Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 16:12
Behavioral task
behavioral1
Sample
9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe
-
Size
72KB
-
MD5
b6d86dcfe7d47193a7f1517565780fe0
-
SHA1
b822495ffbe9a3f3a50f3c115a49420cd4e090c6
-
SHA256
9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544
-
SHA512
86cd5fea8f4c330aa218ed67315059791a59ee1fc4a5078c56218728dc1a6d11a09c26c0650400bd6f0463e73e0e7572222c75d726a084b12da6111604246691
-
SSDEEP
1536:zvQBeOGtrYS3srx93UBWfwC6Ggnouy8iT4+IJPkffW2Vl4zQ3y3:zhOmTsF93UYfwC6GIoutiTm5kfuGC3
Malware Config
Signatures
-
Detect Blackmoon payload 59 IoCs
resource yara_rule behavioral1/memory/2708-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1152-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2352-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2804-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2056-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2904-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2304-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2912-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2820-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1868-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1468-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1828-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1868-127-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/3016-128-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3016-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2948-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2948-138-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1944-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/560-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2660-185-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/624-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1764-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/700-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2424-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1524-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2088-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1600-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2908-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2464-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-336-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2620-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2648-356-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2932-396-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3004-412-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2600-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1484-511-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2012-552-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2876-589-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2960-637-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2840-648-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon 
