Analysis
-
max time kernel
120s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 12:24
Static task
static1
Behavioral task
behavioral1
Sample
f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe
Resource
win7-20240903-en
General
-
Target
f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe
-
Size
333KB
-
MD5
6f15a34ff2f291fbdbb06cda86083060
-
SHA1
1b9e7e4b967d1791dd54b7b983f9c29b1c30933b
-
SHA256
f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fc
-
SHA512
341ba223867983230a2809cbead9fe7406bd2d6e8c83d228ef565b088f0d0ef3f39adc2c797994929348162ef348f84d904af8ae0b3e0efad2e6fc1249dfed2b
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhq:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTa
Malware Config
Signatures
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/1128-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-179-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2716-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3016-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/704-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-434-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1512-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1012-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-660-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1772-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-729-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2124-839-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2556-888-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2624-918-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1740-931-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1976-981-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2708-1179-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2288-1193-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2288-1192-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3024 thttbt.exe 1128 tthbth.exe 2108 vvpvj.exe 2728 3xrrlxf.exe 2856 5hbnbh.exe 2768 jdpjp.exe 2336 3vvvd.exe 2720 fxxllxr.exe 2732 tbthbb.exe 2648 tntthh.exe 3052 7vjjv.exe 2516 xrlfffr.exe 784 7nhtbn.exe 2168 ppddp.exe 484 rxflrfr.exe 2036 1tnnbh.exe 1684 ppjvj.exe 1484 1frxllx.exe 2800 bhbthn.exe 2716 pjvjv.exe 596 vdvpj.exe 1168 xrffxxr.exe 1692 nhtbtb.exe 3004 1nbntb.exe 1992 3tbnbh.exe 1800 pvjdp.exe 2256 vdvdp.exe 1744 rlrxrxr.exe 2440 fxrxlxf.exe 1844 lllllrr.exe 3016 1frxxlx.exe 2096 lfrxlrf.exe 3040 hbhhnb.exe 1568 lfxrfrl.exe 2020 1frxflr.exe 2804 3dpdj.exe 2184 1rflrrr.exe 1376 ththnt.exe 2752 bttbtt.exe 2900 pvpjj.exe 2336 ffxxlrf.exe 2708 rlxxlxx.exe 2732 thtbnh.exe 2848 hhbnbb.exe 2648 7ppvj.exe 2152 fxxxffr.exe 704 3htbbh.exe 2200 ddpdj.exe 1708 pddvv.exe 1984 llfxlrf.exe 484 7nnnbb.exe 2364 dvjjp.exe 1512 rrfxlrf.exe 1124 bnhntt.exe 1764 nhhhtb.exe 604 jvjpv.exe 2948 lfxfllf.exe 1572 3bbbhn.exe 2524 7pddd.exe 3036 5dvpp.exe 1052 fxxlrrl.exe 444 ttntbh.exe 1736 nhthbn.exe 2996 pddpv.exe -
