Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-11-2024 08:57
Behavioral task
behavioral1
Sample
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe
Resource
win7-20240903-en
General
-
Target
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe
-
Size
335KB
-
MD5
7a0f333a155797167d0c5c56254cc806
-
SHA1
a2b255e1eb252ef27942c16ee3031bf6d5f63d5e
-
SHA256
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f
-
SHA512
7d1e40cafc3463f84b2610ef06f5644e9f5bab008da42a78d8d270a17d2110830377b4668643b74000d5ab296659dc930f710c647e80869b837a74c90a4cc82d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRp:R4wFHoSHYHUrAwfMp3CDRp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
Processes:
resource yara_rule behavioral1/memory/2424-1-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2172-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2440-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2440-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1000-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1636-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2844-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2776-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1744-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-82-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2872-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1716-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2772-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1728-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2512-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3012-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/540-425-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2696-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2080-324-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2028-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/988-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3004-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/568-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1536-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1800-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1860-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2196-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1944-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2364-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1748-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/884-514-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/884-536-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2304-591-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2672-590-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1732-628-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2160-660-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2064-796-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2584-807-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2852-824-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2292-914-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1216-927-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2248-5159-0x00000000772C0000-0x00000000773DF000-memory.dmp family_blackmoon behavioral1/memory/2248-6403-0x00000000772C0000-0x00000000773DF000-memory.dmp family_blackmoon