behavioral1/memory/836-714-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2468-782-0x0000000076D20000-0x0000000076E3F000-memory.dmp family_blackmoon behavioral1/memory/2972-835-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2516-871-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2924-901-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1924-955-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2468-7031-0x0000000076D20000-0x0000000076E3F000-memory.dmp family_blackmoon behavioral1/memory/2468-7536-0x0000000076E40000-0x0000000076F3A000-memory.dmp family_blackmoon behavioral1/memory/2468-9796-0x0000000076E40000-0x0000000076F3A000-memory.dmp family_blackmoon behavioral1/memory/2468-10047-0x0000000076D20000-0x0000000076E3F000-memory.dmp family_blackmoon behavioral1/memory/2468-10300-0x0000000076E40000-0x0000000076F3A000-memory.dmp family_blackmoon behavioral1/memory/2468-10803-0x0000000076D20000-0x0000000076E3F000-memory.dmp family_blackmoon behavioral1/memory/2468-11308-0x0000000076E40000-0x0000000076F3A000-memory.dmp family_blackmoon behavioral1/memory/2468-11559-0x0000000076D20000-0x0000000076E3F000-memory.dmp family_blackmoon behavioral1/memory/2468-11812-0x0000000076E40000-0x0000000076F3A000-memory.dmp family_blackmoon behavioral1/memory/2468-12315-0x0000000076D20000-0x0000000076E3F000-memory.dmp family_blackmoon behavioral1/memory/2468-16843-0x0000000076D20000-0x0000000076E3F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2708 lffllrf.exe 2352 nhbnbn.exe 2804 vpdjp.exe 2056 frlxlrr.exe 2904 tbnbbb.exe 2304 dvpjd.exe 2912 lxlfflr.exe 2820 bnhbtn.exe 2668 jpvjp.exe 2664 1dddj.exe 1868 llfrlxr.exe 1468 nhnhbn.exe 1828 1nnhhb.exe 3016 xxllllf.exe 2948 llrlfrl.exe 2608 bhhbtn.exe 1944 7ddvj.exe 560 fxflxff.exe 1752 7lfllfx.exe 3064 5tntnn.exe 2660 7jppd.exe 756 9vpdp.exe 624 1lxllfx.exe 1764 nbbbtb.exe 700 3dvdp.exe 2132 xxlfllf.exe 1320 bbthnh.exe 2424 3jddp.exe 1484 vjdvp.exe 336 fllfxlf.exe 1792 bhttbb.exe 1496 ddjdp.exe 2596 vjdvv.exe 1708 rxxlfrr.exe 1524 tthtnh.exe 2088 pjjjd.exe 2552 vpjpj.exe 1600 rxxxxxf.exe 2764 nhttnb.exe 2464 btttbb.exe 2908 jvvvd.exe 2752 vvpvp.exe 2628 fxfrrrl.exe 2784 tbtbth.exe 2648 bbnbnh.exe 2868 vpjpd.exe 2620 rrfrfxl.exe 2652 xlxfxlx.exe 2024 hbthth.exe 2492 1ppjv.exe 2960 dpjvj.exe 1820 rlxfxfx.exe 3036 xrlxlrr.exe 2852 nhntbb.exe 2932 dpjdv.exe 3068 vvjjd.exe 2948 fxffffr.exe 3004 ntnbtt.exe 3056 bnbbhh.exe 856 jvppj.exe 2072 rxrflrx.exe 2068 rrxrfrf.exe 2500 hhthhn.exe 264 hbthbn.exe -
resource yara_rule behavioral1/memory/1152-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000d000000015ceb-5.dat upx behavioral1/memory/2708-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1152-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015da1-17.dat upx behavioral1/files/0x0007000000015f4c-25.dat upx behavioral1/memory/2352-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015fba-33.dat upx behavioral1/memory/2804-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016033-41.dat upx behavioral1/memory/2056-40-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2056-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a000000016136-51.dat upx behavioral1/memory/2904-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2304-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000186c8-58.dat upx behavioral1/memory/2820-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2912-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001878d-66.dat