Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19-12-2024 05:47
Behavioral task
behavioral1
Sample
7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Note: this task entry describes the Windows 7 run (behavioral1). The header above (windows10-2004_x64, win10v2004-20241007-en) and every yara/IoC reference on this page are from behavioral2; the behavioral1 results are not shown here, so do not read the signatures below as Windows 7 findings.
General
-
Target
7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe
-
Size
345KB
-
MD5
f71b220df3dcfffd0380112f44a33edc
-
SHA1
5b094cc982f2f0bbef20e532b5a68180172f22be
-
SHA256
7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b
-
SHA512
9822a720d58ff28f5ea41e83d950ed9d5e720a9332657af388e86f0600b3293c0586ac018d3e00f73d7256ea5b448e44551abde35a24bcb230d07129a04da104
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAm:R4wFHoS3WXZshJX2VGdm
Malware Config (no extracted configuration is shown for this sample; the family attribution below rests on memory yara matches only)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs — every match is the same 0x0000000000400000–0x0000000000427000 image region in a different process, which is consistent with each dropped executable being a copy of one image (the same region also matches the `upx` rule further down). This is a memory-signature match, not a configuration or C2 extraction.
resource yara_rule behavioral2/memory/1276-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2528-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2240-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1000-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2844-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2444-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3572-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4388-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4908-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1864-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2584-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2900-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3408-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3440-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/756-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1892-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-471-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1244-504-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-506-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-542-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3804-681-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-914-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/912-1289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — 64 appears to be the report's per-signature display cap (the WriteProcessMemory and System Language Discovery tables stop at exactly 64 as well); the process tree below lists dropped executables to nesting depth 122, so the true count is higher. All dropped files are written to the root of C:\ with names built from the letters b d f h j l n p r t v x and an optional leading odd digit.
pid Process 2240 fxlxflr.exe 2528 vjddj.exe 1144 xxxrrrf.exe 1336 lxfrlfr.exe 2360 lrffxxr.exe 2164 htbtnn.exe 4520 dpjdv.exe 1576 vpjjd.exe 1000 ddjdj.exe 3656 rrlfflf.exe 2844 hntnhh.exe 4880 7bthbt.exe 5052 hbbbtt.exe 2080 pdjvp.exe 2444 rrlllrl.exe 8 ppvvd.exe 400 rlrrrrl.exe 764 xrrxxxr.exe 4804 3btbth.exe 3520 jvdvv.exe 1724 5ffxffx.exe 4592 9hhnnn.exe 2392 ttnnhh.exe 4124 vpppd.exe 3852 xllfxll.exe 3620 hbttnn.exe 872 7lrlrlr.exe 4276 thhhhn.exe 2196 vvpdd.exe 2920 jvddj.exe 3572 9fxrlrl.exe 1900 vvppp.exe 4388 1ttnhh.exe 4612 ppddj.exe 748 xxfrrlf.exe 4216 ffxrfxl.exe 2160 bbbbhh.exe 1440 dvpjj.exe 4908 7xllflf.exe 4060 nnttnt.exe 2656 tthhhh.exe 1636 jpvvv.exe 3164 lflrrrr.exe 3464 5bnntb.exe 1392 ppddj.exe 2308 7xxxlfr.exe 1352 bhbntb.exe 2052 fxflrxf.exe 4584 rxxxxxr.exe 3448 hbbbbt.exe 1420 xxxxflf.exe 1864 hntttb.exe 2848 vddjj.exe 2584 rrxxxxx.exe 1232 9bbbtt.exe 452 jdddd.exe 3804 1dppp.exe 4456 rrrrrrl.exe 968 bbbbbb.exe 1276 1pvjd.exe 552 llllrxx.exe 3184 nbtntt.exe 376 jjppd.exe 3400 fxrlfxl.exe -
UPX-packed (yara rule tag `upx`) — matches both the dropped files under behavioral2/files/ and the 0x400000–0x427000 image region of each spawned process; only the first 64 matches are listed.
