Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20/12/2024, 01:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
94ac157fc063f1744c7e36b975f09e18ff7fb8fe25f1ce2cc2388d4cfb137b0eN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
94ac157fc063f1744c7e36b975f09e18ff7fb8fe25f1ce2cc2388d4cfb137b0eN.exe
-
Size
452KB
-
MD5
c733b0cc54d58d491341dff68e6bfa00
-
SHA1
78fb8bd44bb659c6b5f2092945499a42f013f5b7
-
SHA256
94ac157fc063f1744c7e36b975f09e18ff7fb8fe25f1ce2cc2388d4cfb137b0e
-
SHA512
ac0caa1bfea6ac6ef67fe28fba40b344765e167ab0e66b9c3d2d0aeba25b1d2b79ef337cf8ce9100cb35ccfbd8aaa7c7efd45bd0c1b10d2fc978e438cda2d181
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2336-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/712-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2336-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-364-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1756-455-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2384-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-525-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1716-510-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2128-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-619-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2648-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-732-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2020-755-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2128-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-851-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3040-858-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2060-877-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2508 9flrrlr.exe 2288 vpjjp.exe 3056 lxllxlr.exe 2980 vvjjp.exe 2724 ffrrxxf.exe 2684 htbhhn.exe 768 dvdjj.exe 2108 3lxxffr.exe 2556 nhbttn.exe 2536 vjvjp.exe 2652 3lrxxrx.exe 2700 dpvjj.exe 1252 ffrlrfl.exe 2884 7htbhh.exe 1792 ddvvj.exe 848 7rfxfff.exe 2948 hthhnt.exe 2896 vjddd.exe 2968 9hbhtb.exe 2188 9vppv.exe 2064 7fflrrf.exe 2120 hhhthh.exe 288 nbtbnt.exe 1716 dvpvv.exe 1600 llxfxlr.exe 1500 3bnthn.exe 2124 dpvjp.exe 1800 nbbtnh.exe 712 pjvjp.exe 1456 9rrflrx.exe 2984 pjvdp.exe 2336 9rffrlx.exe 2464 nhthnt.exe 2508 3dvjj.exe 3052 dvvjv.exe 2976 fxrfrfr.exe 2276 tntbnt.exe 2712 vvpdp.exe 2660 rlflxxl.exe 820 frlrfrx.exe 2112 1btttb.exe 2828 1bnthh.exe 1972 1vpdv.exe 2532 rrllrxl.exe 2596 hbbtnn.exe 2196 tnnbbn.exe 2004 vppvj.exe 1328 frfllxr.exe 1380 bnbhnn.exe 2940 hthhnt.exe 2436 jjvdd.exe 2592 3rfflxf.exe 1452 3btbhn.exe 1192 7hbhnt.exe 1840 ddpvj.exe 1756 jpvdv.exe 2956 lfxfllr.exe 3048 3hbbhn.exe 1980 tttbnt.exe 2384 pjvvj.exe 2252 llffrxl.exe 3060 lfffxlx.exe 1712 ttttbt.exe 1716 3pdvp.exe -