resource yara_rule behavioral1/memory/1128-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-199-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1692-216-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1692-220-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3004-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/704-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-434-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1512-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-674-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1772-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-839-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2812-899-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1060-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1328-1050-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-1136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-1192-0x00000000003C0000-0x00000000003EA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhtt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5httbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2700 wrote to memory of 3024 2700 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 30 PID 2700 wrote to memory of 3024 2700 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 30 PID 2700 wrote to memory of 3024 2700 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 30 PID 2700 wrote to memory of 3024 2700 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 30 PID 3024 wrote to memory of 1128 3024 thttbt.exe 31 PID 3024 wrote to memory of 1128 3024 thttbt.exe 31 PID 3024 wrote to memory of 1128 3024 thttbt.exe 31 PID 3024 wrote to memory of 1128 3024 thttbt.exe 31 PID 1128 wrote to memory of 2108 1128 tthbth.exe 32 PID 1128 wrote to memory of 2108 1128 tthbth.exe 32 PID 1128 wrote to memory of 2108 1128 tthbth.exe 32 PID 1128 wrote to memory of 2108 1128 tthbth.exe 32 PID 2108 wrote to memory of 2728 2108 vvpvj.exe 33 PID 2108 wrote to memory of 2728 2108 vvpvj.exe 33 PID 2108 wrote to memory of 2728 2108 vvpvj.exe 33 PID 2108 wrote to memory of 2728 2108 vvpvj.exe 33 PID 2728 wrote to memory of 2856 2728 3xrrlxf.exe 34 PID 2728 wrote to memory of 2856 2728 3xrrlxf.exe 34 PID 2728 wrote to memory of 2856 2728 3xrrlxf.exe 34 PID 2728 wrote to memory of 2856 2728 3xrrlxf.exe 34 PID 2856 wrote to memory of 2768 2856 5hbnbh.exe 35 PID 2856 wrote to memory of 2768 2856 5hbnbh.exe 35 PID 2856 wrote to memory of 2768 2856 5hbnbh.exe 35 PID 2856 wrote to memory of 2768 2856 5hbnbh.exe 35 PID 2768 wrote to memory of 2336 2768 jdpjp.exe 36 PID 2768 wrote to memory of 2336 2768 jdpjp.exe 36 PID 2768 wrote to memory of 2336 2768 jdpjp.exe 36 PID 2768 wrote to memory of 2336 2768 jdpjp.exe 36 PID 2336 wrote to memory of 2720 2336 3vvvd.exe 37 PID 2336 wrote to memory of 2720 2336 3vvvd.exe 37 PID 2336 wrote to memory of 2720 2336 3vvvd.exe 37 PID 2336 wrote to memory of 2720 2336 3vvvd.exe 37 PID 2720 wrote to memory of 2732 2720 fxxllxr.exe 38 PID 2720 wrote 