resource yara_rule behavioral2/memory/1276-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bc7-3.dat upx behavioral2/memory/1276-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023caf-8.dat upx behavioral2/memory/2528-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-14.dat upx behavioral2/memory/2240-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1144-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-19.dat upx behavioral2/files/0x0007000000023cc0-23.dat upx behavioral2/memory/1336-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2360-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-30.dat upx behavioral2/files/0x0007000000023cc2-34.dat upx behavioral2/memory/4520-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2164-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-39.dat upx behavioral2/memory/4520-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-44.dat upx behavioral2/memory/1000-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-50.dat upx behavioral2/memory/1576-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-54.dat upx behavioral2/memory/2844-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-60.dat upx behavioral2/files/0x0007000000023cc9-63.dat upx behavioral2/memory/4880-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-68.dat upx behavioral2/files/0x0007000000023ccb-72.dat upx behavioral2/memory/2444-74-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2444-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/8-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-83.dat upx behavioral2/files/0x0007000000023cce-88.dat upx behavioral2/files/0x0009000000023cba-92.dat upx behavioral2/memory/4804-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccf-97.dat upx behavioral2/files/0x0007000000023cd0-102.dat upx behavioral2/files/0x0007000000023cd1-105.dat upx behavioral2/memory/4592-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2392-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd4-120.dat upx behavioral2/files/0x0007000000023cd3-116.dat upx behavioral2/files/0x0007000000023cd2-111.dat upx behavioral2/memory/400-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-78.dat upx behavioral2/files/0x0007000000023cd5-122.dat upx behavioral2/files/0x0007000000023cd6-128.dat upx behavioral2/memory/3620-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd7-132.dat upx behavioral2/memory/4276-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd8-139.dat upx behavioral2/memory/872-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd9-143.dat upx behavioral2/files/0x0007000000023cda-146.dat upx behavioral2/memory/3572-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdb-151.dat upx behavioral2/memory/1900-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4388-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/748-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4216-166-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4908-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2656-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1636-181-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs (MITRE ATT&CK T1614.001; 64 is the display cap)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The evidence here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables. Most rows show "Process not Found", which most likely means the sandbox could not attribute the key open to a live process — consistent with the short-lived spawn-and-exit chain in the process tree, where PIDs are recycled quickly — so the named processes (tnnbtt.exe, dvpdd.exe, frfxllf.exe, …) are only the subset that was still resolvable.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each parent/child pair is logged three times with the same target, and every write goes from a process to the child it has just spawned (the order matches the process tree exactly), which is consistent with writes made during process creation rather than injection into an unrelated process. The trailing number (83–104) appears to be the report's internal target-process index, not a Windows PID. 64 is the display cap; the chain continues past the last row shown.