behavioral1/memory/2248-6651-0x00000000773E0000-0x00000000774DA000-memory.dmp family_blackmoon behavioral1/memory/2248-7144-0x00000000772C0000-0x00000000773DF000-memory.dmp family_blackmoon behavioral1/memory/2248-7392-0x00000000773E0000-0x00000000774DA000-memory.dmp family_blackmoon behavioral1/memory/2248-9620-0x00000000772C0000-0x00000000773DF000-memory.dmp family_blackmoon behavioral1/memory/2248-10114-0x00000000772C0000-0x00000000773DF000-memory.dmp family_blackmoon behavioral1/memory/2248-10858-0x00000000772C0000-0x00000000773DF000-memory.dmp family_blackmoon behavioral1/memory/2248-11352-0x00000000772C0000-0x00000000773DF000-memory.dmp family_blackmoon behavioral1/memory/2248-12093-0x00000000772C0000-0x00000000773DF000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
9nnhnn.exexllrfrx.exexlxxfff.exe1bnnnt.exejjvpd.exethhhbn.exebhthht.exedvppj.exefxxrfxx.exe3jpdp.exevdvpp.exexfllfll.exebhthnn.exeddppd.exelffffrx.exe1fxfxfl.exehhnbbn.exevpjvj.exexfxxxrx.exenbnnhn.exedpjpj.exejjddj.exe9lllflf.exebhbhbt.exetntbht.exe1ppdv.exettttbh.exenthnbt.exedvdjj.exe9ffrxfl.exenttnth.exe7pppj.exe5pvdd.exexrlfxlr.exe9thnnt.exebnhtbn.exevvppd.exexxxrrlx.exexrlxffr.exe5tbntt.exetbhbnh.exejdpdj.exeflfxlxl.exerlrffxf.exebtnnbb.exe7hhtbn.exevpvjj.exedvjpd.exexrflrfl.exenttbbh.exe3bnnbn.exejpddj.exelfxxflr.exethbbhn.exebbbbhn.exevpdpj.exejvdvd.exerlrrfff.exelxlrflr.exettnbnt.exe9nhnhh.exeppppd.exejpvpp.exe7xxlxfr.exepid Process 2172 9nnhnn.exe 2440 xllrfrx.exe 1000 xlxxfff.exe 1636 1bnnnt.exe 2776 jjvpd.exe 2844 thhhbn.exe 1744 bhthht.exe 2796 dvppj.exe 2664 fxxrfxx.exe 2872 3jpdp.exe 2700 vdvpp.exe 2688 xfllfll.exe 1748 bhthnn.exe 2624 ddppd.exe 1716 lffffrx.exe 2364 1fxfxfl.exe 1280 hhnbbn.exe 1540 vpjvj.exe 1944 xfxxxrx.exe 2952 nbnnhn.exe 2492 dpjpj.exe 2196 jjddj.exe 1860 9lllflf.exe 1800 bhbhbt.exe 3012 tntbht.exe 1536 1ppdv.exe 568 ttttbh.exe 3004 nthnbt.exe 2092 dvdjj.exe 2320 9ffrxfl.exe 988 nttnth.exe 1760 7pppj.exe 1668 5pvdd.exe 2028 xrlfxlr.exe 1528 9thnnt.exe 2172 bnhtbn.exe 2720 vvppd.exe 2716 xxxrrlx.exe 2908 xrlxffr.exe 1636 5tbntt.exe 2080 tbhbnh.exe 2740 jdpdj.exe 2840 flfxlxl.exe 2056 rlrffxf.exe 2788 btnnbb.exe 1240 7hhtbn.exe 2644 vpvjj.exe 2772 dvjpd.exe 2712 xrflrfl.exe 2648 nttbbh.exe 1736 3bnnbn.exe 2696 jpddj.exe 1752 lfxxflr.exe 1360 thbbhn.exe 1548 bbbbhn.exe 1972 vpdpj.exe 1728 jvdvd.exe 1424 rlrrfff.exe 2232 lxlrflr.exe 540 ttnbnt.exe 1368 9nhnhh.exe 2944 ppppd.exe 2512 jpvpp.exe 2008 7xxlxfr.exe -
Processes:
resource yara_rule behavioral1/memory/2424-1-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00090000000120f9-8.dat upx behavioral1/memory/2172-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000018bf3-14.dat upx behavioral1/memory/2172-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2440-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019227-25.dat upx behavioral1/memory/2440-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1000-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001922c-33.dat upx behavioral1/files/0x000700000001925e-42.dat upx behavioral1/memory/1636-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001926a-53.dat upx behavioral1/memory/2844-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019279-60.dat upx behavioral1/memory/2844-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2776-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019284-69.dat