to memory of 2732 2720 fxxllxr.exe 38 PID 2720 wrote to memory of 2732 2720 fxxllxr.exe 38 PID 2720 wrote to memory of 2732 2720 fxxllxr.exe 38 PID 2732 wrote to memory of 2648 2732 tbthbb.exe 39 PID 2732 wrote to memory of 2648 2732 tbthbb.exe 39 PID 2732 wrote to memory of 2648 2732 tbthbb.exe 39 PID 2732 wrote to memory of 2648 2732 tbthbb.exe 39 PID 2648 wrote to memory of 3052 2648 tntthh.exe 40 PID 2648 wrote to memory of 3052 2648 tntthh.exe 40 PID 2648 wrote to memory of 3052 2648 tntthh.exe 40 PID 2648 wrote to memory of 3052 2648 tntthh.exe 40 PID 3052 wrote to memory of 2516 3052 7vjjv.exe 41 PID 3052 wrote to memory of 2516 3052 7vjjv.exe 41 PID 3052 wrote to memory of 2516 3052 7vjjv.exe 41 PID 3052 wrote to memory of 2516 3052 7vjjv.exe 41 PID 2516 wrote to memory of 784 2516 xrlfffr.exe 42 PID 2516 wrote to memory of 784 2516 xrlfffr.exe 42 PID 2516 wrote to memory of 784 2516 xrlfffr.exe 42 PID 2516 wrote to memory of 784 2516 xrlfffr.exe 42 PID 784 wrote to memory of 2168 784 7nhtbn.exe 43 PID 784 wrote to memory of 2168 784 7nhtbn.exe 43 PID 784 wrote to memory of 2168 784 7nhtbn.exe 43 PID 784 wrote to memory of 2168 784 7nhtbn.exe 43 PID 2168 wrote to memory of 484 2168 ppddp.exe 44 PID 2168 wrote to memory of 484 2168 ppddp.exe 44 PID 2168 wrote to memory of 484 2168 ppddp.exe 44 PID 2168 wrote to memory of 484 2168 ppddp.exe 44 PID 484 wrote to memory of 2036 484 rxflrfr.exe 45 PID 484 wrote to memory of 2036 484 rxflrfr.exe 45 PID 484 wrote to memory of 2036 484 rxflrfr.exe 45 PID 484 wrote to memory of 2036 484 rxflrfr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe"C:\Users\Admin\AppData\Local\Temp\f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\thttbt.exec:\thttbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\tthbth.exec:\tthbth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\vvpvj.exec:\vvpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\3xrrlxf.exec:\3xrrlxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\5hbnbh.exec:\5hbnbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\jdpjp.exec:\jdpjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\3vvvd.exec:\3vvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\fxxllxr.exec:\fxxllxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\tbthbb.exec:\tbthbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\tntthh.exec:\tntthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\7vjjv.exec:\7vjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\xrlfffr.exec:\xrlfffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\7nhtbn.exec:\7nhtbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\ppddp.exec:\ppddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\rxflrfr.exec:\rxflrfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
\??\c:\1tnnbh.exec:\1tnnbh.exe17⤵
