Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-09-2024 00:49

Static task: static1

Behavioral task: behavioral1
- Sample: 9a0abf33c1ecf68a77a7e45ab644b653483527e81e872525c90c71df145673b7.exe
- Resource: win7-20240903-en

General
- Target: 9a0abf33c1ecf68a77a7e45ab644b653483527e81e872525c90c71df145673b7.exe
- Size: 332KB
- MD5: 9743abf30826df06bf924921d3d9707b
- SHA1: 76069c9d325fc120eddaf0b5d4a901dd021ac83c
- SHA256: 9a0abf33c1ecf68a77a7e45ab644b653483527e81e872525c90c71df145673b7
- SHA512: ad39e77266b54786b14dc8d6933af54b021c45134094d0f2aae10052d50f41d6e58c32ec4ed752c25a7fed34d019b1b513d3a7c41c11c3c86b42b69922573e96
- SSDEEP: 6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhb:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTr
Malware Config
Signatures
- Detect Blackmoon payload (49 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9a0abf33c1ecf68a77a7e45ab644b653483527e81e872525c90c71df145673b7.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9a0abf33c1ecf68a77a7e45ab644b653483527e81e872525c90c71df145673b7.exe"), PID 2584
   - Suspicious use of WriteProcessMemory
2. \??\c:\hbbnth.exe (command line: c:\hbbnth.exe), PID 1804
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. \??\c:\rlrllxx.exe (command line: c:\rlrllxx.exe), PID 540
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. \??\c:\tthbbt.exe (command line: c:\tthbbt.exe), PID 2504
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. \??\c:\jvddd.exe (command line: c:\jvddd.exe), PID 1712
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. \??\c:\xxlxlff.exe (command line: c:\xxlxlff.exe), PID 2708
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. \??\c:\ntnbnh.exe (command line: c:\ntnbnh.exe), PID 2752
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. \??\c:\5vdjp.exe (command line: c:\5vdjp.exe), PID 2828
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. \??\c:\bnhbhb.exe (command line: c:\bnhbhb.exe), PID 2880
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. \??\c:\nhhhbn.exe (command line: c:\nhhhbn.exe), PID 2864
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. \??\c:\fxlxffx.exe (command line: c:\fxlxffx.exe), PID 2728
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. \??\c:\5xrrffl.exe (command line: c:\5xrrffl.exe), PID 2648
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. \??\c:\vpdvd.exe (command line: c:\vpdvd.exe), PID 2668
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. \??\c:\rffllrx.exe (command line: c:\rffllrx.exe), PID 548
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. \??\c:\jpddd.exe (command line: c:\jpddd.exe), PID 2964
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. \??\c:\vpdjp.exe (command line: c:\vpdjp.exe), PID 2860
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. \??\c:\nhbbnh.exe (command line: c:\nhbbnh.exe), PID 1976
   - Executes dropped EXE
18. \??\c:\vpdjp.exe (command line: c:\vpdjp.exe), PID 1832
   - Executes dropped EXE
19. \??\c:\xrlfllx.exe (command line: c:\xrlfllx.exe), PID 2196
   - Executes dropped EXE
20. \??\c:\hnhntb.exe (command line: c:\hnhntb.exe), PID 1676
   - Executes dropped EXE
21. \??\c:\vpjpd.exe (command line: c:\vpjpd.exe), PID 2336
   - Executes dropped EXE
22. \??\c:\lfrxrfr.exe (command line: c:\lfrxrfr.exe), PID 2052
   - Executes dropped EXE
23. \??\c:\tntbhh.exe (command line: c:\tntbhh.exe), PID 2536
   - Executes dropped EXE
24. \??\c:\vpddp.exe (command line: c:\vpddp.exe), PID 1340
   - Executes dropped EXE
25. \??\c:\llxxlfr.exe (command line: c:\llxxlfr.exe), PID 2092
