Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 13:06
Behavioral task
behavioral1
Sample
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe
Resource
win7-20240729-en
6 signatures
150 seconds
General
-
Target
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe
-
Size
279KB
-
MD5
face18af5f70087e9fbf92c2ee116a20
-
SHA1
39ea6bb8cc8dfab8dc8229b7112765dbc2470ad0
-
SHA256
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bff
-
SHA512
b3e1cc83fbbf7fde920ace2599653336f1de8168a1e408e9ee135335670ea9ff96ad2cd5a664544eb606b7e2e15686418dc97fa7ecc9efb402f0540a1f62cfee
-
SSDEEP
6144:ncm4FmowdHoS6rW3NNTvBu6wo2J4JAgNXkArR/rtXOLtu4J6KvvLp3OKtUuuuTEl:14wFHoSeM/Tpu6w14JAOkIRhOBu4Jhv4
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2872-5-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2968-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/960-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4576-22-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/876-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3360-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1256-46-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1520-68-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3684-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3880-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2152-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3132-201-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3316-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4892-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4504-239-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1648-253-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2416-268-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3864-285-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1720-292-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/944-318-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1064-325-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2852-370-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1972-1043-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2000-673-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4000-582-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1608-473-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3852-466-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5092-450-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/220-422-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1704-400-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4576-387-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3080-383-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3316-366-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3492-362-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2820-339-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3896-329-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4236-311-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1604-281-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/620-261-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3840-257-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4772-249-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5016-232-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2960-228-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/900-221-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3488-212-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4896-198-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/932-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1236-179-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4048-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3416-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4700-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4456-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4960-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