800 pjvvd.exe 42 PID 800 wrote to memory of 2660 800 pjvvd.exe 42 PID 800 wrote to memory of 2660 800 pjvvd.exe 42 PID 2660 wrote to memory of 284 2660 flrlllr.exe 43 PID 2660 wrote to memory of 284 2660 flrlllr.exe 43 PID 2660 wrote to memory of 284 2660 flrlllr.exe 43 PID 2660 wrote to memory of 284 2660 flrlllr.exe 43 PID 284 wrote to memory of 1284 284 hnbhnb.exe 44 PID 284 wrote to memory of 1284 284 hnbhnb.exe 44 PID 284 wrote to memory of 1284 284 hnbhnb.exe 44 PID 284 wrote to memory of 1284 284 hnbhnb.exe 44 PID 1284 wrote to memory of 668 1284 hhnntt.exe 45 PID 1284 wrote to memory of 668 1284 hhnntt.exe 45 PID 1284 wrote to memory of 668 1284 hhnntt.exe 45 PID 1284 wrote to memory of 668 1284 hhnntt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe"C:\Users\Admin\AppData\Local\Temp\c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\vvjpv.exec:\vvjpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\rrllrrf.exec:\rrllrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\bbhhnt.exec:\bbhhnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\ppdjp.exec:\ppdjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
\??\c:\xxfrxxf.exec:\xxfrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\xfxffxx.exec:\xfxffxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\nthhtb.exec:\nthhtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\ppvvd.exec:\ppvvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\ttnntb.exec:\ttnntb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\rfllllr.exec:\rfllllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\nnhnbh.exec:\nnhnbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\pjvvd.exec:\pjvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\flrlllr.exec:\flrlllr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\hnbhnb.exec:\hnbhnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:284 -
\??\c:\hhnntt.exec:\hhnntt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\9xrxfll.exec:\9xrxfll.exe17⤵
- Executes dropped EXE
PID:668 -
\??\c:\rxrlrrf.exec:\rxrlrrf.exe18⤵
- Executes dropped EXE
PID:1744 -
\??\c:\rrxrrrr.exec:\rrxrrrr.exe19⤵
- Executes dropped EXE
PID:2956 -
\??\c:\bntntt.exec:\bntntt.exe20⤵
- Executes dropped EXE
PID:2428 -
\??\c:\rlxxffr.exec:\rlxxffr.exe21⤵
- Executes dropped EXE
PID:2136 -
\??\c:\5bnnnt.exec:\5bnnnt.exe22⤵
- Executes dropped EXE
PID:1648 -
\??\c:\nnbbbb.exec:\nnbbbb.exe23⤵
- Executes dropped EXE
PID:2584 -
\??\c:\lfrlffl.exec:\lfrlffl.exe24⤵
- Executes dropped EXE
PID:1188 -
\??\c:\bttttt.exec:\bttttt.exe25⤵
- Executes dropped EXE
PID:2500 -
\??\c:\dvdvd.exec:\dvdvd.exe26⤵
- Executes dropped EXE
PID:1756 -
