Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 15:36
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe
-
Size
454KB
-
MD5
64bd3ba7a3804ae3148aee576cf84150
-
SHA1
544f7f843f7877748293b23295ae94316508fd68
-
SHA256
39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243d
-
SHA512
8b631f99e6ce55ef8d0c4bee4ff3c963433a241adb43091fc5d62f71cdbb1770a24fddf83bdfa3162bb678b7eda0310e6b8fd6e089f1e08f4bda60a3c6f8848a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/1852-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/880-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-63-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2832-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-111-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2636-100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2628-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-121-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/792-131-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2804-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/468-158-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1328-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-176-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2452-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/708-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-195-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-214-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2148-232-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/968-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-262-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1652-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-388-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1268-470-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1932-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/944-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1460-497-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1440-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/604-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2432-538-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1852-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-596-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2624-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-659-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2324-924-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2328-931-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2280-977-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3000-1074-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2080 djjjp.exe 880 lfffrfr.exe 2940 jdppd.exe 2664 flllrxl.exe 2808 dpjpv.exe 2684 jvjpj.exe 2012 hhhhnt.exe 2832 tnbhtt.exe 2872 5pvdj.exe 2636 9xfxfrf.exe 2224 jpvvd.exe 2628 7vjjv.exe 792 hbtthn.exe 1368 htnbhh.exe 2804 xxlxfxx.exe 468 tbbbnh.exe 2936 jjdpd.exe 1328 ffxxlrr.exe 2452 5rrfxfl.exe 708 1tbbhh.exe 2100 lxlllxl.exe 2504 bbnttb.exe 1312 vdjjp.exe 2148 jdvvp.exe 968 btbhtt.exe 1444 vpjjv.exe 2968 nbtbtn.exe 1456 1ttntt.exe 