Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:58
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe
-
Size
456KB
-
MD5
c314a6af750bbbba8917583ff80eb4e3
-
SHA1
710e13ae554efc2c8ae7c23cc3a8887b08940648
-
SHA256
830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6
-
SHA512
152a854844b6c89e3295777a3fc05a067714a2fbeb24cd87cc0f66123abe23ab5aa2a94dda63c5325efd5d0e918bce1509565176dc20ff4dcf36cb6ccd786840
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRC:q7Tc2NYHUrAwfMp3CDRC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/1768-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-66-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2640-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-85-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2560-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1956-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/700-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/756-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-536-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1556-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-667-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2528-666-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2632-670-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2052-681-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2924-701-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1192-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1192-709-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/936-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2060-880-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2108-920-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-933-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2468 bnnttb.exe 1920 xllxrff.exe 2012 ppdvj.exe 2404 rlflrfr.exe 2808 hbnnnt.exe 2640 1pddj.exe 536 5llrlxl.exe 2560 xxlrflr.exe 2824 3ddpp.exe 2604 fxlllrl.exe 2152 djjpv.exe 2776 jdvdj.exe 2940 nhnbnn.exe 2036 jdvvp.exe 2520 tnnhtn.exe 2836 1hbntb.exe 2432 7lflrrf.exe 1756 5frxrxl.exe 2928 dddjd.exe 1916 xxlxflr.exe 2116 dvpjj.exe 1616 rlllffr.exe 880 5bhnbb.exe 1624 pjpvv.exe 908 btntbb.exe 1596 vppvj.exe 1740 lfxflrl.exe 2300 1htbtb.exe 1088 xrfxfff.exe 1888 xllfflr.exe 772 jjjjp.exe 1956 7lfrxlr.exe 1520 vpjpv.exe 3052 vvpdj.exe 2976 lffflrr.exe 700 nbtbnt.exe 2744 dvppp.exe 2808 pjddd.exe 756 9rlflrx.exe 2828 nntbnn.exe 2804 nhnhbn.exe 2580 jjdvj.exe 2824 lrxxflr.exe 2548 tbbhtt.exe 2704 nbtbhh.exe 2700 dvvjv.exe 2768 fxrxffr.exe 2776 5nhnhh.exe 2788 bbtthn.exe 2436 5vvdv.exe 848 lxxrxxx.exe 2800 nhtthb.exe 1724 9nhntt.exe 1728 ddvdv.exe 1368 xxrlxxf.exe 2912 9rrlxxl.exe 1612 3tntht.exe 2572 7pvjj.exe 2120 vvpvj.exe 2356 ffxxrlx.exe 2016 hbbhtt.exe 992 nhbbhn.exe 844 pjvvv.exe 1272 pjpvj.exe -