- Executes dropped EXE
PID:2036 -
\??\c:\ppjvj.exec:\ppjvj.exe18⤵
- Executes dropped EXE
PID:1684 -
\??\c:\1frxllx.exec:\1frxllx.exe19⤵
- Executes dropped EXE
PID:1484 -
\??\c:\bhbthn.exec:\bhbthn.exe20⤵
- Executes dropped EXE
PID:2800 -
\??\c:\pjvjv.exec:\pjvjv.exe21⤵
- Executes dropped EXE
PID:2716 -
\??\c:\vdvpj.exec:\vdvpj.exe22⤵
- Executes dropped EXE
PID:596 -
\??\c:\xrffxxr.exec:\xrffxxr.exe23⤵
- Executes dropped EXE
PID:1168 -
\??\c:\nhtbtb.exec:\nhtbtb.exe24⤵
- Executes dropped EXE
PID:1692 -
\??\c:\1nbntb.exec:\1nbntb.exe25⤵
- Executes dropped EXE
PID:3004 -
\??\c:\3tbnbh.exec:\3tbnbh.exe26⤵
- Executes dropped EXE
PID:1992 -
\??\c:\pvjdp.exec:\pvjdp.exe27⤵
- Executes dropped EXE
PID:1800 -
\??\c:\vdvdp.exec:\vdvdp.exe28⤵
- Executes dropped EXE
PID:2256 -
\??\c:\rlrxrxr.exec:\rlrxrxr.exe29⤵
- Executes dropped EXE
PID:1744 -
\??\c:\fxrxlxf.exec:\fxrxlxf.exe30⤵
- Executes dropped EXE
PID:2440 -
\??\c:\lllllrr.exec:\lllllrr.exe31⤵
- Executes dropped EXE
PID:1844 -
\??\c:\1frxxlx.exec:\1frxxlx.exe32⤵
- Executes dropped EXE
PID:3016 -
\??\c:\lfrxlrf.exec:\lfrxlrf.exe33⤵
- Executes dropped EXE
PID:2096 -
\??\c:\hbhhnb.exec:\hbhhnb.exe34⤵
- Executes dropped EXE
PID:3040 -
\??\c:\lfxrfrl.exec:\lfxrfrl.exe35⤵
- Executes dropped EXE
PID:1568 -
\??\c:\1frxflr.exec:\1frxflr.exe36⤵
- Executes dropped EXE
PID:2020 -
\??\c:\3dpdj.exec:\3dpdj.exe37⤵
- Executes dropped EXE
PID:2804 -
\??\c:\1rflrrr.exec:\1rflrrr.exe38⤵
- Executes dropped EXE
PID:2184 -
\??\c:\ththnt.exec:\ththnt.exe39⤵
- Executes dropped EXE
PID:1376 -
\??\c:\bttbtt.exec:\bttbtt.exe40⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pvpjj.exec:\pvpjj.exe41⤵
- Executes dropped EXE
PID:2900 -
\??\c:\ffxxlrf.exec:\ffxxlrf.exe42⤵
- Executes dropped EXE
PID:2336 -
\??\c:\rlxxlxx.exec:\rlxxlxx.exe43⤵
- Executes dropped EXE
PID:2708 -
\??\c:\thtbnh.exec:\thtbnh.exe44⤵
- Executes dropped EXE
PID:2732 -
\??\c:\hhbnbb.exec:\hhbnbb.exe45⤵
- Executes dropped EXE
PID:2848 -
\??\c:\7ppvj.exec:\7ppvj.exe46⤵
- Executes dropped EXE
PID:2648 -
\??\c:\fxxxffr.exec:\fxxxffr.exe47⤵
- Executes dropped EXE
PID:2152 -
\??\c:\3htbbh.exec:\3htbbh.exe48⤵
- Executes dropped EXE
PID:704 -
\??\c:\ddpdj.exec:\ddpdj.exe49⤵
- Executes dropped EXE
PID:2200 -
\??\c:\pddvv.exec:\pddvv.exe50⤵
- Executes dropped EXE
PID:1708 -
\??\c:\llfxlrf.exec:\llfxlrf.exe51⤵
- Executes dropped EXE
PID:1984 -
\??\c:\7nnnbb.exec:\7nnnbb.exe52⤵
- Executes dropped EXE
PID:484 -
\??\c:\dvjjp.exec:\dvjjp.exe53⤵
- Executes dropped EXE
PID:2364 -
\??\c:\rrfxlrf.exec:\rrfxlrf.exe54⤵
- Executes dropped EXE
PID:1512 -
\??\c:\bnhntt.exec:\bnhntt.exe55⤵
- Executes dropped EXE
PID:1124 -
\??\c:\nhhhtb.exec:\nhhhtb.exe56⤵
- Executes dropped EXE
PID:1764 -
\??\c:\jvjpv.exec:\jvjpv.exe57⤵
- Executes dropped EXE
PID:604 -
\??\c:\lfxfllf.exec:\lfxfllf.exe58⤵
- Executes dropped EXE
PID:2948 -
\??\c:\3bbbhn.exec:\3bbbhn.exe59⤵
- Executes dropped EXE
PID:1572 -
\??\c:\7pddd.exec:\7pddd.exe60⤵