1488-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/632-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2044-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3120-86-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1584-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4312-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1244-52-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2388-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/372-1278-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4452-2010-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2968 vpvjp.exe 960 nhnhbt.exe 4576 nttbtt.exe 876 jddvp.exe 3360 9rrfxxl.exe 2388 hbhhbt.exe 1256 jpdpj.exe 1244 7lrrflf.exe 4772 bbhbbt.exe 4312 9pvpd.exe 1520 pjpjd.exe 1584 xfffllf.exe 3684 9xlffxf.exe 3120 bbhnhn.exe 2044 jppdv.exe 632 5rrrllf.exe 1488 frrllfx.exe 4960 htttnn.exe 2936 dvjpd.exe 4456 dpvpd.exe 4700 fxrlfxx.exe 3416 xlllflf.exe 3880 5bhhnn.exe 4092 7pdvj.exe 4048 llrlrrf.exe 1176 lfrlfff.exe 4540 thbbtb.exe 544 vjjpj.exe 5096 dddvj.exe 2240 fxllffx.exe 1236 7nhhtt.exe 2152 jpjdv.exe 932 7xfxrll.exe 3692 hbhbtb.exe 4896 nhnbtn.exe 3132 3ddvp.exe 3316 vpjpd.exe 4892 xxxrlll.exe 3488 3bnhbb.exe 2328 bbntnn.exe 3080 pjvvp.exe 900 jjjjv.exe 4576 5lfxxll.exe 2960 llxxxrx.exe 5016 5tbttt.exe 4936 hbhbbb.exe 4504 pdpjv.exe 4508 xxlfllx.exe 2000 xrlrflf.exe 4772 bhhhhh.exe 1648 vdjdp.exe 3840 ddjdp.exe 620 xfrrrlf.exe 1476 llllfxr.exe 2416 nhttnn.exe 2912 thbthh.exe 2272 vjvdd.exe 4416 jdjdj.exe 1604 rffxxrr.exe 3864 bbtnbb.exe 2248 btttnn.exe 1720 djpjp.exe 4332 jpvvj.exe 1968 xfffxlr.exe -
resource yara_rule behavioral2/memory/2872-0-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x000a000000023c09-4.dat upx behavioral2/memory/2968-6-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2872-5-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023ca2-11.dat upx behavioral2/memory/2968-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/960-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023ca3-16.dat upx behavioral2/files/0x0007000000023ca4-20.dat upx behavioral2/memory/4576-22-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023ca5-26.dat upx behavioral2/memory/876-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2388-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3360-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023ca6-33.dat upx behavioral2/files/0x0007000000023ca7-41.dat upx behavioral2/files/0x0007000000023ca8-47.dat upx behavioral2/memory/1256-46-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023cac-67.dat upx behavioral2/memory/1520-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023cad-75.dat upx behavioral2/memory/3684-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/files/0x0007000000023cb0-90.dat upx behavioral2/files/0x0007000000023cb2-105.dat upx behavioral2/files/0x0007000000023cb3-111.dat upx behavioral2/files/0x0007000000023cb5-122.dat upx behavioral2/files/0x0007000000023cb6-125.dat upx behavioral2/files/0x0007000000023cb8-131.dat upx behavioral2/files/0x0007000000023cb9-140.dat upx behavioral2/memory/3880-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4048-146-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/files/0x0007000000023cbf-176.dat upx behavioral2/memory/2152-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3132-201-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3316-204-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4892-208-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4504-239-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1648-253-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2416-268-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3864-285-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1720-292-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/944-318-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1064-325-