2960 lflxlrf.exe 2060 lrlllrl.exe 1852 1vddv.exe 1652 xrffrxl.exe 2344 htntth.exe 2896 9hntbn.exe 2108 pppdp.exe 2836 lxllrlr.exe 2956 xxrxlrf.exe 2952 3tntbh.exe 2648 vvjpd.exe 2584 jdppv.exe 2760 lfrlxxr.exe 2744 bbnbth.exe 2820 jjvpp.exe 2636 ddvvv.exe 2152 xlffrxr.exe 2328 bnhhnt.exe 1800 bnbttn.exe 2764 5pppd.exe 2924 frllxfr.exe 2620 hbntbb.exe 2788 dvpvj.exe 1464 dpjjv.exe 840 tnbbhh.exe 1328 vvddd.exe 1948 xxlxfrx.exe 2396 bbnnbb.exe 2004 jdvvd.exe 1268 xrflrrl.exe 1932 tnntbb.exe 944 pdpjj.exe 1460 tnhthh.exe 1440 9dvdj.exe 1912 jvvpd.exe 604 9lfxffr.exe -
resource yara_rule behavioral1/memory/1852-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1328-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-302-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2344-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-388-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2924-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1460-497-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1440-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/604-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-867-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2868-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-917-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-970-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-1178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-1206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-1239-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location (here, by opening the NLS\Language registry key; "Process not Found" entries are accesses whose short-lived originating process could not be resolved by the sandbox).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 2080 1852 39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe 31 PID 1852 wrote to memory of 2080 1852 39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe 31 PID 1852 wrote to memory of 2080 1852 39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe 31 PID 1852 wrote to memory of 2080 1852 39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe 31 PID 2080 wrote to memory of 880 2080 djjjp.exe 32 PID 2080 wrote to memory of 880 2080 djjjp.exe 32 PID 2080 wrote to memory of 880 2080 djjjp.exe 32 PID 2080 wrote to memory of 880 2080 djjjp.exe 32 PID 880 wrote to memory of 2940 880 lfffrfr.exe 33 PID 880 wrote to memory of 2940 880 lfffrfr.exe 33 PID 880 wrote to memory of 2940 880 lfffrfr.exe 33 PID 880 wrote to memory of 2940 880 lfffrfr.exe 33 PID 2940 wrote to memory of 2664 2940 jdppd.exe 34 PID 2940 wrote to memory of 2664 2940 jdppd.exe 34 PID 2940 wrote to memory of 2664 2940 jdppd.exe 34 PID 2940 wrote to memory of 2664 2940 jdppd.exe 34 PID 2664 wrote to memory of 2808 2664 flllrxl.exe 35 PID 2664 wrote to memory of 2808 2664 flllrxl.exe 35 PID 2664 wrote to memory of 2808 2664 flllrxl.exe 35 PID 2664 wrote to memory of 2808 2664 flllrxl.exe 35 PID 2808 wrote to memory of 2684 2808 dpjpv.exe 36 PID 2808 wrote to memory of 2684 2808 dpjpv.exe 36 PID 2808 wrote to memory of 2684 2808 dpjpv.exe 36 