description pid Process procid_target PID 1276 wrote to memory of 2240 1276 7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe 83 PID 1276 wrote to memory of 2240 1276 7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe 83 PID 1276 wrote to memory of 2240 1276 7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe 83 PID 2240 wrote to memory of 2528 2240 fxlxflr.exe 84 PID 2240 wrote to memory of 2528 2240 fxlxflr.exe 84 PID 2240 wrote to memory of 2528 2240 fxlxflr.exe 84 PID 2528 wrote to memory of 1144 2528 vjddj.exe 85 PID 2528 wrote to memory of 1144 2528 vjddj.exe 85 PID 2528 wrote to memory of 1144 2528 vjddj.exe 85 PID 1144 wrote to memory of 1336 1144 xxxrrrf.exe 86 PID 1144 wrote to memory of 1336 1144 xxxrrrf.exe 86 PID 1144 wrote to memory of 1336 1144 xxxrrrf.exe 86 PID 1336 wrote to memory of 2360 1336 lxfrlfr.exe 87 PID 1336 wrote to memory of 2360 1336 lxfrlfr.exe 87 PID 1336 wrote to memory of 2360 1336 lxfrlfr.exe 87 PID 2360 wrote to memory of 2164 2360 lrffxxr.exe 88 PID 2360 wrote to memory of 2164 2360 lrffxxr.exe 88 PID 2360 wrote to memory of 2164 2360 lrffxxr.exe 88 PID 2164 wrote to memory of 4520 2164 htbtnn.exe 89 PID 2164 wrote to memory of 4520 2164 htbtnn.exe 89 PID 2164 wrote to memory of 4520 2164 htbtnn.exe 89 PID 4520 wrote to memory of 1576 4520 dpjdv.exe 90 PID 4520 wrote to memory of 1576 4520 dpjdv.exe 90 PID 4520 wrote to memory of 1576 4520 dpjdv.exe 90 PID 1576 wrote to memory of 1000 1576 vpjjd.exe 91 PID 1576 wrote to memory of 1000 1576 vpjjd.exe 91 PID 1576 wrote to memory of 1000 1576 vpjjd.exe 91 PID 1000 wrote to memory of 3656 1000 ddjdj.exe 92 PID 1000 wrote to memory of 3656 1000 ddjdj.exe 92 PID 1000 wrote to memory of 3656 1000 ddjdj.exe 92 PID 3656 wrote to memory of 2844 3656 rrlfflf.exe 93 PID 3656 wrote to memory of 2844 3656 rrlfflf.exe 93 PID 3656 wrote to memory of 2844 3656 rrlfflf.exe 93 PID 2844 wrote to memory of 4880 2844 hntnhh.exe 94 PID 2844 wrote 
to memory of 4880 2844 hntnhh.exe 94 PID 2844 wrote to memory of 4880 2844 hntnhh.exe 94 PID 4880 wrote to memory of 5052 4880 7bthbt.exe 95 PID 4880 wrote to memory of 5052 4880 7bthbt.exe 95 PID 4880 wrote to memory of 5052 4880 7bthbt.exe 95 PID 5052 wrote to memory of 2080 5052 hbbbtt.exe 96 PID 5052 wrote to memory of 2080 5052 hbbbtt.exe 96 PID 5052 wrote to memory of 2080 5052 hbbbtt.exe 96 PID 2080 wrote to memory of 2444 2080 pdjvp.exe 97 PID 2080 wrote to memory of 2444 2080 pdjvp.exe 97 PID 2080 wrote to memory of 2444 2080 pdjvp.exe 97 PID 2444 wrote to memory of 8 2444 rrlllrl.exe 98 PID 2444 wrote to memory of 8 2444 rrlllrl.exe 98 PID 2444 wrote to memory of 8 2444 rrlllrl.exe 98 PID 8 wrote to memory of 400 8 ppvvd.exe 99 PID 8 wrote to memory of 400 8 ppvvd.exe 99 PID 8 wrote to memory of 400 8 ppvvd.exe 99 PID 400 wrote to memory of 764 400 rlrrrrl.exe 100 PID 400 wrote to memory of 764 400 rlrrrrl.exe 100 PID 400 wrote to memory of 764 400 rlrrrrl.exe 100 PID 764 wrote to memory of 4804 764 xrrxxxr.exe 101 PID 764 wrote to memory of 4804 764 xrrxxxr.exe 101 PID 764 wrote to memory of 4804 764 xrrxxxr.exe 101 PID 4804 wrote to memory of 3520 4804 3btbth.exe 102 PID 4804 wrote to memory of 3520 4804 3btbth.exe 102 PID 4804 wrote to memory of 3520 4804 3btbth.exe 102 PID 3520 wrote to memory of 1724 3520 jvdvv.exe 103 PID 3520 wrote to memory of 1724 3520 jvdvv.exe 103 PID 3520 wrote to memory of 1724 3520 jvdvv.exe 103 PID 1724 wrote to memory of 4592 1724 5ffxffx.exe 104
Processes
Each entry below is rendered as <image path><command line><nesting depth>⤵ followed by its PID; e.g. "\??\c:\fxlxflr.exec:\fxlxflr.exe2⤵" is image \??\c:\fxlxflr.exe, command line c:\fxlxflr.exe, depth 2. The submitted sample spawns one dropped EXE, which spawns the next, and so on to depth 122 within the 150 s window. PIDs are reused during the run (1276 is both the submitted sample at depth 1 and 1pvjd.exe at depth 61; 764, 1724, 3852 and 4612 also recur), which implies earlier processes had already exited — do not treat PIDs as stable identifiers when correlating with the signature tables above. Entries from depth 66 onward carry no signature bullets only because the 64-IoC display cap was reached, not because their behaviour differs.