resource yara_rule behavioral1/memory/1768-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-83-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2824-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-303-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1520-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/756-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-717-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2008-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-933-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here, by opening the NLS\Language registry key).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1768 wrote to memory of 2468 1768 830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe 30 PID 1768 wrote to memory of 2468 1768 830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe 30 PID 1768 wrote to memory of 2468 1768 830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe 30 PID 1768 wrote to memory of 2468 1768 830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe 30 PID 2468 wrote to memory of 1920 2468 bnnttb.exe 31 PID 2468 wrote to memory of 1920 2468 bnnttb.exe 31 PID 2468 wrote to memory of 1920 2468 bnnttb.exe 31 PID 2468 wrote to memory of 1920 2468 bnnttb.exe 31 PID 1920 wrote to memory of 2012 1920 xllxrff.exe 32 PID 1920 wrote to memory of 2012 1920 xllxrff.exe 32 PID 1920 wrote to memory of 2012 1920 xllxrff.exe 32 PID 1920 wrote to memory of 2012 1920 xllxrff.exe 32 PID 2012 wrote to memory of 2404 2012 ppdvj.exe 33 PID 2012 wrote to memory of 2404 2012 ppdvj.exe 33 PID 2012 wrote to memory of 2404 2012 ppdvj.exe 33 PID 2012 wrote to memory of 2404 2012 ppdvj.exe 33 PID 2404 wrote to memory of 2808 2404 rlflrfr.exe 34 PID 2404 wrote to memory of 2808 2404 rlflrfr.exe 34 PID 2404 wrote to memory of 2808 2404 rlflrfr.exe 34 PID 2404 wrote to memory of 2808 2404 rlflrfr.exe 34 PID 2808 wrote to memory of 2640 2808 hbnnnt.exe 35 PID 2808 wrote to memory of 2640 2808 hbnnnt.exe 35 PID 2808 wrote to memory of 2640 2808 hbnnnt.exe 35 PID 2808 wrote to memory of 2640 2808 hbnnnt.exe 35 PID 2640 wrote to memory of 536 2640 1pddj.exe 36 PID 2640 wrote to memory of 536 2640 1pddj.exe 36 PID 2640 wrote to memory of 536 2640 1pddj.exe 36 PID 2640 wrote to memory of 536 2640 1pddj.exe 36 PID 536 wrote to memory of 2560 536 5llrlxl.exe 37 PID 536 wrote to memory of 2560 536 5llrlxl.exe 37 PID 536 wrote to memory of 2560 536 5llrlxl.exe 37 PID 536 wrote to memory of 2560 536 5llrlxl.exe 37 PID 2560 wrote to memory of 2824 2560 xxlrflr.exe 38 PID 2560 wrote to 