PID 2808 wrote to memory of 2684 2808 dpjpv.exe 36 PID 2684 wrote to memory of 2012 2684 jvjpj.exe 37 PID 2684 wrote to memory of 2012 2684 jvjpj.exe 37 PID 2684 wrote to memory of 2012 2684 jvjpj.exe 37 PID 2684 wrote to memory of 2012 2684 jvjpj.exe 37 PID 2012 wrote to memory of 2832 2012 hhhhnt.exe 38 PID 2012 wrote to memory of 2832 2012 hhhhnt.exe 38 PID 2012 wrote to memory of 2832 2012 hhhhnt.exe 38 PID 2012 wrote to memory of 2832 2012 hhhhnt.exe 38 PID 2832 wrote to memory of 2872 2832 tnbhtt.exe 39 PID 2832 wrote to memory of 
2872 2832 tnbhtt.exe 39 PID 2832 wrote to memory of 2872 2832 tnbhtt.exe 39 PID 2832 wrote to memory of 2872 2832 tnbhtt.exe 39 PID 2872 wrote to memory of 2636 2872 5pvdj.exe 74 PID 2872 wrote to memory of 2636 2872 5pvdj.exe 74 PID 2872 wrote to memory of 2636 2872 5pvdj.exe 74 PID 2872 wrote to memory of 2636 2872 5pvdj.exe 74 PID 2636 wrote to memory of 2224 2636 9xfxfrf.exe 41 PID 2636 wrote to memory of 2224 2636 9xfxfrf.exe 41 PID 2636 wrote to memory of 2224 2636 9xfxfrf.exe 41 PID 2636 wrote to memory of 2224 2636 9xfxfrf.exe 41 PID 2224 wrote to memory of 2628 2224 jpvvd.exe 42 PID 2224 wrote to memory of 2628 2224 jpvvd.exe 42 PID 2224 wrote to memory of 2628 2224 jpvvd.exe 42 PID 2224 wrote to memory of 2628 2224 jpvvd.exe 42 PID 2628 wrote to memory of 792 2628 7vjjv.exe 43 PID 2628 wrote to memory of 792 2628 7vjjv.exe 43 PID 2628 wrote to memory of 792 2628 7vjjv.exe 43 PID 2628 wrote to memory of 792 2628 7vjjv.exe 43 PID 792 wrote to memory of 1368 792 hbtthn.exe 44 PID 792 wrote to memory of 1368 792 hbtthn.exe 44 PID 792 wrote to memory of 1368 792 hbtthn.exe 44 PID 792 wrote to memory of 1368 792 hbtthn.exe 44 PID 1368 wrote to memory of 2804 1368 htnbhh.exe 45 PID 1368 wrote to memory of 2804 1368 htnbhh.exe 45 PID 1368 wrote to memory of 2804 1368 htnbhh.exe 45 PID 1368 wrote to memory of 2804 1368 htnbhh.exe 45 PID 2804 wrote to memory of 468 2804 xxlxfxx.exe 46 PID 2804 wrote to memory of 468 2804 xxlxfxx.exe 46 PID 2804 wrote to memory of 468 2804 xxlxfxx.exe 46 PID 2804 wrote to memory of 468 2804 xxlxfxx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe"C:\Users\Admin\AppData\Local\Temp\39923c59d2aff7d1f5dda03ecf3f014cd5a87e26577f7009671cc9d274c8243dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\djjjp.exec:\djjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\lfffrfr.exec:\lfffrfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\jdppd.exec:\jdppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\flllrxl.exec:\flllrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\dpjpv.exec:\dpjpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\jvjpj.exec:\jvjpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\hhhhnt.exec:\hhhhnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\tnbhtt.exec:\tnbhtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\5pvdj.exec:\5pvdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\9xfxfrf.exec:\9xfxfrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\jpvvd.exec:\jpvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\7vjjv.exec:\7vjjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\hbtthn.exec:\hbtthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