-
C:\Users\Admin\AppData\Local\Temp\7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe"C:\Users\Admin\AppData\Local\Temp\7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\fxlxflr.exec:\fxlxflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\vjddj.exec:\vjddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\xxxrrrf.exec:\xxxrrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\lxfrlfr.exec:\lxfrlfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\lrffxxr.exec:\lrffxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\htbtnn.exec:\htbtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\dpjdv.exec:\dpjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\vpjjd.exec:\vpjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\ddjdj.exec:\ddjdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\rrlfflf.exec:\rrlfflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\hntnhh.exec:\hntnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\7bthbt.exec:\7bthbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\hbbbtt.exec:\hbbbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\pdjvp.exec:\pdjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\rrlllrl.exec:\rrlllrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\ppvvd.exec:\ppvvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\rlrrrrl.exec:\rlrrrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\xrrxxxr.exec:\xrrxxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\3btbth.exec:\3btbth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\jvdvv.exec:\jvdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\5ffxffx.exec:\5ffxffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\9hhnnn.exec:\9hhnnn.exe23⤵
- Executes dropped EXE
PID:4592 -
\??\c:\ttnnhh.exec:\ttnnhh.exe24⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vpppd.exec:\vpppd.exe25⤵
- Executes dropped EXE
PID:4124 -
\??\c:\xllfxll.exec:\xllfxll.exe26⤵
- Executes dropped EXE
PID:3852 -
\??\c:\hbttnn.exec:\hbttnn.exe27⤵
- Executes dropped EXE
PID:3620 -
\??\c:\7lrlrlr.exec:\7lrlrlr.exe28⤵
- Executes dropped EXE
PID:872 -
\??\c:\thhhhn.exec:\thhhhn.exe29⤵
- Executes dropped EXE
PID:4276 -
\??\c:\vvpdd.exec:\vvpdd.exe30⤵
- Executes dropped EXE
PID:2196 -
\??\c:\jvddj.exec:\jvddj.exe31⤵
- Executes dropped EXE
PID:2920 -
\??\c:\9fxrlrl.exec:\9fxrlrl.exe32⤵
- Executes dropped EXE
PID:3572 -
\??\c:\vvppp.exec:\vvppp.exe33⤵