upx behavioral1/memory/1744-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001939d-78.dat upx behavioral1/memory/2796-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001957e-87.dat upx behavioral1/files/0x00050000000195a7-97.dat upx behavioral1/memory/2872-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195e6-105.dat upx behavioral1/memory/2688-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001961d-113.dat upx behavioral1/files/0x000500000001961f-124.dat upx behavioral1/files/0x0005000000019621-131.dat upx behavioral1/memory/1716-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019622-139.dat upx 
behavioral1/files/0x0005000000019623-148.dat upx behavioral1/files/0x0005000000019627-166.dat upx behavioral1/files/0x0005000000019629-174.dat upx behavioral1/files/0x000500000001962b-182.dat upx behavioral1/files/0x000500000001967f-199.dat upx behavioral1/files/0x000500000001970b-215.dat upx behavioral1/files/0x00050000000199b9-223.dat upx behavioral1/files/0x0005000000019c54-239.dat upx behavioral1/files/0x0005000000019c56-247.dat upx behavioral1/files/0x0005000000019c58-254.dat upx behavioral1/files/0x0005000000019c73-262.dat upx behavioral1/memory/2028-282-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2772-360-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1728-409-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2512-443-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3012-470-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2696-381-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2080-324-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2028-288-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019d3d-270.dat upx behavioral1/memory/988-268-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3004-246-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/568-237-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000018742-231.dat upx behavioral1/memory/1536-229-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1800-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000196c0-208.dat upx behavioral1/memory/1800-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1860-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2196-198-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/files/0x000500000001963b-190.dat upx behavioral1/memory/1944-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019625-158.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
Processes:
bbntnn.exe9rrrflr.exepjdjv.exe9jvvv.exerfrxrxl.exerflllll.exethbbhh.exenhttbt.exe3pddv.exe3jdjv.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe9nnhnn.exexllrfrx.exexlxxfff.exe1bnnnt.exejjvpd.exethhhbn.exebhthht.exedvppj.exefxxrfxx.exe3jpdp.exevdvpp.exexfllfll.exebhthnn.exeddppd.exelffffrx.exedescription pid Process procid_target PID 2424 wrote to memory of 2172 2424 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 30 PID 2424 wrote to memory of 2172 2424 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 30 PID 2424 wrote to memory of 2172 2424 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 30 PID 2424 wrote to memory of 2172 2424 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 30 PID 2172 wrote to memory of 2440 2172 9nnhnn.exe 31 PID 2172 wrote to memory of 2440 2172 9nnhnn.exe 31 PID 2172 wrote to memory of 2440 2172 9nnhnn.exe 