memory of 2824 2560 xxlrflr.exe 38 PID 2560 wrote to memory of 2824 2560 xxlrflr.exe 38 PID 2560 wrote to memory of 2824 2560 xxlrflr.exe 38 PID 2824 wrote to memory of 2604 2824 3ddpp.exe 39 PID 2824 wrote to memory of 2604 2824 3ddpp.exe 39 PID 2824 wrote to memory of 2604 2824 3ddpp.exe 39 PID 2824 wrote to memory of 2604 2824 3ddpp.exe 39 PID 2604 wrote to memory of 2152 2604 fxlllrl.exe 40 PID 2604 wrote to memory of 2152 2604 fxlllrl.exe 40 PID 2604 wrote to memory of 2152 2604 fxlllrl.exe 40 PID 2604 wrote to memory of 2152 2604 fxlllrl.exe 40 PID 2152 wrote to memory of 2776 2152 djjpv.exe 41 PID 2152 wrote to memory of 2776 2152 djjpv.exe 41 PID 2152 wrote to memory of 2776 2152 djjpv.exe 41 PID 2152 wrote to memory of 2776 2152 djjpv.exe 41 PID 2776 wrote to memory of 2940 2776 jdvdj.exe 42 PID 2776 wrote to memory of 2940 2776 jdvdj.exe 42 PID 2776 wrote to memory of 2940 2776 jdvdj.exe 42 PID 2776 wrote to memory of 2940 2776 jdvdj.exe 42 PID 2940 wrote to memory of 2036 2940 nhnbnn.exe 43 PID 2940 wrote to memory of 2036 2940 nhnbnn.exe 43 PID 2940 wrote to memory of 2036 2940 nhnbnn.exe 43 PID 2940 wrote to memory of 2036 2940 nhnbnn.exe 43 PID 2036 wrote to memory of 2520 2036 jdvvp.exe 44 PID 2036 wrote to memory of 2520 2036 jdvvp.exe 44 PID 2036 wrote to memory of 2520 2036 jdvvp.exe 44 PID 2036 wrote to memory of 2520 2036 jdvvp.exe 44 PID 2520 wrote to memory of 2836 2520 tnnhtn.exe 45 PID 2520 wrote to memory of 2836 2520 tnnhtn.exe 45 PID 2520 wrote to memory of 2836 2520 tnnhtn.exe 45 PID 2520 wrote to memory of 2836 2520 tnnhtn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe"C:\Users\Admin\AppData\Local\Temp\830b8c7973cfd5d8f411062e3c835ee584d061e6a75aa3c38b6dbd9095eeb9c6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\bnnttb.exec:\bnnttb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\xllxrff.exec:\xllxrff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\ppdvj.exec:\ppdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\rlflrfr.exec:\rlflrfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\hbnnnt.exec:\hbnnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\1pddj.exec:\1pddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\5llrlxl.exec:\5llrlxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\xxlrflr.exec:\xxlrflr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\3ddpp.exec:\3ddpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\fxlllrl.exec:\fxlllrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\djjpv.exec:\djjpv.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\jdvdj.exec:\jdvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\nhnbnn.exec:\nhnbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\jdvvp.exec:\jdvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\tnnhtn.exec:\tnnhtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\1hbntb.exec:\1hbntb.exe17⤵
- Executes dropped EXE
PID:2836 -
\??\c:\7lflrrf.exec:\7lflrrf.exe18⤵
- Executes dropped EXE
PID:2432 -
\??\c:\5frxrxl.exec:\5frxrxl.exe19⤵
- Executes dropped EXE
PID:1756 -
\??\c:\dddjd.exec:\dddjd.exe20⤵