- Executes dropped EXE
PID:1900 -
\??\c:\1ttnhh.exec:\1ttnhh.exe34⤵
- Executes dropped EXE
PID:4388 -
\??\c:\ppddj.exec:\ppddj.exe35⤵
- Executes dropped EXE
PID:4612 -
\??\c:\xxfrrlf.exec:\xxfrrlf.exe36⤵
- Executes dropped EXE
PID:748 -
\??\c:\ffxrfxl.exec:\ffxrfxl.exe37⤵
- Executes dropped EXE
PID:4216 -
\??\c:\bbbbhh.exec:\bbbbhh.exe38⤵
- Executes dropped EXE
PID:2160 -
\??\c:\dvpjj.exec:\dvpjj.exe39⤵
- Executes dropped EXE
PID:1440 -
\??\c:\7xllflf.exec:\7xllflf.exe40⤵
- Executes dropped EXE
PID:4908 -
\??\c:\nnttnt.exec:\nnttnt.exe41⤵
- Executes dropped EXE
PID:4060 -
\??\c:\tthhhh.exec:\tthhhh.exe42⤵
- Executes dropped EXE
PID:2656 -
\??\c:\jpvvv.exec:\jpvvv.exe43⤵
- Executes dropped EXE
PID:1636 -
\??\c:\lflrrrr.exec:\lflrrrr.exe44⤵
- Executes dropped EXE
PID:3164 -
\??\c:\5bnntb.exec:\5bnntb.exe45⤵
- Executes dropped EXE
PID:3464 -
\??\c:\ppddj.exec:\ppddj.exe46⤵
- Executes dropped EXE
PID:1392 -
\??\c:\7xxxlfr.exec:\7xxxlfr.exe47⤵
- Executes dropped EXE
PID:2308 -
\??\c:\bhbntb.exec:\bhbntb.exe48⤵
- Executes dropped EXE
PID:1352 -
\??\c:\fxflrxf.exec:\fxflrxf.exe49⤵
- Executes dropped EXE
PID:2052 -
\??\c:\rxxxxxr.exec:\rxxxxxr.exe50⤵
- Executes dropped EXE
PID:4584 -
\??\c:\hbbbbt.exec:\hbbbbt.exe51⤵
- Executes dropped EXE
PID:3448 -
\??\c:\xxxxflf.exec:\xxxxflf.exe52⤵
- Executes dropped EXE
PID:1420 -
\??\c:\hntttb.exec:\hntttb.exe53⤵
- Executes dropped EXE
PID:1864 -
\??\c:\vddjj.exec:\vddjj.exe54⤵
- Executes dropped EXE
PID:2848 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe55⤵
- Executes dropped EXE
PID:2584 -
\??\c:\9bbbtt.exec:\9bbbtt.exe56⤵
- Executes dropped EXE
PID:1232 -
\??\c:\jdddd.exec:\jdddd.exe57⤵
- Executes dropped EXE
PID:452 -
\??\c:\1dppp.exec:\1dppp.exe58⤵
- Executes dropped EXE
PID:3804 -
\??\c:\rrrrrrl.exec:\rrrrrrl.exe59⤵
- Executes dropped EXE
PID:4456 -
\??\c:\bbbbbb.exec:\bbbbbb.exe60⤵
- Executes dropped EXE
PID:968 -
\??\c:\1pvjd.exec:\1pvjd.exe61⤵
- Executes dropped EXE
PID:1276 -
\??\c:\llllrxx.exec:\llllrxx.exe62⤵
- Executes dropped EXE
PID:552 -
\??\c:\nbtntt.exec:\nbtntt.exe63⤵
- Executes dropped EXE
PID:3184 -
\??\c:\jjppd.exec:\jjppd.exe64⤵
- Executes dropped EXE
PID:376 -
\??\c:\fxrlfxl.exec:\fxrlfxl.exe65⤵
- Executes dropped EXE
PID:3400 -
\??\c:\xrllxxx.exec:\xrllxxx.exe66⤵PID:4888
-
\??\c:\nhhhhn.exec:\nhhhhn.exe67⤵PID:2900
-
\??\c:\vjvpj.exec:\vjvpj.exe68⤵PID:4032
-
\??\c:\3flfrlf.exec:\3flfrlf.exe69⤵PID:1168