31 PID 2172 wrote to memory of 2440 2172 9nnhnn.exe 31 PID 2440 wrote to memory of 1000 2440 xllrfrx.exe 32 PID 2440 wrote to memory of 1000 2440 xllrfrx.exe 32 PID 2440 wrote to memory of 1000 2440 xllrfrx.exe 32 PID 2440 wrote to memory of 1000 2440 xllrfrx.exe 32 PID 1000 wrote to memory of 1636 1000 xlxxfff.exe 69 PID 1000 wrote to memory of 1636 1000 xlxxfff.exe 69 PID 1000 wrote to memory of 1636 1000 xlxxfff.exe 69 PID 1000 wrote to memory of 1636 1000 xlxxfff.exe 69 PID 1636 wrote to memory of 2776 1636 1bnnnt.exe 34 PID 1636 wrote to memory of 2776 1636 1bnnnt.exe 34 PID 1636 wrote to memory of 2776 1636 1bnnnt.exe 34 PID 1636 wrote to memory of 2776 1636 1bnnnt.exe 34 PID 2776 wrote to memory of 2844 2776 jjvpd.exe 35 PID 2776 wrote to memory of 2844 2776 jjvpd.exe 35 PID 2776 wrote to memory of 2844 2776 jjvpd.exe 35 PID 2776 wrote to memory of 2844 2776 jjvpd.exe 35 PID 2844 wrote to memory of 1744 2844 thhhbn.exe 36 PID 2844 wrote to memory of 1744 2844 thhhbn.exe 36 PID 2844 wrote to memory of 1744 2844 thhhbn.exe 36 PID 2844 wrote to memory of 1744 2844 thhhbn.exe 36 PID 1744 wrote to memory of 2796 1744 bhthht.exe 37 
PID 1744 wrote to memory of 2796 1744 bhthht.exe 37 PID 1744 wrote to memory of 2796 1744 bhthht.exe 37 PID 1744 wrote to memory of 2796 1744 bhthht.exe 37 PID 2796 wrote to memory of 2664 2796 dvppj.exe 38 PID 2796 wrote to memory of 2664 2796 dvppj.exe 38 PID 2796 wrote to memory of 2664 2796 dvppj.exe 38 PID 2796 wrote to memory of 2664 2796 dvppj.exe 38 PID 2664 wrote to memory of 2872 2664 fxxrfxx.exe 39 PID 2664 wrote to memory of 2872 2664 fxxrfxx.exe 39 PID 2664 wrote to memory of 2872 2664 fxxrfxx.exe 39 PID 2664 wrote to memory of 2872 2664 fxxrfxx.exe 39 PID 2872 wrote to memory of 2700 2872 3jpdp.exe 40 PID 2872 wrote to memory of 2700 2872 3jpdp.exe 40 PID 2872 wrote to memory of 2700 2872 3jpdp.exe 40 PID 2872 wrote to memory of 2700 2872 3jpdp.exe 40 PID 2700 wrote to memory of 2688 2700 vdvpp.exe 41 PID 2700 wrote to memory of 2688 2700 vdvpp.exe 41 PID 2700 wrote to memory of 2688 2700 vdvpp.exe 41 PID 2700 wrote to memory of 2688 2700 vdvpp.exe 41 PID 2688 wrote to memory of 1748 2688 xfllfll.exe 42 PID 2688 wrote to memory of 1748 2688 xfllfll.exe 42 PID 2688 wrote to memory of 1748 2688 xfllfll.exe 42 PID 2688 wrote to memory of 1748 2688 xfllfll.exe 42 PID 1748 wrote to memory of 2624 1748 bhthnn.exe 43 PID 1748 wrote to memory of 2624 1748 bhthnn.exe 43 PID 1748 wrote to memory of 2624 1748 bhthnn.exe 43 PID 1748 wrote to memory of 2624 1748 bhthnn.exe 43 PID 2624 wrote to memory of 1716 2624 ddppd.exe 44 PID 2624 wrote to memory of 1716 2624 ddppd.exe 44 PID 2624 wrote to memory of 1716 2624 ddppd.exe 44 PID 2624 wrote to memory of 1716 2624 ddppd.exe 44 PID 1716 wrote to memory of 2364 1716 lffffrx.exe 45 PID 1716 wrote to memory of 2364 1716 lffffrx.exe 45 PID 1716 wrote to memory of 2364 1716 lffffrx.exe 45 PID 1716 wrote to memory of 2364 1716 