resource yara_rule behavioral1/memory/2336-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/712-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-311-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2712-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-885-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxllxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
rllxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlxfr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2508 2336 94ac157fc063f1744c7e36b975f09e18ff7fb8fe25f1ce2cc2388d4cfb137b0eN.exe 30 PID 2336 wrote to memory of 2508 2336 94ac157fc063f1744c7e36b975f09e18ff7fb8fe25f1ce2cc2388d4cfb137b0eN.exe 30 PID 2336 wrote to memory of 2508 2336 94ac157fc063f1744c7e36b975f09e18ff7fb8fe25f1ce2cc2388d4cfb137b0eN.exe 30 PID 2336 wrote to memory of 2508 2336 94ac157fc063f1744c7e36b975f09e18ff7fb8fe25f1ce2cc2388d4cfb137b0eN.exe 30 PID 2508 wrote to memory of 2288 2508 9flrrlr.exe 31 PID 2508 wrote to memory of 2288 2508 9flrrlr.exe 31 PID 2508 wrote to memory of 2288 2508 9flrrlr.exe 31 PID 2508 wrote to memory of 2288 2508 9flrrlr.exe 31 PID 2288 wrote to memory of 3056 2288 vpjjp.exe 32 PID 2288 wrote to memory of 3056 2288 vpjjp.exe 32 PID 2288 wrote to memory of 3056 2288 vpjjp.exe 32 PID 2288 wrote to memory of 3056 2288 vpjjp.exe 32 PID 3056 wrote to memory of 2980 3056 lxllxlr.exe 33 PID 3056 wrote to memory of 2980 3056 lxllxlr.exe 33 PID 3056 wrote to memory of 2980 3056 lxllxlr.exe 33 PID 3056 wrote to memory of 2980 3056 lxllxlr.exe 33 PID 2980 wrote to memory of 2724 2980 vvjjp.exe 34 PID 2980 wrote to memory of 2724 2980 vvjjp.exe 34 PID 2980 wrote to memory of 2724 2980 vvjjp.exe 34 PID 2980 wrote to memory of 2724 2980 vvjjp.exe 34 PID 2724 wrote to memory of 2684 2724 ffrrxxf.exe 35 PID 2724 wrote to memory of 2684 2724 ffrrxxf.exe 35 PID 2724 wrote to memory of 2684 2724 ffrrxxf.exe 35 PID 2724 wrote to memory of 2684 2724 ffrrxxf.exe 35 PID 2684 wrote to memory of 768 2684 htbhhn.exe 36 PID 2684 wrote to memory of 768 2684 htbhhn.exe 36 PID 2684 wrote to memory of 768 2684 htbhhn.exe 36 PID 2684 wrote to memory of 768 2684 htbhhn.exe 36 PID 768 wrote to memory of 2108 768 dvdjj.exe 37 PID 768 wrote to memory of 2108 768 dvdjj.exe 37 PID 768 wrote to memory of 2108 768 dvdjj.exe 37 PID 768 wrote to memory of 2108 768 dvdjj.exe 37 PID 2108 wrote to memory of 2556 2108 3lxxffr.exe 38 PID 2108 wrote to 
memory of 2556 2108 3lxxffr.exe 38 PID 2108 wrote to memory of 2556 2108 3lxxffr.exe 38 PID 2108 wrote to memory of 2556 2108 3lxxffr.exe 38 PID 2556 wrote to memory of 2536 2556 nhbttn.exe 39 PID 2556 wrote to memory of 2536 2556 nhbttn.exe 39 PID 2556 wrote to memory of 2536 2556 nhbttn.exe 39 PID 2556 wrote to memory of 2536 2556 nhbttn.exe 39 PID 2536 wrote to memory of 2652 2536 vjvjp.exe 40 PID 2536 wrote to memory of 2652 