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2852-370-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1972-1043-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2000-673-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4000-582-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1608-473-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3852-466-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5092-450-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/220-422-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1704-400-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4576-387-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3080-383-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3316-366-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3492-362-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4896-355-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2820-339-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3896-329-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4236-311-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1604-281-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/620-261-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3840-257-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4772-249-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2968 2872 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 85 PID 2872 wrote to memory of 2968 2872 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 85 PID 2872 wrote to memory of 2968 2872 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 85 PID 2968 wrote to memory of 960 2968 vpvjp.exe 86 PID 2968 wrote to memory of 960 2968 vpvjp.exe 86 PID 2968 wrote to memory of 960 2968 vpvjp.exe 86 PID 960 wrote to memory of 4576 960 nhnhbt.exe 87 PID 960 wrote to memory of 4576 960 nhnhbt.exe 87 PID 960 wrote to memory of 4576 960 nhnhbt.exe 87 PID 4576 wrote to memory of 876 4576 nttbtt.exe 88 PID 4576 wrote to memory of 876 4576 nttbtt.exe 88 PID 4576 wrote to memory of 876 4576 nttbtt.exe 88 PID 876 wrote to memory of 3360 876 jddvp.exe 89 PID 876 wrote to memory of 3360 876 jddvp.exe 89 PID 876 wrote to memory of 3360 876 jddvp.exe 89 PID 3360 wrote to memory of 2388 3360 9rrfxxl.exe 90 PID 3360 wrote to memory of 2388 3360 9rrfxxl.exe 90 PID 3360 wrote to memory of 2388 3360 9rrfxxl.exe 90 PID 2388 wrote to memory of 1256 2388 hbhhbt.exe 91 PID 2388 wrote to memory of 1256 2388 hbhhbt.exe 91 PID 2388 wrote to memory of 1256 2388 hbhhbt.exe 91 PID 1256 wrote to memory of 1244 1256 jpdpj.exe 93 PID 1256 wrote to memory of 1244 1256 jpdpj.exe 93 PID 1256 wrote to memory of 1244 1256 jpdpj.exe 93 PID 1244 wrote to memory of 4772 1244 7lrrflf.exe 94 PID 1244 wrote to memory of 4772 1244 7lrrflf.exe 94 PID 1244 wrote to memory of 4772 1244 7lrrflf.exe 94 PID 4772 wrote to memory of 4312 4772 bbhbbt.exe 95 PID 4772 wrote to memory of 4312 4772 bbhbbt.exe 95 PID 4772 wrote to memory of 4312 4772 bbhbbt.exe 95 PID 4312 wrote to memory of 1520 4312 9pvpd.exe 96 PID 4312 wrote to memory of 1520 4312 9pvpd.exe 96 PID 4312 wrote to memory of 1520 4312 9pvpd.exe 96 PID 1520 wrote to memory of 1584 1520 pjpjd.exe 97 PID 1520 wrote to memory of 1584 1520 
pjpjd.exe 97 PID 1520 wrote to memory of 1584 1520 pjpjd.exe 97 PID 1584 wrote to memory of 3684 1584 xfffllf.exe 98 PID 1584 wrote to memory of 3684 1584 xfffllf.exe 98 PID 1584 wrote to memory of 3684 1584 xfffllf.exe 98 PID 3684 wrote to memory of 3120 3684 9xlffxf.exe 100 PID 3684 wrote to memory of 3120 3684 9xlffxf.exe 100 PID 3684 wrote to memory of 3120 3684 9xlffxf.exe 100 PID 3120 wrote to memory of 2044 3120 bbhnhn.exe 101 PID 3120 wrote to memory of 2044 3120 bbhnhn.exe 101 PID 3120 wrote to memory of 2044 3120 bbhnhn.exe 101 PID 2044 wrote to memory of 632 2044 jppdv.exe 102 PID 2044 wrote to memory of 632 2044 jppdv.exe 102 PID 2044 wrote to memory of 632 2044 jppdv.exe 102 PID 632 wrote to