   - Executes dropped EXE
26. \??\c:\nhnhtt.exe (command line: c:\nhnhtt.exe), PID 1680
   - Executes dropped EXE
27. \??\c:\ddvjv.exe (command line: c:\ddvjv.exe), PID 964
   - Executes dropped EXE
28. \??\c:\fxlxllx.exe (command line: c:\fxlxllx.exe), PID 108
   - Executes dropped EXE
29. \??\c:\1ddjv.exe (command line: c:\1ddjv.exe), PID 1288
   - Executes dropped EXE
30. \??\c:\ffxlllr.exe (command line: c:\ffxlllr.exe), PID 572
   - Executes dropped EXE
31. \??\c:\bbhbbb.exe (command line: c:\bbhbbb.exe), PID 1728
   - Executes dropped EXE
32. \??\c:\vvjpv.exe (command line: c:\vvjpv.exe), PID 1224
   - Executes dropped EXE
33. \??\c:\fxllrrx.exe (command line: c:\fxllrrx.exe), PID 3016
   - Executes dropped EXE
34. \??\c:\bbhntb.exe (command line: c:\bbhntb.exe), PID 1688
35. \??\c:\llrxfxx.exe (command line: c:\llrxfxx.exe), PID 2416
   - Executes dropped EXE
36. \??\c:\nbnnbb.exe (command line: c:\nbnnbb.exe), PID 2460
   - Executes dropped EXE
37. \??\c:\dvpjp.exe (command line: c:\dvpjp.exe), PID 2520
   - Executes dropped EXE
38. \??\c:\pddvv.exe (command line: c:\pddvv.exe), PID 308
   - Executes dropped EXE
39. \??\c:\xrfllxr.exe (command line: c:\xrfllxr.exe), PID 2072
   - Executes dropped EXE
40. \??\c:\rlxxllr.exe (command line: c:\rlxxllr.exe), PID 2060
   - Executes dropped EXE
41. \??\c:\nhbnbh.exe (command line: c:\nhbnbh.exe), PID 2840
   - Executes dropped EXE
42. \??\c:\vvjjp.exe (command line: c:\vvjjp.exe), PID 2748
   - Executes dropped EXE
43. \??\c:\ddvdj.exe (command line: c:\ddvdj.exe), PID 2900
   - Executes dropped EXE
44. \??\c:\lllxrxr.exe (command line: c:\lllxrxr.exe), PID 2872
   - Executes dropped EXE
45. \??\c:\tnntbh.exe (command line: c:\tnntbh.exe), PID 2916
   - Executes dropped EXE
46. \??\c:\5httbh.exe (command line: c:\5httbh.exe), PID 2516
   - Executes dropped EXE
47. \??\c:\pvdvv.exe (command line: c:\pvdvv.exe), PID 2636
   - Executes dropped EXE
48. \??\c:\rrlxlrf.exe (command line: c:\rrlxlrf.exe), PID 2172
   - Executes dropped EXE
49. \??\c:\hnntbh.exe (command line: c:\hnntbh.exe), PID 2540
   - Executes dropped EXE
50. \??\c:\1btbnt.exe (command line: c:\1btbnt.exe), PID 3008
   - Executes dropped EXE
51. \??\c:\htntnt.exe (command line: c:\htntnt.exe), PID 2704
   - Executes dropped EXE
52. \??\c:\vpddp.exe (command line: c:\vpddp.exe), PID 2984
   - Executes dropped EXE
53. \??\c:\frllllf.exe (command line: c:\frllllf.exe), PID 868
   - Executes dropped EXE
54. \??\c:\nhnnbn.exe (command line: c:\nhnnbn.exe), PID 1720
   - Executes dropped EXE
55. \??\c:\jpdpj.exe (command line: c:\jpdpj.exe), PID 1380
   - Executes dropped EXE
56. \??\c:\djdpj.exe (command line: c:\djdpj.exe), PID 900
   - Executes dropped EXE
57. \??\c:\lllxxxl.exe (command line: c:\lllxxxl.exe), PID 2208
   - Executes dropped EXE
58. \??\c:\ntnbhn.exe (command line: c:\ntnbhn.exe), PID 2376
   - Executes dropped EXE
59. \??\c:\hhnttb.exe (command line: c:\hhnttb.exe), PID 2156
   - Executes dropped EXE
60. \??\c:\dddpd.exe (command line: c:\dddpd.exe), PID 2532
   - Executes dropped EXE
61. \??\c:\llflxfr.exe (command line: c:\llflxfr.exe), PID 2164
   - Executes dropped EXE
62. \??\c:\nnbhbn.exe (command line: c:\nnbhbn.exe), PID 1240
   - Executes dropped EXE
63. \??\c:\3hbhnt.exe (command line: c:\3hbhnt.exe), PID 2496
   - Executes dropped EXE
64. \??\c:\5jdjp.exe (command line: c:\5jdjp.exe), PID 356
   - Executes dropped EXE
65. \??\c:\rfrrfxf.exe (command line: c:\rfrrfxf.exe), PID 920
   - Executes dropped EXE