2536 vjvjp.exe 40 PID 2536 wrote to memory of 2652 2536 vjvjp.exe 40 PID 2536 wrote to memory of 2652 2536 vjvjp.exe 40 PID 2652 wrote to memory of 2700 2652 3lrxxrx.exe 41 PID 2652 wrote to memory of 2700 2652 3lrxxrx.exe 41 PID 2652 wrote to memory of 2700 2652 3lrxxrx.exe 41 PID 2652 wrote to memory of 2700 2652 3lrxxrx.exe 41 PID 2700 wrote to memory of 1252 2700 dpvjj.exe 42 PID 2700 wrote to memory of 1252 2700 dpvjj.exe 42 PID 2700 wrote to memory of 1252 2700 dpvjj.exe 42 PID 2700 wrote to memory of 1252 2700 dpvjj.exe 42 PID 1252 wrote to memory of 2884 1252 ffrlrfl.exe 43 PID 1252 wrote to memory of 2884 1252 ffrlrfl.exe 43 PID 1252 wrote to memory of 2884 1252 ffrlrfl.exe 43 PID 1252 wrote to memory of 2884 1252 ffrlrfl.exe 43 PID 2884 wrote to memory of 1792 2884 7htbhh.exe 44 PID 2884 wrote to memory of 1792 2884 7htbhh.exe 44 PID 2884 wrote to memory of 1792 2884 7htbhh.exe 44 PID 2884 wrote to memory of 1792 2884 7htbhh.exe 44 PID 1792 wrote to memory of 848 1792 ddvvj.exe 45 PID 1792 wrote to memory of 848 1792 ddvvj.exe 45 PID 1792 wrote to memory of 848 1792 ddvvj.exe 45 PID 1792 wrote to memory of 848 1792 ddvvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\94ac157fc063f1744c7e36b975f09e18ff7fb8fe25f1ce2cc2388d4cfb137b0eN.exe"C:\Users\Admin\AppData\Local\Temp\94ac157fc063f1744c7e36b975f09e18ff7fb8fe25f1ce2cc2388d4cfb137b0eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\9flrrlr.exec:\9flrrlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\vpjjp.exec:\vpjjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\lxllxlr.exec:\lxllxlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\vvjjp.exec:\vvjjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\ffrrxxf.exec:\ffrrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\htbhhn.exec:\htbhhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\dvdjj.exec:\dvdjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\3lxxffr.exec:\3lxxffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\nhbttn.exec:\nhbttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\vjvjp.exec:\vjvjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\3lrxxrx.exec:\3lrxxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\dpvjj.exec:\dpvjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\ffrlrfl.exec:\ffrlrfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\7htbhh.exec:\7htbhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\ddvvj.exec:\ddvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\7rfxfff.exec:\7rfxfff.exe17⤵
- Executes dropped EXE
PID:848 -
\??\c:\hthhnt.exec:\hthhnt.exe18⤵
- Executes dropped EXE
PID:2948 -
\??\c:\vjddd.exec:\vjddd.exe19⤵
- Executes dropped EXE
PID:2896 -
\??\c:\9hbhtb.exec:\9hbhtb.exe20⤵
- Executes dropped EXE
PID:2968 -
\??\c:\9vppv.exec:\9vppv.exe21⤵