\??\c:\nhhbhb.exec:\nhhbhb.exe27⤵
- Executes dropped EXE
PID:2100 -
\??\c:\1bttbb.exec:\1bttbb.exe28⤵
- Executes dropped EXE
PID:1796 -
\??\c:\rlxxxff.exec:\rlxxxff.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
\??\c:\rxlflrx.exec:\rxlflrx.exe30⤵
- Executes dropped EXE
PID:1752 -
\??\c:\tnnnnt.exec:\tnnnnt.exe31⤵
- Executes dropped EXE
PID:1724 -
\??\c:\xxffflx.exec:\xxffflx.exe32⤵
- Executes dropped EXE
PID:2340 -
\??\c:\3lrllll.exec:\3lrllll.exe33⤵
- Executes dropped EXE
PID:1088 -
\??\c:\vpvvv.exec:\vpvvv.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400 -
\??\c:\hbhhhn.exec:\hbhhhn.exe35⤵
- Executes dropped EXE
PID:2324 -
\??\c:\thhhtt.exec:\thhhtt.exe36⤵
- Executes dropped EXE
PID:2448 -
\??\c:\vpppv.exec:\vpppv.exe37⤵
- Executes dropped EXE
PID:2488 -
\??\c:\1fxrrll.exec:\1fxrrll.exe38⤵
- Executes dropped EXE
PID:1592 -
\??\c:\xxrllll.exec:\xxrllll.exe39⤵
- Executes dropped EXE
PID:2264 -
\??\c:\hnbhnh.exec:\hnbhnh.exe40⤵
- Executes dropped EXE
PID:2748 -
\??\c:\pdvjj.exec:\pdvjj.exe41⤵
- Executes dropped EXE
PID:2880 -
\??\c:\dvddd.exec:\dvddd.exe42⤵
- Executes dropped EXE
PID:2756 -
\??\c:\fflffll.exec:\fflffll.exe43⤵
- Executes dropped EXE
PID:2472 -
\??\c:\bthhnn.exec:\bthhnn.exe44⤵
- Executes dropped EXE
PID:2760 -
\??\c:\bhnntt.exec:\bhnntt.exe45⤵
- Executes dropped EXE
PID:2688 -
\??\c:\3vjjd.exec:\3vjjd.exe46⤵
- Executes dropped EXE
PID:2836 -
\??\c:\ffllllr.exec:\ffllllr.exe47⤵
- Executes dropped EXE
PID:2628 -
\??\c:\9frrffl.exec:\9frrffl.exe48⤵
- Executes dropped EXE
PID:2616 -
\??\c:\nnttbt.exec:\nnttbt.exe49⤵
- Executes dropped EXE
PID:2240 -
\??\c:\1thbbb.exec:\1thbbb.exe50⤵
- Executes dropped EXE
PID:2228 -
\??\c:\1pvpp.exec:\1pvpp.exe51⤵
- Executes dropped EXE
PID:2204 -
\??\c:\rlflffl.exec:\rlflffl.exe52⤵
- Executes dropped EXE
PID:1072 -
\??\c:\9xrxffl.exec:\9xrxffl.exe53⤵
- Executes dropped EXE
PID:684 -
\??\c:\3nhhbb.exec:\3nhhbb.exe54⤵
- Executes dropped EXE
PID:1516 -
\??\c:\1jppp.exec:\1jppp.exe55⤵
- Executes dropped EXE
PID:988 -
\??\c:\3pvvd.exec:\3pvvd.exe56⤵
- Executes dropped EXE
PID:952 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe57⤵
- Executes dropped EXE
PID:1816 -
\??\c:\9bnhhh.exec:\9bnhhh.exe58⤵
- Executes dropped EXE
PID:2020 -
\??\c:\ttbbbn.exec:\ttbbbn.exe59⤵
- Executes dropped EXE
PID:1108 -
\??\c:\ppvjp.exec:\ppvjp.exe60⤵
- Executes dropped EXE
PID:2992 -
\??\c:\1vjjp.exec:\1vjjp.exe61⤵
- Executes dropped EXE
PID:2376 -
\??\c:\3lrllff.exec:\3lrllff.exe62⤵
- Executes dropped EXE
PID:1268 -
\??\c:\7thhbh.exec:\7thhbh.exe63⤵
- Executes dropped EXE
PID:2052 -
\??\c:\ppppd.exec:\ppppd.exe64⤵
- Executes dropped EXE
PID:2068 -