-
\??\c:\hhbbbt.exec:\hhbbbt.exe70⤵PID:3548
-
\??\c:\5nbbbh.exec:\5nbbbh.exe71⤵PID:1432
-
\??\c:\djpvd.exec:\djpvd.exe72⤵PID:832
-
\??\c:\vdjpp.exec:\vdjpp.exe73⤵PID:1848
-
\??\c:\xrxrlll.exec:\xrxrlll.exe74⤵PID:2304
-
\??\c:\hntnnb.exec:\hntnnb.exe75⤵PID:3964
-
\??\c:\vjjjj.exec:\vjjjj.exe76⤵PID:1592
-
\??\c:\5jjjv.exec:\5jjjv.exe77⤵PID:4140
-
\??\c:\frlrfff.exec:\frlrfff.exe78⤵PID:4128
-
\??\c:\bhtthn.exec:\bhtthn.exe79⤵PID:3360
-
\??\c:\hhnhhn.exec:\hhnhhn.exe80⤵PID:5056
-
\??\c:\djjjd.exec:\djjjd.exe81⤵PID:3356
-
\??\c:\rffxlfx.exec:\rffxlfx.exe82⤵PID:3040
-
\??\c:\9rfffll.exec:\9rfffll.exe83⤵PID:3888
-
\??\c:\hhbttn.exec:\hhbttn.exe84⤵PID:4148
-
\??\c:\jdjjj.exec:\jdjjj.exe85⤵PID:3152
-
\??\c:\ffxfxll.exec:\ffxfxll.exe86⤵PID:3584
-
\??\c:\xfflllx.exec:\xfflllx.exe87⤵PID:4844
-
\??\c:\nthbnb.exec:\nthbnb.exe88⤵PID:764
-
\??\c:\vdjjj.exec:\vdjjj.exe89⤵PID:3368
-
\??\c:\lffxrlf.exec:\lffxrlf.exe90⤵PID:4756
-
\??\c:\bnnnnn.exec:\bnnnnn.exe91⤵PID:1724
-
\??\c:\hntbtt.exec:\hntbtt.exe92⤵PID:2828
-
\??\c:\dpddj.exec:\dpddj.exe93⤵PID:1464
-
\??\c:\llrrxxl.exec:\llrrxxl.exe94⤵PID:4892
-
\??\c:\fffxrrl.exec:\fffxrrl.exe95⤵PID:1644
-
\??\c:\bbnnbb.exec:\bbnnbb.exe96⤵PID:3408
-
\??\c:\hhbbbn.exec:\hhbbbn.exe97⤵PID:1820
-
\??\c:\vpjjd.exec:\vpjjd.exe98⤵PID:1708
-
\??\c:\fxrrlfx.exec:\fxrrlfx.exe99⤵PID:2260
-
\??\c:\9nbttt.exec:\9nbttt.exe100⤵PID:2632
-
\??\c:\tbbhbb.exec:\tbbhbb.exe101⤵PID:3440
-
\??\c:\djvdv.exec:\djvdv.exe102⤵PID:4604
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe103⤵PID:3800
-
\??\c:\5tnhtt.exec:\5tnhtt.exe104⤵PID:1152
-
\??\c:\tttttt.exec:\tttttt.exe105⤵PID:3260
-
\??\c:\pdvpj.exec:\pdvpj.exe106⤵PID:4664
-
\??\c:\ffrlrll.exec:\ffrlrll.exe107⤵PID:4644
-
\??\c:\lllllll.exec:\lllllll.exe108⤵PID:1720
-
\??\c:\7tbtnh.exec:\7tbtnh.exe109⤵PID:3280
-
\??\c:\dvpjd.exec:\dvpjd.exe110⤵PID:4612
-
\??\c:\9xrfxxx.exec:\9xrfxxx.exe111⤵PID:2688
-
\??\c:\hhnnbb.exec:\hhnnbb.exe112⤵PID:1880
-
\??\c:\hnnhbb.exec:\hnnhbb.exe113⤵PID:2452
-
\??\c:\pvddv.exec:\pvddv.exe114⤵PID:4424
-
\??\c:\pjjjd.exec:\pjjjd.exe115⤵PID:996
-
\??\c:\fxrlffx.exec:\fxrlffx.exe116⤵PID:4556
-
\??\c:\ttbbtt.exec:\ttbbtt.exe117⤵PID:2968
-
\??\c:\htnnhh.exec:\htnnhh.exe118⤵PID:3952
-
\??\c:\jdjdd.exec:\jdjdd.exe119⤵PID:4596
-
\??\c:\frxxrrl.exec:\frxxrrl.exe120⤵PID:656
-
\??\c:\7hhnhh.exec:\7hhnhh.exe121⤵PID:4648
-
\??\c:\tbnbnn.exec:\tbnbnn.exe122⤵PID:3004