- Executes dropped EXE
PID:2188 -
\??\c:\7fflrrf.exec:\7fflrrf.exe22⤵
- Executes dropped EXE
PID:2064 -
\??\c:\hhhthh.exec:\hhhthh.exe23⤵
- Executes dropped EXE
PID:2120 -
\??\c:\nbtbnt.exec:\nbtbnt.exe24⤵
- Executes dropped EXE
PID:288 -
\??\c:\dvpvv.exec:\dvpvv.exe25⤵
- Executes dropped EXE
PID:1716 -
\??\c:\llxfxlr.exec:\llxfxlr.exe26⤵
- Executes dropped EXE
PID:1600 -
\??\c:\3bnthn.exec:\3bnthn.exe27⤵
- Executes dropped EXE
PID:1500 -
\??\c:\dpvjp.exec:\dpvjp.exe28⤵
- Executes dropped EXE
PID:2124 -
\??\c:\nbbtnh.exec:\nbbtnh.exe29⤵
- Executes dropped EXE
PID:1800 -
\??\c:\pjvjp.exec:\pjvjp.exe30⤵
- Executes dropped EXE
PID:712 -
\??\c:\9rrflrx.exec:\9rrflrx.exe31⤵
- Executes dropped EXE
PID:1456 -
\??\c:\pjvdp.exec:\pjvdp.exe32⤵
- Executes dropped EXE
PID:2984 -
\??\c:\9rffrlx.exec:\9rffrlx.exe33⤵
- Executes dropped EXE
PID:2336 -
\??\c:\nhthnt.exec:\nhthnt.exe34⤵
- Executes dropped EXE
PID:2464 -
\??\c:\3dvjj.exec:\3dvjj.exe35⤵
- Executes dropped EXE
PID:2508 -
\??\c:\dvvjv.exec:\dvvjv.exe36⤵
- Executes dropped EXE
PID:3052 -
\??\c:\fxrfrfr.exec:\fxrfrfr.exe37⤵
- Executes dropped EXE
PID:2976 -
\??\c:\tntbnt.exec:\tntbnt.exe38⤵
- Executes dropped EXE
PID:2276 -
\??\c:\vvpdp.exec:\vvpdp.exe39⤵
- Executes dropped EXE
PID:2712 -
\??\c:\rlflxxl.exec:\rlflxxl.exe40⤵
- Executes dropped EXE
PID:2660 -
\??\c:\frlrfrx.exec:\frlrfrx.exe41⤵
- Executes dropped EXE
PID:820 -
\??\c:\1btttb.exec:\1btttb.exe42⤵
- Executes dropped EXE
PID:2112 -
\??\c:\1bnthh.exec:\1bnthh.exe43⤵
- Executes dropped EXE
PID:2828 -
\??\c:\1vpdv.exec:\1vpdv.exe44⤵
- Executes dropped EXE
PID:1972 -
\??\c:\rrllrxl.exec:\rrllrxl.exe45⤵
- Executes dropped EXE
PID:2532 -
\??\c:\hbbtnn.exec:\hbbtnn.exe46⤵
- Executes dropped EXE
PID:2596 -
\??\c:\tnnbbn.exec:\tnnbbn.exe47⤵
- Executes dropped EXE
PID:2196 -
\??\c:\vppvj.exec:\vppvj.exe48⤵
- Executes dropped EXE
PID:2004 -
\??\c:\frfllxr.exec:\frfllxr.exe49⤵
- Executes dropped EXE
PID:1328 -
\??\c:\bnbhnn.exec:\bnbhnn.exe50⤵
- Executes dropped EXE
PID:1380 -
\??\c:\hthhnt.exec:\hthhnt.exe51⤵
- Executes dropped EXE
PID:2940 -
\??\c:\jjvdd.exec:\jjvdd.exe52⤵
- Executes dropped EXE
PID:2436 -
\??\c:\3rfflxf.exec:\3rfflxf.exe53⤵
- Executes dropped EXE
PID:2592 -
\??\c:\3btbhn.exec:\3btbhn.exe54⤵
- Executes dropped EXE
PID:1452 -
\??\c:\7hbhnt.exec:\7hbhnt.exe55⤵
- Executes dropped EXE
PID:1192 -
\??\c:\ddpvj.exec:\ddpvj.exe56⤵
- Executes dropped EXE
PID:1840 -
\??\c:\jpvdv.exec:\jpvdv.exe57⤵
- Executes dropped EXE
PID:1756 -
\??\c:\lfxfllr.exec:\lfxfllr.exe58⤵
- Executes dropped EXE
PID:2956 -
\??\c:\3hbbhn.exec:\3hbbhn.exe59⤵
- Executes dropped EXE
PID:3048 -
\??\c:\tttbnt.exec:\tttbnt.exe60⤵
- Executes dropped EXE
PID:1980 -
\??\c:\pjvvj.exec:\pjvvj.exe61⤵
- Executes dropped EXE
PID:2384 -
\??\c:\llffrxl.exec:\llffrxl.exe62⤵