upx behavioral1/memory/2820-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000190c6-76.dat upx behavioral1/memory/2668-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000190c9-85.dat upx behavioral1/files/0x00050000000191f3-95.dat upx behavioral1/memory/1868-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2664-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000191fd-102.dat upx behavioral1/files/0x0005000000019217-110.dat upx behavioral1/memory/1468-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019220-120.dat upx 
behavioral1/memory/1828-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3016-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019238-129.dat upx behavioral1/memory/2948-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019240-139.dat upx behavioral1/files/0x000500000001925d-146.dat upx behavioral1/memory/1944-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019263-154.dat upx behavioral1/memory/560-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019278-162.dat upx behavioral1/memory/3064-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019280-170.dat upx behavioral1/files/0x000500000001938b-178.dat upx behavioral1/files/0x0005000000019399-186.dat upx behavioral1/files/0x00050000000193b7-193.dat upx behavioral1/memory/624-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193c1-201.dat upx behavioral1/files/0x00050000000193c8-208.dat upx behavioral1/memory/1764-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193d4-218.dat upx behavioral1/memory/700-216-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193ec-226.dat upx behavioral1/files/0x0005000000019417-233.dat upx behavioral1/files/0x0009000000015d68-240.dat upx behavioral1/memory/1484-242-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2424-241-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001941a-249.dat upx behavioral1/files/0x0005000000019436-257.dat upx behavioral1/files/0x0005000000019441-263.dat upx behavioral1/memory/1524-280-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1524-286-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2088-292-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1600-303-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2908-319-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxlff.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1152 wrote to memory of 2708 1152 9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe 31 PID 1152 wrote to memory of 2708 1152 9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe 31 PID 1152 wrote to memory of 2708 1152 9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe 31 PID 1152 wrote to memory of 2708 1152 9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe 31 PID 2708 wrote to memory of 2352 2708 lffllrf.exe 32 PID 2708 wrote to memory of 2352 2708 lffllrf.exe 32 PID 2708 wrote to memory of 2352 2708 lffllrf.exe 32 PID 2708 wrote to memory of 2352 2708 lffllrf.exe 32 PID 2352 wrote to memory of 2804 2352 nhbnbn.exe 33 PID 2352 wrote to memory of 2804 2352 nhbnbn.exe 33 PID 2352 wrote to memory of 2804 2352 nhbnbn.exe 33 PID 2352 wrote to memory of 2804 2352 nhbnbn.exe 33 PID 2804 wrote to memory of 2056 2804 vpdjp.exe 