lffffrx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe"C:\Users\Admin\AppData\Local\Temp\d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\9nnhnn.exec:\9nnhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\xllrfrx.exec:\xllrfrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\xlxxfff.exec:\xlxxfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\1bnnnt.exec:\1bnnnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\jjvpd.exec:\jjvpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\thhhbn.exec:\thhhbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\bhthht.exec:\bhthht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\dvppj.exec:\dvppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\fxxrfxx.exec:\fxxrfxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\3jpdp.exec:\3jpdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\vdvpp.exec:\vdvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\xfllfll.exec:\xfllfll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\bhthnn.exec:\bhthnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\ddppd.exec:\ddppd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\lffffrx.exec:\lffffrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\1fxfxfl.exec:\1fxfxfl.exe17⤵
- Executes dropped EXE
PID:2364 -
\??\c:\hhnbbn.exec:\hhnbbn.exe18⤵
- Executes dropped EXE
PID:1280 -
\??\c:\vpjvj.exec:\vpjvj.exe19⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xfxxxrx.exec:\xfxxxrx.exe20⤵
- Executes dropped EXE
PID:1944 -
\??\c:\nbnnhn.exec:\nbnnhn.exe21⤵
- Executes dropped EXE
PID:2952 -
\??\c:\dpjpj.exec:\dpjpj.exe22⤵
- Executes dropped EXE
PID:2492 -
\??\c:\jjddj.exec:\jjddj.exe23⤵
- Executes dropped EXE
PID:2196 -
\??\c:\9lllflf.exec:\9lllflf.exe24⤵
- Executes dropped EXE
PID:1860 -
\??\c:\bhbhbt.exec:\bhbhbt.exe25⤵
- Executes dropped EXE
PID:1800 -
\??\c:\tntbht.exec:\tntbht.exe26⤵
- Executes dropped EXE
PID:3012 -
\??\c:\1ppdv.exec:\1ppdv.exe27⤵
- Executes dropped EXE
PID:1536 -
\??\c:\ttttbh.exec:\ttttbh.exe28⤵
- Executes dropped EXE
PID:568 -
\??\c:\nthnbt.exec:\nthnbt.exe29⤵
- Executes dropped EXE
PID:3004 -
\??\c:\dvdjj.exec:\dvdjj.exe30⤵
- Executes dropped EXE
PID:2092 -
\??\c:\9ffrxfl.exec:\9ffrxfl.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\nttnth.exec:\nttnth.exe32⤵
- Executes dropped EXE
PID:988 -
\??\c:\7pppj.exec:\7pppj.exe33⤵
- Executes dropped EXE
PID:1760 -
\??\c:\5pvdd.exec:\5pvdd.exe34⤵
- Executes dropped EXE
PID:1668 -
\??\c:\xrlfxlr.exec:\xrlfxlr.exe35⤵
- Executes dropped EXE
PID:2028 -
\??\c:\9thnnt.exec:\9thnnt.exe36⤵
- Executes dropped EXE
PID:1528 -
\??\c:\bnhtbn.exec:\bnhtbn.exe37⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vvppd.exec:\vvppd.exe38⤵
- Executes dropped EXE
PID:2720 -
\??\c:\xxxrrlx.exec:\xxxrrlx.exe39⤵
- Executes dropped EXE
PID:2716 -
\??\c:\xrlxffr.exec:\xrlxffr.exe40⤵
- Executes dropped EXE
PID:2908 -
\??\c:\5tbntt.exec:\5tbntt.exe41⤵
- Executes dropped EXE
PID:1636 -
\??\c:\tbhbnh.exec:\tbhbnh.exe42⤵
- Executes dropped EXE
PID:2080 -
\??\c:\jdpdj.exec:\jdpdj.exe43⤵
- Executes dropped EXE
PID:2740 -
\??\c:\flfxlxl.exec:\flfxlxl.exe44⤵
- Executes dropped EXE
PID:2840 -
\??\c:\rlrffxf.exec:\rlrffxf.exe45⤵
- Executes dropped EXE
PID:2056 -
\??\c:\btnnbb.exec:\btnnbb.exe46⤵
- Executes dropped EXE
PID:2788 -
\??\c:\7hhtbn.exec:\7hhtbn.exe47⤵
- Executes dropped EXE
PID:1240 -
\??\c:\vpvjj.exec:\vpvjj.exe48⤵
- Executes dropped EXE
PID:2644 -
\??\c:\dvjpd.exec:\dvjpd.exe49⤵
- Executes dropped EXE
PID:2772 -
\??\c:\xrflrfl.exec:\xrflrfl.exe50⤵
- Executes dropped EXE
PID:2712 -
\??\c:\nttbbh.exec:\nttbbh.exe51⤵
- Executes dropped EXE
PID:2648 -
\??\c:\3bnnbn.exec:\3bnnbn.exe52⤵
- Executes dropped EXE
PID:1736 -
\??\c:\jpddj.exec:\jpddj.exe53⤵
- Executes dropped EXE
PID:2696 -