- Executes dropped EXE
PID:2252 -
\??\c:\lfffxlx.exec:\lfffxlx.exe63⤵
- Executes dropped EXE
PID:3060 -
\??\c:\ttttbt.exec:\ttttbt.exe64⤵
- Executes dropped EXE
PID:1712 -
\??\c:\3pdvp.exec:\3pdvp.exe65⤵
- Executes dropped EXE
PID:1716 -
\??\c:\fxlfllf.exec:\fxlfllf.exe66⤵PID:1600
-
\??\c:\xxlrllr.exec:\xxlrllr.exe67⤵PID:2172
-
\??\c:\7tbhhn.exec:\7tbhhn.exe68⤵PID:2212
-
\??\c:\7jdpv.exec:\7jdpv.exe69⤵PID:812
-
\??\c:\rxlrfrl.exec:\rxlrfrl.exe70⤵PID:2128
-
\??\c:\xffrrxr.exec:\xffrrxr.exe71⤵PID:1888
-
\??\c:\hhtntb.exec:\hhtntb.exe72⤵PID:592
-
\??\c:\ddppd.exec:\ddppd.exe73⤵PID:2348
-
\??\c:\rlxxfrf.exec:\rlxxfrf.exe74⤵PID:1768
-
\??\c:\xfflxlr.exec:\xfflxlr.exe75⤵PID:2460
-
\??\c:\tnhnbh.exec:\tnhnbh.exe76⤵PID:1872
-
\??\c:\5jdpd.exec:\5jdpd.exe77⤵PID:1260
-
\??\c:\lfxflrf.exec:\lfxflrf.exe78⤵PID:2060
-
\??\c:\llflflx.exec:\llflflx.exe79⤵PID:2680
-
\??\c:\hbtbnb.exec:\hbtbnb.exe80⤵PID:2816
-
\??\c:\dvdjv.exec:\dvdjv.exe81⤵PID:2812
-
\??\c:\3jjvv.exec:\3jjvv.exe82⤵PID:2140
-
\??\c:\frflllr.exec:\frflllr.exe83⤵PID:2568
-
\??\c:\9bthbh.exec:\9bthbh.exe84⤵PID:2280
-
\??\c:\hbtbhn.exec:\hbtbhn.exe85⤵PID:2648
-
\??\c:\pvvdd.exec:\pvvdd.exe86⤵PID:2580
-
\??\c:\ffrfrrf.exec:\ffrfrrf.exe87⤵PID:1900
-
\??\c:\3ttthh.exec:\3ttthh.exe88⤵PID:1864
-
\??\c:\nnhnhn.exec:\nnhnhn.exe89⤵PID:1028
-
\??\c:\ddddp.exec:\ddddp.exe90⤵PID:2632
-
\??\c:\ffxffrf.exec:\ffxffrf.exe91⤵PID:1228
-
\??\c:\bbhhnt.exec:\bbhhnt.exe92⤵PID:2284
-
\??\c:\tnhnhn.exec:\tnhnhn.exe93⤵PID:2504
-
\??\c:\jjdjp.exec:\jjdjp.exe94⤵PID:1152
-
\??\c:\vvpvj.exec:\vvpvj.exe95⤵PID:2756
-
\??\c:\ffflrff.exec:\ffflrff.exe96⤵PID:2904
-
\??\c:\tnhhbb.exec:\tnhhbb.exe97⤵PID:1652
-
\??\c:\ppddp.exec:\ppddp.exe98⤵PID:1372
-
\??\c:\5jjjp.exec:\5jjjp.exe99⤵PID:2236
-
\??\c:\7lfrxfr.exec:\7lfrxfr.exe100⤵PID:2920
-
\??\c:\tttbtb.exec:\tttbtb.exe101⤵PID:1436
-
\??\c:\5htbht.exec:\5htbht.exe102⤵PID:2020
-
\??\c:\pppvd.exec:\pppvd.exe103⤵PID:1564
-
\??\c:\rrlxlrf.exec:\rrlxlrf.exe104⤵PID:1624
-
\??\c:\xxxlxxf.exec:\xxxlxxf.exe105⤵PID:852
-
\??\c:\bbtbbb.exec:\bbtbbb.exe106⤵PID:1644
-
\??\c:\dppvd.exec:\dppvd.exe107⤵PID:624
-
\??\c:\5xlflrf.exec:\5xlflrf.exe108⤵PID:268
-
\??\c:\lrrfxfx.exec:\lrrfxfx.exe109⤵PID:2300
-
\??\c:\bbtnbn.exec:\bbtnbn.exe110⤵PID:2204
-
\??\c:\nnnbnb.exec:\nnnbnb.exe111⤵PID:812
-
\??\c:\5ppdj.exec:\5ppdj.exe112⤵PID:2128
-
\??\c:\xxxfrfr.exec:\xxxfrfr.exe113⤵PID:1888
-
\??\c:\tnbtbh.exec:\tnbtbh.exe114⤵PID:1556
-
\??\c:\bbtbnt.exec:\bbtbnt.exe115⤵PID:2348
-
\??\c:\pjdjp.exec:\pjdjp.exe116⤵PID:1768
-
\??\c:\5dpvd.exec:\5dpvd.exe117⤵PID:3040
-
\??\c:\7ffrflf.exec:\7ffrflf.exe118⤵PID:1872
-
\??\c:\nhbnbn.exec:\nhbnbn.exe119⤵PID:2156
-
\??\c:\dvvdp.exec:\dvvdp.exe120⤵PID:2060
-
\??\c:\xllxrxr.exec:\xllxrxr.exe121⤵PID:2744
-
\??\c:\xllfrrl.exec:\xllfrrl.exe122⤵PID:2740