34 PID 2804 wrote to memory of 2056 2804 vpdjp.exe 34 PID 2804 wrote to memory of 2056 2804 vpdjp.exe 34 PID 2804 wrote to memory of 2056 2804 vpdjp.exe 34 PID 2056 wrote to memory of 2904 2056 frlxlrr.exe 35 PID 2056 wrote to memory of 2904 2056 frlxlrr.exe 35 PID 2056 wrote to memory of 2904 2056 frlxlrr.exe 35 PID 2056 wrote to memory of 2904 2056 frlxlrr.exe 35 PID 2904 wrote to memory of 2304 2904 tbnbbb.exe 36 PID 2904 wrote to memory of 2304 2904 tbnbbb.exe 36 PID 2904 wrote to memory of 2304 2904 tbnbbb.exe 36 PID 2904 wrote to memory of 2304 2904 tbnbbb.exe 36 PID 2304 wrote to memory of 2912 2304 dvpjd.exe 37 PID 2304 wrote to memory of 2912 2304 dvpjd.exe 37 PID 2304 wrote to memory of 2912 2304 dvpjd.exe 37 PID 2304 wrote to memory of 2912 2304 dvpjd.exe 37 PID 2912 wrote to memory of 2820 2912 lxlfflr.exe 38 PID 2912 wrote to memory of 2820 2912 lxlfflr.exe 38 PID 2912 wrote to memory of 2820 2912 lxlfflr.exe 38 PID 2912 wrote to memory of 2820 2912 lxlfflr.exe 38 PID 2820 wrote to memory of 2668 2820 bnhbtn.exe 39 PID 
2820 wrote to memory of 2668 2820 bnhbtn.exe 39 PID 2820 wrote to memory of 2668 2820 bnhbtn.exe 39 PID 2820 wrote to memory of 2668 2820 bnhbtn.exe 39 PID 2668 wrote to memory of 2664 2668 jpvjp.exe 40 PID 2668 wrote to memory of 2664 2668 jpvjp.exe 40 PID 2668 wrote to memory of 2664 2668 jpvjp.exe 40 PID 2668 wrote to memory of 2664 2668 jpvjp.exe 40 PID 2664 wrote to memory of 1868 2664 1dddj.exe 41 PID 2664 wrote to memory of 1868 2664 1dddj.exe 41 PID 2664 wrote to memory of 1868 2664 1dddj.exe 41 PID 2664 wrote to memory of 1868 2664 1dddj.exe 41 PID 1868 wrote to memory of 1468 1868 llfrlxr.exe 42 PID 1868 wrote to memory of 1468 1868 llfrlxr.exe 42 PID 1868 wrote to memory of 1468 1868 llfrlxr.exe 42 PID 1868 wrote to memory of 1468 1868 llfrlxr.exe 42 PID 1468 wrote to memory of 1828 1468 nhnhbn.exe 43 PID 1468 wrote to memory of 1828 1468 nhnhbn.exe 43 PID 1468 wrote to memory of 1828 1468 nhnhbn.exe 43 PID 1468 wrote to memory of 1828 1468 nhnhbn.exe 43 PID 1828 wrote to memory of 3016 1828 1nnhhb.exe 44 PID 1828 wrote to memory of 3016 1828 1nnhhb.exe 44 PID 1828 wrote to memory of 3016 1828 1nnhhb.exe 44 PID 1828 wrote to memory of 3016 1828 1nnhhb.exe 44 PID 3016 wrote to memory of 2948 3016 xxllllf.exe 45 PID 3016 wrote to memory of 2948 3016 xxllllf.exe 45 PID 3016 wrote to memory of 2948 3016 xxllllf.exe 45 PID 3016 wrote to memory of 2948 3016 xxllllf.exe 45 PID 2948 wrote to memory of 2608 2948 llrlfrl.exe 46 PID 2948 wrote to memory of 2608 2948 llrlfrl.exe 46 PID 2948 wrote to memory of 2608 2948 llrlfrl.exe 46 PID 2948 wrote to memory of 2608 2948 llrlfrl.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe"C:\Users\Admin\AppData\Local\Temp\9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\lffllrf.exec:\lffllrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\nhbnbn.exec:\nhbnbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\vpdjp.exec:\vpdjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\frlxlrr.exec:\frlxlrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\tbnbbb.exec:\tbnbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\dvpjd.exec:\dvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\lxlfflr.exec:\lxlfflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\bnhbtn.exec:\bnhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\jpvjp.exec:\jpvjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\1dddj.exec:\1dddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\llfrlxr.exec:\llfrlxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\nhnhbn.exec:\nhnhbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\1nnhhb.exec:\1nnhhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\xxllllf.exec:\xxllllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\llrlfrl.exec:\llrlfrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\bhhbtn.exec:\bhhbtn.exe17⤵
- Executes dropped EXE
PID:2608 -
\??\c:\7ddvj.exec:\7ddvj.exe18⤵
- Executes dropped EXE
PID:1944 -
\??\c:\fxflxff.exec:\fxflxff.exe19⤵
- Executes dropped EXE
PID:560 -
\??\c:\7lfllfx.exec:\7lfllfx.exe20⤵
- Executes dropped EXE
PID:1752 -
\??\c:\5tntnn.exec:\5tntnn.exe21⤵
- Executes dropped EXE
PID:3064 -
\??\c:\7jppd.exec:\7jppd.exe22⤵
- Executes dropped EXE
PID:2660 -
\??\c:\9vpdp.exec:\9vpdp.exe23⤵
- Executes dropped EXE
PID:756 -
\??\c:\1lxllfx.exec:\1lxllfx.exe24⤵
- Executes dropped EXE
PID:624 -
\??\c:\nbbbtb.exec:\nbbbtb.exe25⤵
- Executes dropped EXE
PID:1764 -
\??\c:\3dvdp.exec:\3dvdp.exe26⤵
- Executes dropped EXE
PID:700 -
\??\c:\xxlfllf.exec:\xxlfllf.exe27⤵
- Executes dropped EXE
PID:2132 -
\??\c:\bbthnh.exec:\bbthnh.exe28⤵
- Executes dropped EXE
PID:1320 -
\??\c:\3jddp.exec:\3jddp.exe29⤵
- Executes dropped EXE
PID:2424 -
\??\c:\vjdvp.exec:\vjdvp.exe30⤵
- Executes dropped EXE
PID:1484 -
\??\c:\fllfxlf.exec:\fllfxlf.exe31⤵
- Executes dropped EXE
PID:336 -
\??\c:\bhttbb.exec:\bhttbb.exe32⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ddjdp.exec:\ddjdp.exe33⤵
- Executes dropped EXE
PID:1496 -
\??\c:\vjdvv.exec:\vjdvv.exe34⤵
- Executes dropped EXE
PID:2596 -
\??\c:\rxxlfrr.exec:\rxxlfrr.exe35⤵
- Executes dropped EXE
PID:1708 -
\??\c:\tthtnh.exec:\tthtnh.exe36⤵
- Executes dropped EXE
PID:1524 -
\??\c:\pjjjd.exec:\pjjjd.exe37⤵
- Executes dropped EXE
PID:2088 -
\??\c:\vpjpj.exec:\vpjpj.exe38⤵
- Executes dropped EXE
PID:2552 -
\??\c:\rxxxxxf.exec:\rxxxxxf.exe39⤵
- Executes dropped EXE
PID:1600 -
\??\c:\nhttnb.exec:\nhttnb.exe40⤵
- Executes dropped EXE
PID:2764 -
\??\c:\btttbb.exec:\btttbb.exe41⤵
- Executes dropped EXE
PID:2464 -
\??\c:\jvvvd.exec:\jvvvd.exe42⤵
- Executes dropped EXE
PID:2908 -
\??\c:\vvpvp.exec:\vvpvp.exe43⤵
- Executes dropped EXE
PID:2752 -
\??\c:\fxfrrrl.exec:\fxfrrrl.exe44⤵
- Executes dropped EXE
PID:2628 -
\??\c:\tbtbth.exec:\tbtbth.exe45⤵
- Executes dropped EXE
PID:2784 -
\??\c:\bbnbnh.exec:\bbnbnh.exe46⤵
- Executes dropped EXE
PID:2648 -
\??\c:\vpjpd.exec:\vpjpd.exe47⤵
- Executes dropped EXE
PID:2868 -
\??\c:\rrfrfxl.exec:\rrfrfxl.exe48⤵
- Executes dropped EXE
PID:2620 -
\??\c:\xlxfxlx.exec:\xlxfxlx.exe49⤵
- Executes dropped EXE
PID:2652 -
\??\c:\hbthth.exec:\hbthth.exe50⤵
- Executes dropped EXE
PID:2024 -
\??\c:\1ppjv.exec:\1ppjv.exe51⤵
- Executes dropped EXE
PID:2492 -
\??\c:\dpjvj.exec:\dpjvj.exe52⤵
- Executes dropped EXE
PID:2960 -
\??\c:\rlxfxfx.exec:\rlxfxfx.exe53⤵
- Executes dropped EXE
PID:1820 -
\??\c:\xrlxlrr.exec:\xrlxlrr.exe54⤵
- Executes dropped EXE
PID:3036 -
\??\c:\nhntbb.exec:\nhntbb.exe55⤵