- Executes dropped EXE
PID:2928 -
\??\c:\xxlxflr.exec:\xxlxflr.exe21⤵
- Executes dropped EXE
PID:1916 -
\??\c:\dvpjj.exec:\dvpjj.exe22⤵
- Executes dropped EXE
PID:2116 -
\??\c:\rlllffr.exec:\rlllffr.exe23⤵
- Executes dropped EXE
PID:1616 -
\??\c:\5bhnbb.exec:\5bhnbb.exe24⤵
- Executes dropped EXE
PID:880 -
\??\c:\pjpvv.exec:\pjpvv.exe25⤵
- Executes dropped EXE
PID:1624 -
\??\c:\btntbb.exec:\btntbb.exe26⤵
- Executes dropped EXE
PID:908 -
\??\c:\vppvj.exec:\vppvj.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1596 -
\??\c:\lfxflrl.exec:\lfxflrl.exe28⤵
- Executes dropped EXE
PID:1740 -
\??\c:\1htbtb.exec:\1htbtb.exe29⤵
- Executes dropped EXE
PID:2300 -
\??\c:\xrfxfff.exec:\xrfxfff.exe30⤵
- Executes dropped EXE
PID:1088 -
\??\c:\xllfflr.exec:\xllfflr.exe31⤵
- Executes dropped EXE
PID:1888 -
\??\c:\jjjjp.exec:\jjjjp.exe32⤵
- Executes dropped EXE
PID:772 -
\??\c:\7lfrxlr.exec:\7lfrxlr.exe33⤵
- Executes dropped EXE
PID:1956 -
\??\c:\vpjpv.exec:\vpjpv.exe34⤵
- Executes dropped EXE
PID:1520 -
\??\c:\vvpdj.exec:\vvpdj.exe35⤵
- Executes dropped EXE
PID:3052 -
\??\c:\lffflrr.exec:\lffflrr.exe36⤵
- Executes dropped EXE
PID:2976 -
\??\c:\nbtbnt.exec:\nbtbnt.exe37⤵
- Executes dropped EXE
PID:700 -
\??\c:\dvppp.exec:\dvppp.exe38⤵
- Executes dropped EXE
PID:2744 -
\??\c:\pjddd.exec:\pjddd.exe39⤵
- Executes dropped EXE
PID:2808 -
\??\c:\9rlflrx.exec:\9rlflrx.exe40⤵
- Executes dropped EXE
PID:756 -
\??\c:\nntbnn.exec:\nntbnn.exe41⤵
- Executes dropped EXE
PID:2828 -
\??\c:\nhnhbn.exec:\nhnhbn.exe42⤵
- Executes dropped EXE
PID:2804 -
\??\c:\jjdvj.exec:\jjdvj.exe43⤵
- Executes dropped EXE
PID:2580 -
\??\c:\lrxxflr.exec:\lrxxflr.exe44⤵
- Executes dropped EXE
PID:2824 -
\??\c:\tbbhtt.exec:\tbbhtt.exe45⤵
- Executes dropped EXE
PID:2548 -
\??\c:\nbtbhh.exec:\nbtbhh.exe46⤵
- Executes dropped EXE
PID:2704 -
\??\c:\dvvjv.exec:\dvvjv.exe47⤵
- Executes dropped EXE
PID:2700 -
\??\c:\fxrxffr.exec:\fxrxffr.exe48⤵
- Executes dropped EXE
PID:2768 -
\??\c:\5nhnhh.exec:\5nhnhh.exe49⤵
- Executes dropped EXE
PID:2776 -
\??\c:\bbtthn.exec:\bbtthn.exe50⤵
- Executes dropped EXE
PID:2788 -
\??\c:\5vvdv.exec:\5vvdv.exe51⤵
- Executes dropped EXE
PID:2436 -
\??\c:\lxxrxxx.exec:\lxxrxxx.exe52⤵
- Executes dropped EXE
PID:848 -
\??\c:\nhtthb.exec:\nhtthb.exe53⤵
- Executes dropped EXE
PID:2800 -
\??\c:\9nhntt.exec:\9nhntt.exe54⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ddvdv.exec:\ddvdv.exe55⤵
- Executes dropped EXE
PID:1728 -
\??\c:\xxrlxxf.exec:\xxrlxxf.exe56⤵
- Executes dropped EXE
PID:1368 -
\??\c:\9rrlxxl.exec:\9rrlxxl.exe57⤵
- Executes dropped EXE
PID:2912 -
\??\c:\3tntht.exec:\3tntht.exe58⤵
- Executes dropped EXE
PID:1612 -
\??\c:\7pvjj.exec:\7pvjj.exe59⤵
- Executes dropped EXE
PID:2572 -
\??\c:\vvpvj.exec:\vvpvj.exe60⤵
- Executes dropped EXE
PID:2120 -
\??\c:\ffxxrlx.exec:\ffxxrlx.exe61⤵