\??\c:\lfxxflr.exec:\lfxxflr.exe54⤵
- Executes dropped EXE
PID:1752 -
\??\c:\thbbhn.exec:\thbbhn.exe55⤵
- Executes dropped EXE
PID:1360 -
\??\c:\bbbbhn.exec:\bbbbhn.exe56⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vpdpj.exec:\vpdpj.exe57⤵
- Executes dropped EXE
PID:1972 -
\??\c:\jvdvd.exec:\jvdvd.exe58⤵
- Executes dropped EXE
PID:1728 -
\??\c:\rlrrfff.exec:\rlrrfff.exe59⤵
- Executes dropped EXE
PID:1424 -
\??\c:\lxlrflr.exec:\lxlrflr.exe60⤵
- Executes dropped EXE
PID:2232 -
\??\c:\ttnbnt.exec:\ttnbnt.exe61⤵
- Executes dropped EXE
PID:540 -
\??\c:\9nhnhh.exec:\9nhnhh.exe62⤵
- Executes dropped EXE
PID:1368 -
\??\c:\ppppd.exec:\ppppd.exe63⤵
- Executes dropped EXE
PID:2944 -
\??\c:\jpvpp.exec:\jpvpp.exe64⤵
- Executes dropped EXE
PID:2512 -
\??\c:\7xxlxfr.exec:\7xxlxfr.exe65⤵
- Executes dropped EXE
PID:2008 -
\??\c:\nnhnhn.exec:\nnhnhn.exe66⤵PID:1452
-
\??\c:\nnhnnn.exec:\nnhnnn.exe67⤵PID:1404
-
\??\c:\jpjpj.exec:\jpjpj.exe68⤵PID:396
-
\??\c:\jvvjv.exec:\jvvjv.exe69⤵PID:3012
-
\??\c:\ffxfflx.exec:\ffxfflx.exe70⤵PID:1572
-
\??\c:\rfxfrlx.exec:\rfxfrlx.exe71⤵PID:2144
-
\??\c:\nbhbbh.exec:\nbhbbh.exe72⤵PID:2484
-
\??\c:\hbttnh.exec:\hbttnh.exe73⤵PID:1076
-
\??\c:\7jdpd.exec:\7jdpd.exe74⤵PID:684
-
\??\c:\1rffflx.exec:\1rffflx.exe75⤵PID:648
-
\??\c:\9vvdp.exec:\9vvdp.exe76⤵PID:2544
-
\??\c:\pdjvv.exec:\pdjvv.exe77⤵PID:884
-
\??\c:\7xrxflf.exec:\7xrxflf.exe78⤵PID:1776
-
\??\c:\bbbhbh.exec:\bbbhbh.exe79⤵PID:1668
-
\??\c:\3jjjd.exec:\3jjjd.exe80⤵PID:2576
-
\??\c:\3jddp.exec:\3jddp.exe81⤵PID:2420
-
\??\c:\rrlfrlx.exec:\rrlfrlx.exe82⤵PID:2496
-
\??\c:\3nnbnb.exec:\3nnbnb.exe83⤵PID:2328
-
\??\c:\ppddj.exec:\ppddj.exe84⤵PID:3044
-
\??\c:\vpjpj.exec:\vpjpj.exe85⤵PID:3028
-
\??\c:\xrflrrf.exec:\xrflrrf.exe86⤵PID:1708
-
\??\c:\bbbhth.exec:\bbbhth.exe87⤵PID:2304
-
\??\c:\jdjpv.exec:\jdjpv.exe88⤵PID:2848
-
\??\c:\pjdvp.exec:\pjdvp.exe89⤵PID:2784
-
\??\c:\rllxrxr.exec:\rllxrxr.exe90⤵PID:1524
-
\??\c:\bbthth.exec:\bbthth.exe91⤵PID:2672
-
\??\c:\bbbhtt.exec:\bbbhtt.exe92⤵PID:2660
-
\??\c:\vvjvj.exec:\vvjvj.exe93⤵PID:2500
-
\??\c:\ffrllxf.exec:\ffrllxf.exe94⤵PID:1124
-
\??\c:\bnbtbh.exec:\bnbtbh.exe95⤵PID:2636
-
\??\c:\ppjvj.exec:\ppjvj.exe96⤵PID:1628
-
\??\c:\xxxfffl.exec:\xxxfffl.exe97⤵PID:2360
-
\??\c:\btnthn.exec:\btnthn.exe98⤵PID:1732
-
\??\c:\pjvdp.exec:\pjvdp.exe99⤵PID:1140
-
\??\c:\bbnbtn.exec:\bbnbtn.exe100⤵PID:2684
-
\??\c:\hbttbh.exec:\hbttbh.exe101⤵PID:2160
-
\??\c:\vjpjv.exec:\vjpjv.exe102⤵PID:2460
-
\??\c:\7fxxlrx.exec:\7fxxlrx.exe103⤵PID:1688
-
\??\c:\nnbbht.exec:\nnbbht.exe104⤵PID:1840
-
\??\c:\7hhhth.exec:\7hhhth.exe105⤵PID:1224
-
\??\c:\jjjjd.exec:\jjjjd.exe106⤵PID:336
-
\??\c:\rllrlll.exec:\rllrlll.exe107⤵PID:2204
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe108⤵PID:2624
-
\??\c:\1tbhbh.exec:\1tbhbh.exe109⤵PID:2456
-
\??\c:\1dvjd.exec:\1dvjd.exe110⤵PID:1556
-
\??\c:\jdpvj.exec:\jdpvj.exe111⤵PID:820
-
\??\c:\rllrflf.exec:\rllrflf.exe112⤵PID:2616
-
\??\c:\btntbb.exec:\btntbb.exe113⤵PID:2296
-
\??\c:\hthhhn.exec:\hthhhn.exe114⤵PID:476
-
\??\c:\jppvd.exec:\jppvd.exe115⤵PID:1724
-
\??\c:\xrxxxrx.exec:\xrxxxrx.exe116⤵PID:1472
-
\??\c:\5rrrlfx.exec:\5rrrlfx.exe117⤵PID:572
-
\??\c:\3tnnnn.exec:\3tnnnn.exe118⤵PID:1872
-
\??\c:\dvppd.exec:\dvppd.exe119⤵PID:1044
-
\??\c:\pjpvd.exec:\pjpvd.exe120⤵PID:3004
-
\??\c:\fxlxxlx.exec:\fxlxxlx.exe121⤵PID:684
-
\??\c:\frrrxfl.exec:\frrrxfl.exe122⤵PID:2604