memory of 1488 632 5rrrllf.exe 327 PID 632 wrote to memory of 1488 632 5rrrllf.exe 327 PID 632 wrote to memory of 1488 632 5rrrllf.exe 327 PID 1488 wrote to memory of 4960 1488 frrllfx.exe 104 PID 1488 wrote to memory of 4960 1488 frrllfx.exe 104 PID 1488 wrote to memory of 4960 1488 frrllfx.exe 104 PID 4960 wrote to memory of 2936 4960 htttnn.exe 105 PID 4960 wrote to memory of 2936 4960 htttnn.exe 105 PID 4960 wrote to memory of 2936 4960 htttnn.exe 105 PID 2936 wrote to memory of 4456 2936 dvjpd.exe 427 PID 2936 wrote to memory of 4456 2936 dvjpd.exe 427 PID 2936 wrote to memory of 4456 2936 dvjpd.exe 427 PID 4456 wrote to memory of 4700 4456 dpvpd.exe 107 PID 4456 wrote to memory of 4700 4456 dpvpd.exe 107 PID 4456 wrote to memory of 4700 4456 dpvpd.exe 107 PID 4700 wrote to memory of 3416 4700 fxrlfxx.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe"C:\Users\Admin\AppData\Local\Temp\d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\vpvjp.exec:\vpvjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\nhnhbt.exec:\nhnhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\nttbtt.exec:\nttbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\jddvp.exec:\jddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\9rrfxxl.exec:\9rrfxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\hbhhbt.exec:\hbhhbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\jpdpj.exec:\jpdpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\7lrrflf.exec:\7lrrflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\bbhbbt.exec:\bbhbbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\9pvpd.exec:\9pvpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\pjpjd.exec:\pjpjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\xfffllf.exec:\xfffllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\9xlffxf.exec:\9xlffxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\bbhnhn.exec:\bbhnhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\jppdv.exec:\jppdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\5rrrllf.exec:\5rrrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\frrllfx.exec:\frrllfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\htttnn.exec:\htttnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\dvjpd.exec:\dvjpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\dpvpd.exec:\dpvpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\fxrlfxx.exec:\fxrlfxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\xlllflf.exec:\xlllflf.exe23⤵
- Executes dropped EXE
PID:3416 -
\??\c:\5bhhnn.exec:\5bhhnn.exe24⤵
- Executes dropped EXE
PID:3880 -
\??\c:\7pdvj.exec:\7pdvj.exe25⤵
- Executes dropped EXE
PID:4092 -
\??\c:\llrlrrf.exec:\llrlrrf.exe26⤵
- Executes dropped EXE
PID:4048 -
\??\c:\lfrlfff.exec:\lfrlfff.exe27⤵
- Executes dropped EXE
PID:1176 -
\??\c:\thbbtb.exec:\thbbtb.exe28⤵
- Executes dropped EXE
PID:4540 -
\??\c:\vjjpj.exec:\vjjpj.exe29⤵
- Executes dropped EXE
PID:544 -
\??\c:\dddvj.exec:\dddvj.exe30⤵
- Executes dropped EXE
PID:5096 -
\??\c:\fxllffx.exec:\fxllffx.exe31⤵
- Executes dropped EXE
PID:2240 -
\??\c:\7nhhtt.exec:\7nhhtt.exe32⤵
- Executes dropped EXE
PID:1236 -
\??\c:\jpjdv.exec:\jpjdv.exe33⤵
- Executes dropped EXE
PID:2152 -
\??\c:\7xfxrll.exec:\7xfxrll.exe34⤵
- Executes dropped EXE
PID:932 -
\??\c:\hbhbtb.exec:\hbhbtb.exe35⤵
- Executes dropped EXE
PID:3692 -
\??\c:\nhnbtn.exec:\nhnbtn.exe36⤵
- Executes dropped EXE
PID:4896 -
\??\c:\3ddvp.exec:\3ddvp.exe37⤵
- Executes dropped EXE
PID:3132 -
\??\c:\vpjpd.exec:\vpjpd.exe38⤵
- Executes dropped EXE
PID:3316 -
\??\c:\xxxrlll.exec:\xxxrlll.exe39⤵
- Executes dropped EXE
PID:4892 -
\??\c:\3bnhbb.exec:\3bnhbb.exe40⤵
- Executes dropped EXE
PID:3488 -
\??\c:\bbntnn.exec:\bbntnn.exe41⤵
- Executes dropped EXE
PID:2328 -
\??\c:\pjvvp.exec:\pjvvp.exe42⤵
- Executes dropped EXE
PID:3080 -
\??\c:\jjjjv.exec:\jjjjv.exe43⤵
- Executes dropped EXE
PID:900 -
\??\c:\5lfxxll.exec:\5lfxxll.exe44⤵
- Executes dropped EXE
PID:4576 -