- Executes dropped EXE
PID:2356 -
\??\c:\hbbhtt.exec:\hbbhtt.exe62⤵
- Executes dropped EXE
PID:2016 -
\??\c:\nhbbhn.exec:\nhbbhn.exe63⤵
- Executes dropped EXE
PID:992 -
\??\c:\pjvvv.exec:\pjvvv.exe64⤵
- Executes dropped EXE
PID:844 -
\??\c:\pjpvj.exec:\pjpvj.exe65⤵
- Executes dropped EXE
PID:1272 -
\??\c:\fxxxllx.exec:\fxxxllx.exe66⤵PID:1500
-
\??\c:\1tntnt.exec:\1tntnt.exe67⤵PID:1700
-
\??\c:\dvpvd.exec:\dvpvd.exe68⤵PID:1800
-
\??\c:\ddvdv.exec:\ddvdv.exe69⤵PID:1524
-
\??\c:\lfrfrxf.exec:\lfrfrxf.exe70⤵PID:800
-
\??\c:\hnhnhn.exec:\hnhnhn.exe71⤵PID:2292
-
\??\c:\ppppv.exec:\ppppv.exe72⤵PID:2228
-
\??\c:\dddjv.exec:\dddjv.exe73⤵PID:1768
-
\??\c:\fxllllx.exec:\fxllllx.exe74⤵PID:772
-
\??\c:\frlrxfr.exec:\frlrxfr.exe75⤵PID:1956
-
\??\c:\btnhbh.exec:\btnhbh.exe76⤵PID:1556
-
\??\c:\vvjvv.exec:\vvjvv.exe77⤵PID:1244
-
\??\c:\7vpjp.exec:\7vpjp.exe78⤵PID:2000
-
\??\c:\1rlxllr.exec:\1rlxllr.exe79⤵PID:2732
-
\??\c:\5hbbtb.exec:\5hbbtb.exe80⤵PID:2404
-
\??\c:\tbbnbn.exec:\tbbnbn.exe81⤵PID:2992
-
\??\c:\9jdvd.exec:\9jdvd.exe82⤵PID:2108
-
\??\c:\rxrfflf.exec:\rxrfflf.exe83⤵PID:2660
-
\??\c:\rrlxllx.exec:\rrlxllx.exe84⤵PID:2848
-
\??\c:\nhhhtn.exec:\nhhhtn.exe85⤵PID:2560
-
\??\c:\djjvj.exec:\djjvj.exe86⤵PID:2528
-
\??\c:\vvvdp.exec:\vvvdp.exe87⤵PID:2824
-
\??\c:\ffflxfx.exec:\ffflxfx.exe88⤵PID:2544
-
\??\c:\3bnthn.exec:\3bnthn.exe89⤵PID:2704
-
\??\c:\5thtth.exec:\5thtth.exe90⤵PID:2632
-
\??\c:\vpdpj.exec:\vpdpj.exe91⤵PID:2052
-
\??\c:\ffflxxx.exec:\ffflxxx.exe92⤵PID:2776
-
\??\c:\5fxxxfr.exec:\5fxxxfr.exe93⤵PID:1792
-
\??\c:\1hhhtb.exec:\1hhhtb.exe94⤵PID:2924
-
\??\c:\1ttbht.exec:\1ttbht.exe95⤵PID:1192
-
\??\c:\9dddj.exec:\9dddj.exe96⤵PID:2836
-
\??\c:\fxxxrrf.exec:\fxxxrrf.exe97⤵PID:2972
-
\??\c:\bthtbt.exec:\bthtbt.exe98⤵PID:2920
-
\??\c:\pjdjp.exec:\pjdjp.exe99⤵PID:1860
-
\??\c:\3pdjj.exec:\3pdjj.exe100⤵PID:2260
-
\??\c:\9xrxllx.exec:\9xrxllx.exe101⤵PID:1844
-
\??\c:\hhtbtb.exec:\hhtbtb.exe102⤵PID:1308
-
\??\c:\dvvvv.exec:\dvvvv.exe103⤵PID:956
-
\??\c:\5lxflxx.exec:\5lxflxx.exe104⤵PID:1716
-
\??\c:\llxxlrx.exec:\llxxlrx.exe105⤵PID:852
-
\??\c:\5htbth.exec:\5htbth.exe106⤵PID:2008
-
\??\c:\1tnthh.exec:\1tnthh.exe107⤵PID:1848
-
\??\c:\jvjpv.exec:\jvjpv.exe108⤵PID:936
-
\??\c:\9fxflrf.exec:\9fxflrf.exe109⤵PID:2324
-
\??\c:\nbnnnn.exec:\nbnnnn.exe110⤵PID:1628
-
\??\c:\hbbhbh.exec:\hbbhbh.exe111⤵PID:2148
-
\??\c:\pjvpj.exec:\pjvpj.exe112⤵PID:484
-
\??\c:\lfxfxxl.exec:\lfxfxxl.exe113⤵PID:3012
-
\??\c:\5rlrxrx.exec:\5rlrxrx.exe114⤵PID:1888
-
\??\c:\bttbth.exec:\bttbth.exe115⤵PID:1944
-
\??\c:\dvpvv.exec:\dvpvv.exe116⤵PID:1544
-
\??\c:\jddjj.exec:\jddjj.exe117⤵PID:1912
-
\??\c:\lfxxffl.exec:\lfxxffl.exe118⤵PID:2060
-
\??\c:\1bnbhh.exec:\1bnbhh.exe119⤵PID:3040
-
\??\c:\jdppp.exec:\jdppp.exe120⤵PID:2276
-
\??\c:\pjpdj.exec:\pjpdj.exe121⤵PID:2816
-
\??\c:\xrlflfl.exec:\xrlflfl.exe122⤵PID:2736