\??\c:\htnbhh.exec:\htnbhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\xxlxfxx.exec:\xxlxfxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\tbbbnh.exec:\tbbbnh.exe17⤵
- Executes dropped EXE
PID:468 -
\??\c:\jjdpd.exec:\jjdpd.exe18⤵
- Executes dropped EXE
PID:2936 -
\??\c:\ffxxlrr.exec:\ffxxlrr.exe19⤵
- Executes dropped EXE
PID:1328 -
\??\c:\5rrfxfl.exec:\5rrfxfl.exe20⤵
- Executes dropped EXE
PID:2452 -
\??\c:\1tbbhh.exec:\1tbbhh.exe21⤵
- Executes dropped EXE
PID:708 -
\??\c:\lxlllxl.exec:\lxlllxl.exe22⤵
- Executes dropped EXE
PID:2100 -
\??\c:\bbnttb.exec:\bbnttb.exe23⤵
- Executes dropped EXE
PID:2504 -
\??\c:\vdjjp.exec:\vdjjp.exe24⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jdvvp.exec:\jdvvp.exe25⤵
- Executes dropped EXE
PID:2148 -
\??\c:\btbhtt.exec:\btbhtt.exe26⤵
- Executes dropped EXE
PID:968 -
\??\c:\vpjjv.exec:\vpjjv.exe27⤵
- Executes dropped EXE
PID:1444 -
\??\c:\nbtbtn.exec:\nbtbtn.exe28⤵
- Executes dropped EXE
PID:2968 -
\??\c:\1ttntt.exec:\1ttntt.exe29⤵
- Executes dropped EXE
PID:1456 -
\??\c:\lflxlrf.exec:\lflxlrf.exe30⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lrlllrl.exec:\lrlllrl.exe31⤵
- Executes dropped EXE
PID:2060 -
\??\c:\1vddv.exec:\1vddv.exe32⤵
- Executes dropped EXE
PID:1852 -
\??\c:\xrffrxl.exec:\xrffrxl.exe33⤵
- Executes dropped EXE
PID:1652 -
\??\c:\htntth.exec:\htntth.exe34⤵
- Executes dropped EXE
PID:2344 -
\??\c:\9hntbn.exec:\9hntbn.exe35⤵
- Executes dropped EXE
PID:2896 -
\??\c:\pppdp.exec:\pppdp.exe36⤵
- Executes dropped EXE
PID:2108 -
\??\c:\lxllrlr.exec:\lxllrlr.exe37⤵
- Executes dropped EXE
PID:2836 -
\??\c:\xxrxlrf.exec:\xxrxlrf.exe38⤵
- Executes dropped EXE
PID:2956 -
\??\c:\3tntbh.exec:\3tntbh.exe39⤵
- Executes dropped EXE
PID:2952 -
\??\c:\vvjpd.exec:\vvjpd.exe40⤵
- Executes dropped EXE
PID:2648 -
\??\c:\jdppv.exec:\jdppv.exe41⤵
- Executes dropped EXE
PID:2584 -
\??\c:\lfrlxxr.exec:\lfrlxxr.exe42⤵
- Executes dropped EXE
PID:2760 -
\??\c:\bbnbth.exec:\bbnbth.exe43⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jjvpp.exec:\jjvpp.exe44⤵
- Executes dropped EXE
PID:2820 -
\??\c:\ddvvv.exec:\ddvvv.exe45⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xlffrxr.exec:\xlffrxr.exe46⤵
- Executes dropped EXE
PID:2152 -
\??\c:\bnhhnt.exec:\bnhhnt.exe47⤵
- Executes dropped EXE
PID:2328 -
\??\c:\bnbttn.exec:\bnbttn.exe48⤵
- Executes dropped EXE
PID:1800 -
\??\c:\5pppd.exec:\5pppd.exe49⤵
- Executes dropped EXE
PID:2764 -
\??\c:\frllxfr.exec:\frllxfr.exe50⤵
- Executes dropped EXE
PID:2924 -
\??\c:\hbntbb.exec:\hbntbb.exe51⤵
- Executes dropped EXE
PID:2620 -
\??\c:\dvpvj.exec:\dvpvj.exe52⤵
- Executes dropped EXE
PID:2788 -
\??\c:\dpjjv.exec:\dpjjv.exe53⤵
- Executes dropped EXE
PID:1464 -
\??\c:\tnbbhh.exec:\tnbbhh.exe54⤵
- Executes dropped EXE
PID:840 -
\??\c:\vvddd.exec:\vvddd.exe55⤵
- Executes dropped EXE
PID:1328 -
\??\c:\xxlxfrx.exec:\xxlxfrx.exe56⤵
- Executes dropped EXE
PID:1948 -
\??\c:\bbnnbb.exec:\bbnnbb.exe57⤵
- Executes dropped EXE
PID:2396 -