\??\c:\llxxxrx.exec:\llxxxrx.exe45⤵
- Executes dropped EXE
PID:2960 -
\??\c:\5tbttt.exec:\5tbttt.exe46⤵
- Executes dropped EXE
PID:5016 -
\??\c:\hbhbbb.exec:\hbhbbb.exe47⤵
- Executes dropped EXE
PID:4936 -
\??\c:\pdpjv.exec:\pdpjv.exe48⤵
- Executes dropped EXE
PID:4504 -
\??\c:\xxlfllx.exec:\xxlfllx.exe49⤵
- Executes dropped EXE
PID:4508 -
\??\c:\xrlrflf.exec:\xrlrflf.exe50⤵
- Executes dropped EXE
PID:2000 -
\??\c:\bhhhhh.exec:\bhhhhh.exe51⤵
- Executes dropped EXE
PID:4772 -
\??\c:\vdjdp.exec:\vdjdp.exe52⤵
- Executes dropped EXE
PID:1648 -
\??\c:\ddjdp.exec:\ddjdp.exe53⤵
- Executes dropped EXE
PID:3840 -
\??\c:\xfrrrlf.exec:\xfrrrlf.exe54⤵
- Executes dropped EXE
PID:620 -
\??\c:\llllfxr.exec:\llllfxr.exe55⤵
- Executes dropped EXE
PID:1476 -
\??\c:\nhttnn.exec:\nhttnn.exe56⤵
- Executes dropped EXE
PID:2416 -
\??\c:\thbthh.exec:\thbthh.exe57⤵
- Executes dropped EXE
PID:2912 -
\??\c:\vjvdd.exec:\vjvdd.exe58⤵
- Executes dropped EXE
PID:2272 -
\??\c:\jdjdj.exec:\jdjdj.exe59⤵
- Executes dropped EXE
PID:4416 -
\??\c:\rffxxrr.exec:\rffxxrr.exe60⤵
- Executes dropped EXE
PID:1604 -
\??\c:\bbtnbb.exec:\bbtnbb.exe61⤵
- Executes dropped EXE
PID:3864 -
\??\c:\btttnn.exec:\btttnn.exe62⤵
- Executes dropped EXE
PID:2248 -
\??\c:\djpjp.exec:\djpjp.exe63⤵
- Executes dropped EXE
PID:1720 -
\??\c:\jpvvj.exec:\jpvvj.exe64⤵
- Executes dropped EXE
PID:4332 -
\??\c:\xfffxlr.exec:\xfffxlr.exe65⤵
- Executes dropped EXE
PID:1968 -
\??\c:\rrffxxr.exec:\rrffxxr.exe66⤵PID:3736
-
\??\c:\httnhb.exec:\httnhb.exe67⤵PID:1172
-
\??\c:\thbtnh.exec:\thbtnh.exe68⤵PID:2120
-
\??\c:\vdvpj.exec:\vdvpj.exe69⤵PID:4236
-
\??\c:\pdjdv.exec:\pdjdv.exe70⤵PID:4956
-
\??\c:\xllfrlf.exec:\xllfrlf.exe71⤵PID:944
-
\??\c:\1ffxxll.exec:\1ffxxll.exe72⤵PID:3212
-
\??\c:\hbbbtt.exec:\hbbbtt.exe73⤵PID:1064
-
\??\c:\nnbttt.exec:\nnbttt.exe74⤵PID:3896
-
\??\c:\ppjdv.exec:\ppjdv.exe75⤵PID:4296
-
\??\c:\ppvpd.exec:\ppvpd.exe76⤵PID:3900
-
\??\c:\5rlffff.exec:\5rlffff.exe77⤵PID:2820
-
\??\c:\xfrrlll.exec:\xfrrlll.exe78⤵PID:3788
-
\??\c:\nnttnh.exec:\nnttnh.exe79⤵PID:2964
-
\??\c:\thbbtt.exec:\thbbtt.exe80⤵PID:4840
-
\??\c:\jpdvp.exec:\jpdvp.exe81⤵PID:2700
-
\??\c:\djpjv.exec:\djpjv.exe82⤵PID:768
-
\??\c:\xfrrflx.exec:\xfrrflx.exe83⤵PID:4896
-
\??\c:\hnbbtt.exec:\hnbbtt.exe84⤵PID:3492
-
\??\c:\hthbnn.exec:\hthbnn.exe85⤵PID:3316
-
\??\c:\jdjjv.exec:\jdjjv.exe86⤵PID:2852
-
\??\c:\ppdvd.exec:\ppdvd.exe87⤵PID:4392
-
\??\c:\9flfflf.exec:\9flfflf.exe88⤵PID:3004
-
\??\c:\5ntnht.exec:\5ntnht.exe89⤵PID:960
-
\??\c:\tbhbtn.exec:\tbhbtn.exe90⤵PID:3080
-
\??\c:\vvddd.exec:\vvddd.exe91⤵PID:4576
-
\??\c:\3jjjd.exec:\3jjjd.exe92⤵PID:1016
-
\??\c:\3xrlxxx.exec:\3xrlxxx.exe93⤵PID:2008
-
\??\c:\rflffff.exec:\rflffff.exe94⤵PID:1256
-
\??\c:\tnbtbt.exec:\tnbtbt.exe95⤵PID:1704
-
\??\c:\1ttnhh.exec:\1ttnhh.exe96⤵PID:4148
-
\??\c:\jjddj.exec:\jjddj.exe97⤵PID:2320
-
\??\c:\pjvpj.exec:\pjvpj.exe98⤵PID:2052
-
\??\c:\lrrlxxl.exec:\lrrlxxl.exe99⤵PID:1404
-
\??\c:\hbbhbn.exec:\hbbhbn.exe100⤵PID:1520
-
\??\c:\tbhhbb.exec:\tbhhbb.exe101⤵PID:2376
-
\??\c:\dvddv.exec:\dvddv.exe102⤵PID:220
-
\??\c:\3djvv.exec:\3djvv.exe103⤵PID:3612
-
\??\c:\9fffrlx.exec:\9fffrlx.exe104⤵PID:5056
-
\??\c:\bhntnt.exec:\bhntnt.exe105⤵PID:3120
-
\??\c:\btnnnn.exec:\btnnnn.exe106⤵PID:2940
-
\??\c:\vpvjp.exec:\vpvjp.exe107⤵PID:3852
-
\??\c:\vvpjv.exec:\vvpjv.exe108⤵PID:4856
-
\??\c:\lxfrffl.exec:\lxfrffl.exe109⤵PID:2248
-
\??\c:\frffxxx.exec:\frffxxx.exe110⤵PID:2568
-
\??\c:\xffxrlr.exec:\xffxrlr.exe111⤵PID:5092
-
\??\c:\5tbtbh.exec:\5tbtbh.exe112⤵PID:4456
-
\??\c:\jvvjd.exec:\jvvjd.exe113⤵PID:1732
-
\??\c:\dvvdv.exec:\dvvdv.exe114⤵PID:3912
-
\??\c:\pdpjj.exec:\pdpjj.exe115⤵PID:2788
-
\??\c:\3rfxlfx.exec:\3rfxlfx.exe116⤵PID:2796
-
\??\c:\lfxfffx.exec:\lfxfffx.exe117⤵PID:4500
-
\??\c:\nhbtht.exec:\nhbtht.exe118⤵PID:1608
-
\??\c:\hthnbb.exec:\hthnbb.exe119⤵PID:1040
-
\??\c:\pdjjd.exec:\pdjjd.exe120⤵PID:4008
-
\??\c:\vpdvd.exec:\vpdvd.exe121⤵PID:2684
-
\??\c:\xxllffl.exec:\xxllffl.exe122⤵PID:5080