- Executes dropped EXE
PID:2852 -
\??\c:\dpjdv.exec:\dpjdv.exe56⤵
- Executes dropped EXE
PID:2932 -
\??\c:\vvjjd.exec:\vvjjd.exe57⤵
- Executes dropped EXE
PID:3068 -
\??\c:\fxffffr.exec:\fxffffr.exe58⤵
- Executes dropped EXE
PID:2948 -
\??\c:\ntnbtt.exec:\ntnbtt.exe59⤵
- Executes dropped EXE
PID:3004 -
\??\c:\bnbbhh.exec:\bnbbhh.exe60⤵
- Executes dropped EXE
PID:3056 -
\??\c:\jvppj.exec:\jvppj.exe61⤵
- Executes dropped EXE
PID:856 -
\??\c:\rxrflrx.exec:\rxrflrx.exe62⤵
- Executes dropped EXE
PID:2072 -
\??\c:\rrxrfrf.exec:\rrxrfrf.exe63⤵
- Executes dropped EXE
PID:2068 -
\??\c:\hhthhn.exec:\hhthhn.exe64⤵
- Executes dropped EXE
PID:2500 -
\??\c:\hbthbn.exec:\hbthbn.exe65⤵
- Executes dropped EXE
PID:264 -
\??\c:\djdvv.exec:\djdvv.exe66⤵PID:2376
-
\??\c:\1rrxfrr.exec:\1rrxfrr.exe67⤵PID:836
-
\??\c:\1rxxfxr.exec:\1rxxfxr.exe68⤵PID:404
-
\??\c:\thbbhn.exec:\thbbhn.exe69⤵PID:2604
-
\??\c:\nhthhh.exec:\nhthhh.exe70⤵PID:2600
-
\??\c:\3jpdj.exec:\3jpdj.exe71⤵PID:1356
-
\??\c:\jjjvj.exec:\jjjvj.exe72⤵PID:932
-
\??\c:\xffrxlx.exec:\xffrxlx.exe73⤵PID:1548
-
\??\c:\hbbhnt.exec:\hbbhnt.exe74⤵PID:1696
-
\??\c:\bhnnbh.exec:\bhnnbh.exe75⤵PID:2252
-
\??\c:\vjdjv.exec:\vjdjv.exe76⤵PID:1960
-
\??\c:\rxrxrxl.exec:\rxrxrxl.exe77⤵PID:1484
-
\??\c:\hhhbhb.exec:\hhhbhb.exe78⤵PID:292
-
\??\c:\nbnbhh.exec:\nbnbhh.exe79⤵PID:1000
-
\??\c:\jvvvd.exec:\jvvvd.exe80⤵PID:888
-
\??\c:\vvdjv.exec:\vvdjv.exe81⤵PID:1956
-
\??\c:\rfrfflf.exec:\rfrfflf.exe82⤵PID:1608
-
\??\c:\hthnnt.exec:\hthnnt.exe83⤵PID:2544
-
\??\c:\5bntbh.exec:\5bntbh.exe84⤵PID:2012
-
\??\c:\jjddp.exec:\jjddp.exe85⤵PID:2092
-
\??\c:\9xrrlrf.exec:\9xrrlrf.exe86⤵PID:2240
-
\??\c:\ttntbh.exec:\ttntbh.exe87⤵PID:2112
-
\??\c:\nnntnb.exec:\nnntnb.exe88⤵PID:2780
-
\??\c:\vvdpj.exec:\vvdpj.exe89⤵PID:2972
-
\??\c:\vvjpd.exec:\vvjpd.exe90⤵PID:2884
-
\??\c:\xrfrxxl.exec:\xrfrxxl.exe91⤵PID:2876
-
\??\c:\5bntbn.exec:\5bntbn.exe92⤵PID:1808
-
\??\c:\ttnhnh.exec:\ttnhnh.exe93⤵PID:2740
-
\??\c:\pvvpj.exec:\pvvpj.exe94⤵PID:2792
-
\??\c:\jdvjv.exec:\jdvjv.exe95⤵PID:2624
-
\??\c:\xrrxrff.exec:\xrrxrff.exe96⤵PID:2700
-
\??\c:\xrxlflr.exec:\xrxlflr.exe97⤵PID:2672
-
\??\c:\7nnbtb.exec:\7nnbtb.exe98⤵PID:1580
-
\??\c:\djpvp.exec:\djpvp.exe99⤵PID:2344
-
\??\c:\dvdjd.exec:\dvdjd.exe100⤵PID:2960
-
\??\c:\xrffflx.exec:\xrffflx.exe101⤵PID:1820
-
\??\c:\lrxxfxf.exec:\lrxxfxf.exe102⤵PID:2840
-
\??\c:\nbnbth.exec:\nbnbth.exe103⤵PID:3016
-
\??\c:\vpjjv.exec:\vpjjv.exe104⤵PID:2940
-
\??\c:\jjdjp.exec:\jjdjp.exe105⤵PID:1536
-
\??\c:\xlrrrlr.exec:\xlrrrlr.exe106⤵PID:2844
-
\??\c:\hhbhht.exec:\hhbhht.exe107⤵PID:2020
-
\??\c:\tbnthh.exec:\tbnthh.exe108⤵PID:1924
-
\??\c:\dpjdp.exec:\dpjdp.exe109⤵PID:788
-
\??\c:\xrxllrf.exec:\xrxllrf.exe110⤵PID:2072
-
\??\c:\lflxllx.exec:\lflxllx.exe111⤵PID:2068
-
\??\c:\nbtbnt.exec:\nbtbnt.exe112⤵PID:2568
-
\??\c:\btnhtb.exec:\btnhtb.exe113⤵PID:264
-
\??\c:\ddvjv.exec:\ddvjv.exe114⤵PID:2376
-
\??\c:\xxlrxfr.exec:\xxlrxfr.exe115⤵PID:836
-
\??\c:\lffflrx.exec:\lffflrx.exe116⤵PID:404
-
\??\c:\5bnbhn.exec:\5bnbhn.exe117⤵PID:2604
-
\??\c:\nbttnb.exec:\nbttnb.exe118⤵PID:1704
-
\??\c:\5dpdp.exec:\5dpdp.exe119⤵PID:1356
-
\??\c:\9xxxxxl.exec:\9xxxxxl.exe120⤵PID:2132
-
\??\c:\llfrfxl.exec:\llfrfxl.exe121⤵PID:3020
-
\??\c:\9hhbtb.exec:\9hhbtb.exe122⤵PID:1320