\??\c:\jdvvd.exec:\jdvvd.exe58⤵
- Executes dropped EXE
PID:2004 -
\??\c:\xrflrrl.exec:\xrflrrl.exe59⤵
- Executes dropped EXE
PID:1268 -
\??\c:\tnntbb.exec:\tnntbb.exe60⤵
- Executes dropped EXE
PID:1932 -
\??\c:\pdpjj.exec:\pdpjj.exe61⤵
- Executes dropped EXE
PID:944 -
\??\c:\tnhthh.exec:\tnhthh.exe62⤵
- Executes dropped EXE
PID:1460 -
\??\c:\9dvdj.exec:\9dvdj.exe63⤵
- Executes dropped EXE
PID:1440 -
\??\c:\jvvpd.exec:\jvvpd.exe64⤵
- Executes dropped EXE
PID:1912 -
\??\c:\9lfxffr.exec:\9lfxffr.exe65⤵
- Executes dropped EXE
PID:604 -
\??\c:\nbbtbb.exec:\nbbtbb.exe66⤵PID:1444
-
\??\c:\ddvdp.exec:\ddvdp.exe67⤵PID:3016
-
\??\c:\3pjjd.exec:\3pjjd.exe68⤵PID:2432
-
\??\c:\llxflrf.exec:\llxflrf.exe69⤵PID:2440
-
\??\c:\hhbthn.exec:\hhbthn.exe70⤵PID:2496
-
\??\c:\3hbbhh.exec:\3hbbhh.exe71⤵PID:2060
-
\??\c:\pdpvd.exec:\pdpvd.exe72⤵PID:1852
-
\??\c:\frllrrx.exec:\frllrrx.exe73⤵PID:1532
-
\??\c:\3fxrrxl.exec:\3fxrrxl.exe74⤵PID:2360
-
\??\c:\hhbhtb.exec:\hhbhtb.exe75⤵PID:2640
-
\??\c:\pjjvj.exec:\pjjvj.exe76⤵PID:2272
-
\??\c:\vjddp.exec:\vjddp.exe77⤵PID:2664
-
\??\c:\bbtbnt.exec:\bbtbnt.exe78⤵PID:2808
-
\??\c:\5tntbb.exec:\5tntbb.exe79⤵PID:2956
-
\??\c:\ddpdd.exec:\ddpdd.exe80⤵PID:2952
-
\??\c:\vvddv.exec:\vvddv.exe81⤵PID:2648
-
\??\c:\llxlxfx.exec:\llxlxfx.exe82⤵PID:2584
-
\??\c:\lffrlrl.exec:\lffrlrl.exe83⤵PID:2624
-
\??\c:\btbhnn.exec:\btbhnn.exe84⤵PID:2732
-
\??\c:\vjvvv.exec:\vjvvv.exe85⤵PID:2820
-
\??\c:\jdvjp.exec:\jdvjp.exe86⤵PID:1480
-
\??\c:\3fxxfrx.exec:\3fxxfrx.exe87⤵PID:2628
-
\??\c:\frlxllx.exec:\frlxllx.exe88⤵PID:2876
-
\??\c:\1ntttb.exec:\1ntttb.exe89⤵
- System Location Discovery: System Language Discovery
PID:792 -
\??\c:\jpjpv.exec:\jpjpv.exe90⤵PID:484
-
\??\c:\xxrflrx.exec:\xxrflrx.exe91⤵PID:1728
-
\??\c:\llrrfxf.exec:\llrrfxf.exe92⤵PID:1548
-
\??\c:\3hhnnt.exec:\3hhnnt.exe93⤵PID:1144
-
\??\c:\3btttb.exec:\3btttb.exe94⤵PID:1364
-
\??\c:\vpdjv.exec:\vpdjv.exe95⤵PID:1984
-
\??\c:\lffllfr.exec:\lffllfr.exe96⤵PID:872
-
\??\c:\ffxxxfl.exec:\ffxxxfl.exe97⤵PID:2216
-
\??\c:\hbtbhb.exec:\hbtbhb.exe98⤵PID:2392
-
\??\c:\jjdjp.exec:\jjdjp.exe99⤵PID:1036
-
\??\c:\pjjvj.exec:\pjjvj.exe100⤵PID:1008
-
\??\c:\rrlfrlf.exec:\rrlfrlf.exe101⤵PID:1268
-
\??\c:\tnbntb.exec:\tnbntb.exe102⤵PID:1448
-
\??\c:\bbtbtb.exec:\bbtbtb.exe103⤵PID:1956
-
\??\c:\1dddj.exec:\1dddj.exe104⤵PID:1748
-
\??\c:\xlflxxr.exec:\xlflxxr.exe105⤵PID:1740
-
\??\c:\7xffrxf.exec:\7xffrxf.exe106⤵PID:968
-
\??\c:\3nhbbb.exec:\3nhbbb.exe107⤵PID:2424
-
\??\c:\vpjjj.exec:\vpjjj.exe108⤵PID:2232
-
\??\c:\jvjpd.exec:\jvjpd.exe109⤵PID:2296
-
\??\c:\frlrflx.exec:\frlrflx.exe110⤵PID:3016
-
\??\c:\nhnnhn.exec:\nhnnhn.exe111⤵PID:2432
-
\??\c:\nbnnbh.exec:\nbnnbh.exe112⤵PID:2332
-
\??\c:\9ddjv.exec:\9ddjv.exe113⤵PID:2072
-
\??\c:\fxrlffl.exec:\fxrlffl.exe114⤵PID:1764
-
\??\c:\rlxxxfl.exec:\rlxxxfl.exe115⤵PID:1648
-
\??\c:\ntntth.exec:\ntntth.exe116⤵PID:2376
-
\??\c:\vdvvp.exec:\vdvvp.exe117⤵PID:2248
-
\??\c:\7vvpv.exec:\7vvpv.exe118⤵PID:880
-
\??\c:\7lxffll.exec:\7lxffll.exe119⤵PID:2700
-
\??\c:\9ththn.exec:\9ththn.exe120⤵PID:2852
-
\??\c:\3hbhnt.exec:\3hbhnt.exe121⤵PID:2864
-
\??\c:\ddpvj.exec:\ddpvj.exe122⤵PID:2748