66. \??\c:\lfxlrlr.exe (command line: c:\lfxlrlr.exe), PID 1352
   - Executes dropped EXE
67. \??\c:\tnhhnb.exe (command line: c:\tnhhnb.exe), PID 964
68. \??\c:\ddvjp.exe (command line: c:\ddvjp.exe), PID 2388
69. \??\c:\7vppv.exe (command line: c:\7vppv.exe), PID 1532
70. \??\c:\xllrllx.exe (command line: c:\xllrllx.exe), PID 1156
71. \??\c:\tbbnht.exe (command line: c:\tbbnht.exe), PID 892
72. \??\c:\ttbbbh.exe (command line: c:\ttbbbh.exe), PID 1728
73. \??\c:\jdpjd.exe (command line: c:\jdpjd.exe), PID 1928
74. \??\c:\5vdpj.exe (command line: c:\5vdpj.exe), PID 1224
75. \??\c:\rrllrxl.exe (command line: c:\rrllrxl.exe), PID 2380
76. \??\c:\ffxflxf.exe (command line: c:\ffxflxf.exe), PID 2500
77. \??\c:\hnhbnt.exe (command line: c:\hnhbnt.exe), PID 2316
78. \??\c:\pppjv.exe (command line: c:\pppjv.exe), PID 2384
79. \??\c:\vvpvd.exe (command line: c:\vvpvd.exe), PID 2520
80. \??\c:\lfrxxlr.exe (command line: c:\lfrxxlr.exe), PID 308
81. \??\c:\1rxlxxf.exe (command line: c:\1rxlxxf.exe), PID 2724
82. \??\c:\bthhbt.exe (command line: c:\bthhbt.exe), PID 2752
83. \??\c:\tttbtt.exe (command line: c:\tttbtt.exe), PID 2896
84. \??\c:\jdjpp.exe (command line: c:\jdjpp.exe), PID 2768
85. \??\c:\rrrfrfl.exe (command line: c:\rrrfrfl.exe), PID 2848
86. \??\c:\xxxxllr.exe (command line: c:\xxxxllr.exe), PID 2656
87. \??\c:\btnbth.exe (command line: c:\btnbth.exe), PID 2864
88. \??\c:\tnbbnh.exe (command line: c:\tnbbnh.exe), PID 2632
89. \??\c:\jvjjp.exe (command line: c:\jvjjp.exe), PID 2636
90. \??\c:\ppdpj.exe (command line: c:\ppdpj.exe), PID 2284
91. \??\c:\xxrrflr.exe (command line: c:\xxrrflr.exe), PID 1788
92. \??\c:\fxrflrf.exe (command line: c:\fxrflrf.exe), PID 1696
93. \??\c:\bnbhnt.exe (command line: c:\bnbhnt.exe), PID 2980
94. \??\c:\jjdjv.exe (command line: c:\jjdjv.exe), PID 1724
95. \??\c:\jdpvd.exe (command line: c:\jdpvd.exe), PID 2976
96. \??\c:\rrlxrfr.exe (command line: c:\rrlxrfr.exe), PID 2952
97. \??\c:\nnhhbh.exe (command line: c:\nnhhbh.exe), PID 472
98. \??\c:\hbnthh.exe (command line: c:\hbnthh.exe), PID 900
99. \??\c:\pjppd.exe (command line: c:\pjppd.exe), PID 2032
100. \??\c:\ppjdj.exe (command line: c:\ppjdj.exe), PID 2064
101. \??\c:\fflrffl.exe (command line: c:\fflrffl.exe), PID 1664
102. \??\c:\xlxfrrx.exe (command line: c:\xlxfrrx.exe), PID 2156
103. \??\c:\5thhtt.exe (command line: c:\5thhtt.exe), PID 2296
104. \??\c:\pjvvv.exe (command line: c:\pjvvv.exe), PID 1012
105. \??\c:\pjddv.exe (command line: c:\pjddv.exe), PID 2372
106. \??\c:\rfllllx.exe (command line: c:\rfllllx.exe), PID 1384
107. \??\c:\3lflxxf.exe (command line: c:\3lflxxf.exe), PID 1680
108. \??\c:\9tbthh.exe (command line: c:\9tbthh.exe), PID 2436
109. \??\c:\bbtthh.exe (command line: c:\bbtthh.exe), PID 2292
110. \??\c:\ppdpj.exe (command line: c:\ppdpj.exe), PID 2188
111. \??\c:\rlllxrx.exe (command line: c:\rlllxrx.exe), PID 2448
112. \??\c:\3rflrrx.exe (command line: c:\3rflrrx.exe), PID 1968
113. \??\c:\bhtthh.exe (command line: c:\bhtthh.exe), PID 1504
114. \??\c:\5bbbbb.exe (command line: c:\5bbbbb.exe), PID 1496
115. \??\c:\pjjpp.exe (command line: c:\pjjpp.exe), PID 1656
116. \??\c:\dvjjd.exe (command line: c:\dvjjd.exe), PID 3012
117. \??\c:\lfxxrxf.exe (command line: c:\lfxxrxf.exe), PID 1804
118. \??\c:\lfrrxxl.exe (command line: c:\lfrrxxl.exe), PID 540
119. \??\c:\tnbhtt.exe (command line: c:\tnbhtt.exe), PID 2464
120. \??\c:\jpvjj.exe (command line: c:\jpvjj.exe), PID 2504
121. \??\c:\vpppv.exe (command line: c:\vpppv.exe), PID 2264
122. \??\c:\lfrrxxl.exe (command line: c:\lfrrxxl.exe), PID 332