- Executes dropped EXE
PID:2524 -
\??\c:\5dvpp.exec:\5dvpp.exe61⤵
- Executes dropped EXE
PID:3036 -
\??\c:\fxxlrrl.exec:\fxxlrrl.exe62⤵
- Executes dropped EXE
PID:1052 -
\??\c:\ttntbh.exec:\ttntbh.exe63⤵
- Executes dropped EXE
PID:444 -
\??\c:\nhthbn.exec:\nhthbn.exe64⤵
- Executes dropped EXE
PID:1736 -
\??\c:\pddpv.exec:\pddpv.exe65⤵
- Executes dropped EXE
PID:2996 -
\??\c:\fxllflf.exec:\fxllflf.exe66⤵PID:400
-
\??\c:\9nbbhh.exec:\9nbbhh.exe67⤵PID:896
-
\??\c:\vvvjv.exec:\vvvjv.exe68⤵PID:1072
-
\??\c:\ppvpp.exec:\ppvpp.exe69⤵PID:2448
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe70⤵PID:2004
-
\??\c:\htnbbb.exec:\htnbbb.exe71⤵PID:1012
-
\??\c:\5pdjp.exec:\5pdjp.exe72⤵PID:2440
-
\??\c:\dvpvj.exec:\dvpvj.exe73⤵PID:1644
-
\??\c:\xxxfxfl.exec:\xxxfxfl.exe74⤵PID:2068
-
\??\c:\3thhnt.exec:\3thhnt.exe75⤵PID:2396
-
\??\c:\nhbntt.exec:\nhbntt.exe76⤵PID:2372
-
\??\c:\jddvd.exec:\jddvd.exe77⤵PID:2564
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe78⤵PID:2220
-
\??\c:\3lfrffx.exec:\3lfrffx.exe79⤵PID:1672
-
\??\c:\ntthtb.exec:\ntthtb.exe80⤵PID:2804
-
\??\c:\jdddj.exec:\jdddj.exe81⤵PID:2728
-
\??\c:\xlfrrll.exec:\xlfrrll.exe82⤵PID:2980
-
\??\c:\7xflllr.exec:\7xflllr.exe83⤵PID:2880
-
\??\c:\tnhhtb.exec:\tnhhtb.exe84⤵PID:2736
-
\??\c:\7vpvv.exec:\7vpvv.exe85⤵PID:2852
-
\??\c:\lxrrffr.exec:\lxrrffr.exe86⤵PID:2820
-
\??\c:\hbhhtt.exec:\hbhhtt.exe87⤵PID:2720
-
\??\c:\3tthbb.exec:\3tthbb.exe88⤵PID:1924
-
\??\c:\3dpdd.exec:\3dpdd.exe89⤵PID:3052
-
\??\c:\xrflxff.exec:\xrflxff.exe90⤵PID:3060
-
\??\c:\rrllfll.exec:\rrllfll.exe91⤵PID:388
-
\??\c:\bbhnbn.exec:\bbhnbn.exe92⤵PID:2504
-
\??\c:\jjpvj.exec:\jjpvj.exe93⤵PID:2652
-
\??\c:\1lxfrrf.exec:\1lxfrrf.exe94⤵PID:2156
-
\??\c:\ffrxflx.exec:\ffrxflx.exe95⤵PID:684
-
\??\c:\hhthtb.exec:\hhthtb.exe96⤵PID:1772
-
\??\c:\dddjd.exec:\dddjd.exe97⤵PID:2024
-
\??\c:\jjpvp.exec:\jjpvp.exe98⤵PID:2028
-
\??\c:\ffxfrrf.exec:\ffxfrrf.exe99⤵PID:2832
-
\??\c:\tbtnbh.exec:\tbtnbh.exe100⤵PID:1944
-
\??\c:\nnnnth.exec:\nnnnth.exe101⤵PID:604
-
\??\c:\vvjvd.exec:\vvjvd.exe102⤵PID:2584
-
\??\c:\rffrllx.exec:\rffrllx.exe103⤵PID:2488
-
\??\c:\xxxfrlx.exec:\xxxfrlx.exe104⤵PID:2524
-
\??\c:\tnbbhh.exec:\tnbbhh.exe105⤵PID:2952
-
\??\c:\hnnbtn.exec:\hnnbtn.exe106⤵PID:1052
-
\??\c:\dvjpv.exec:\dvjpv.exe107⤵PID:2704
-
\??\c:\7xlrxlx.exec:\7xlrxlx.exe108⤵PID:2272
-
\??\c:\9xlxflf.exec:\9xlxflf.exe109⤵PID:1720
-
\??\c:\5thnnn.exec:\5thnnn.exe110⤵PID:1544
-
\??\c:\ppjpd.exec:\ppjpd.exe111⤵PID:2332
-
\??\c:\9vppd.exec:\9vppd.exe112⤵PID:1036
-
\??\c:\xrlfrfx.exec:\xrlfrfx.exe113⤵PID:2392
-
\??\c:\xrflflr.exec:\xrflflr.exe114⤵PID:584
-
\??\c:\9nnbnb.exec:\9nnbnb.exe115⤵PID:1956
-
\??\c:\vjpdj.exec:\vjpdj.exe116⤵PID:1896
-
\??\c:\vvvvj.exec:\vvvvj.exe117⤵PID:1852
-
\??\c:\flrllxr.exec:\flrllxr.exe118⤵PID:3016
-
\??\c:\bnhhht.exec:\bnhhht.exe119⤵PID:2124
-
\??\c:\bhbthn.exec:\bhbthn.exe120⤵PID:1856
-
\??\c:\jjpvd.exec:\jjpvd.exe121⤵PID:1508
-
\??\c:\xrffrfl.exec:\xrffrfl.exe122⤵PID:1568