\??\c:\pjpjp.exec:\pjpjp.exe65⤵
- Executes dropped EXE
PID:636 -
\??\c:\5llllfr.exec:\5llllfr.exe66⤵PID:956
-
\??\c:\nnthhh.exec:\nnthhh.exe67⤵PID:292
-
\??\c:\tttntb.exec:\tttntb.exe68⤵PID:2500
-
\??\c:\dvvpv.exec:\dvvpv.exe69⤵PID:608
-
\??\c:\jpvdv.exec:\jpvdv.exe70⤵PID:1676
-
\??\c:\5rfxfll.exec:\5rfxfll.exe71⤵PID:1692
-
\??\c:\tbhhtt.exec:\tbhhtt.exe72⤵PID:1796
-
\??\c:\pjjdd.exec:\pjjdd.exe73⤵PID:1988
-
\??\c:\7jvdd.exec:\7jvdd.exe74⤵PID:2520
-
\??\c:\xrllffx.exec:\xrllffx.exe75⤵PID:1900
-
\??\c:\lllffxx.exec:\lllffxx.exe76⤵PID:2792
-
\??\c:\7tbbtb.exec:\7tbbtb.exe77⤵PID:1084
-
\??\c:\jpvpp.exec:\jpvpp.exe78⤵PID:2040
-
\??\c:\5dpjp.exec:\5dpjp.exe79⤵PID:2032
-
\??\c:\5xlllll.exec:\5xlllll.exe80⤵PID:2400
-
\??\c:\bbbbbb.exec:\bbbbbb.exe81⤵PID:1916
-
\??\c:\tntbtt.exec:\tntbtt.exe82⤵PID:2448
-
\??\c:\1djvp.exec:\1djvp.exe83⤵PID:1596
-
\??\c:\7lrffff.exec:\7lrffff.exe84⤵PID:1592
-
\??\c:\1lrfllr.exec:\1lrfllr.exe85⤵PID:2864
-
\??\c:\3nbttb.exec:\3nbttb.exe86⤵PID:2848
-
\??\c:\pjvdj.exec:\pjvdj.exe87⤵PID:2292
-
\??\c:\lrxrrll.exec:\lrxrrll.exe88⤵
- System Location Discovery: System Language Discovery
PID:1932 -
\??\c:\5rfxxrr.exec:\5rfxxrr.exe89⤵PID:2344
-
\??\c:\1nhhtn.exec:\1nhhtn.exe90⤵PID:2928
-
\??\c:\dvvvv.exec:\dvvvv.exe91⤵PID:2688
-
\??\c:\jvddd.exec:\jvddd.exe92⤵PID:2044
-
\??\c:\9frrxxf.exec:\9frrxxf.exe93⤵PID:1984
-
\??\c:\xxfxlxf.exec:\xxfxlxf.exe94⤵PID:2672
-
\??\c:\7hhnnt.exec:\7hhnnt.exe95⤵PID:768
-
\??\c:\1vjdj.exec:\1vjdj.exe96⤵PID:884
-
\??\c:\dvjdj.exec:\dvjdj.exe97⤵PID:2800
-
\??\c:\rlrlfxf.exec:\rlrlfxf.exe98⤵PID:2660
-
\??\c:\tttnhh.exec:\tttnhh.exe99⤵PID:2812
-
\??\c:\7hnhbt.exec:\7hnhbt.exe100⤵PID:2668
-
\??\c:\5pjdd.exec:\5pjdd.exe101⤵PID:1168
-
\??\c:\3pddv.exec:\3pddv.exe102⤵PID:1636
-
\??\c:\xrxfxff.exec:\xrxfxff.exe103⤵PID:1520
-
\??\c:\bnnhbb.exec:\bnnhbb.exe104⤵PID:2940
-
\??\c:\jjjdv.exec:\jjjdv.exe105⤵PID:580
-
\??\c:\pdjjp.exec:\pdjjp.exe106⤵PID:2116
-
\??\c:\rlxxllr.exec:\rlxxllr.exe107⤵PID:2444
-
\??\c:\fxxfflr.exec:\fxxfflr.exe108⤵PID:560
-
\??\c:\hbhhhn.exec:\hbhhhn.exe109⤵PID:1280
-
\??\c:\5pdpp.exec:\5pdpp.exe110⤵PID:2584
-
\??\c:\rxlrflx.exec:\rxlrflx.exe111⤵PID:1616
-
\??\c:\5xffrlr.exec:\5xffrlr.exe112⤵PID:2824
-
\??\c:\3thbhb.exec:\3thbhb.exe113⤵PID:2568
-
\??\c:\nnhthb.exec:\nnhthb.exe114⤵PID:3056
-
\??\c:\ppvvp.exec:\ppvvp.exe115⤵PID:2100
-
\??\c:\rrrrrxx.exec:\rrrrrxx.exe116⤵PID:744
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe117⤵PID:2120
-
\??\c:\hbhbhb.exec:\hbhbhb.exe118⤵PID:1912
-
\??\c:\pjjdv.exec:\pjjdv.exe119⤵PID:1952
-
\??\c:\jvjdd.exec:\jvjdd.exe120⤵PID:556
-
\??\c:\flxrxxf.exec:\flxrxxf.exe121⤵PID:2476
-
\??\c:\9xllfll.exec:\9xllfll.exe122⤵PID:1652