Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
20-12-2024 01:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe
-
Size
454KB
-
MD5
d6c7ca8f661870d68cfb895a1e895ad0
-
SHA1
909823040f9dc0eb0aa77877590b9d5ba37f59b8
-
SHA256
1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0
-
SHA512
3369effbbce41d1ce773a98614094fda057d74bb2e9e061c1d2af51b4cc353f3ebdf3b5d0727f361c9588e0325cb844309f5e6f08f30ac48b2db8a7c584b35a8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs (YARA matches on dumped memory regions; note that PIDs are reused during this run — e.g. 2776 and 2500 each appear more than once in the process tree below — so attribute a hit by the full dump name pid-sequence-range rather than by PID alone)
resource yara_rule behavioral1/memory/2348-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-25-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2468-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/688-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-81-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2612-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2196-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-263-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/1668-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-489-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2108-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-578-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2996-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-706-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1940-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-776-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1364-796-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon 
behavioral1/memory/2776-886-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1320-1048-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2436-1075-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list is capped at 64 entries and covers only the first part of the chain; the dropped files are written to the root of C: under short random-looking names, so the file names are not stable indicators — hunt on the hashes, the YARA family match and the drop location instead)
pid Process 1980 hhnbbn.exe 2468 dddjv.exe 2368 9ththh.exe 688 rlxxlfl.exe 796 bnnthn.exe 572 7frrxxf.exe 2776 1btnnh.exe 2736 7pvdd.exe 2852 lfrxfff.exe 2612 9jdpp.exe 2816 fxllrlx.exe 2632 3htnnn.exe 2120 bbbnbh.exe 1508 djpjp.exe 840 hbnhbb.exe 2904 tnbhnn.exe 1312 dvjpp.exe 2380 llrfffl.exe 1924 3djjp.exe 2988 dvjjv.exe 2416 thnnbb.exe 2208 rxlffxx.exe 1520 tthntt.exe 448 jddjj.exe 2196 7rflrrx.exe 900 tnhnbb.exe 1760 xrxfllr.exe 1668 thtbbh.exe 2336 djvpp.exe 1480 1lxlrxl.exe 2488 1jdvj.exe 3068 rrlxllx.exe 2500 bnhnhn.exe 1700 jvdpd.exe 2464 llfrflf.exe 2244 tnhnhn.exe 2176 jdpdd.exe 2684 flfrxxr.exe 2680 nnnbtn.exe 2776 pjdvj.exe 3004 dvvdj.exe 2608 fffrrxx.exe 1900 btbtbb.exe 684 jvppp.exe 2592 pdjpp.exe 2816 1lfrlrx.exe 2632 thtbbb.exe 2896 jdvjd.exe 2636 vvvdd.exe 2884 xrfxlrx.exe 1720 thtbhh.exe 1692 jdjjj.exe 496 dpjjp.exe 1148 1ffflrr.exe 1388 1bbnnn.exe 2948 3thhhh.exe 2972 jdvvd.exe 2200 7rlllfl.exe 2252 hbnbhn.exe 2184 pvpvv.exe 1468 vpvdj.exe 1244 9lxrllx.exe 448 htbtbt.exe 2108 1vdjj.exe -
resource yara_rule behavioral1/memory/2348-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-272-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1480-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-578-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/300-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-810-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2288-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-997-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-1123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-1197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-1240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-1297-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (ATT&CK T1614.001). The only evidence here is opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that ordinary runtime and locale APIs also read, so on its own this is a low-fidelity indicator. Entries attributed to "Process not Found" appear to be reads whose originating process had already exited before the sandbox resolved it, which is consistent with the short-lived process chain below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent→child pair is listed four times and every target is the next dropped EXE in the chain, which is consistent with writes made while creating the child process rather than injection into an unrelated process; the list is capped at 64 entries, so it stops at 840→2904 while the chain continues)
description pid Process procid_target PID 2348 wrote to memory of 1980 2348 1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe 30 PID 2348 wrote to memory of 1980 2348 1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe 30 PID 2348 wrote to memory of 1980 2348 1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe 30 PID 2348 wrote to memory of 1980 2348 1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe 30 PID 1980 wrote to memory of 2468 1980 hhnbbn.exe 31 PID 1980 wrote to memory of 2468 1980 hhnbbn.exe 31 PID 1980 wrote to memory of 2468 1980 hhnbbn.exe 31 PID 1980 wrote to memory of 2468 1980 hhnbbn.exe 31 PID 2468 wrote to memory of 2368 2468 dddjv.exe 32 PID 2468 wrote to memory of 2368 2468 dddjv.exe 32 PID 2468 wrote to memory of 2368 2468 dddjv.exe 32 PID 2468 wrote to memory of 2368 2468 dddjv.exe 32 PID 2368 wrote to memory of 688 2368 9ththh.exe 33 PID 2368 wrote to memory of 688 2368 9ththh.exe 33 PID 2368 wrote to memory of 688 2368 9ththh.exe 33 PID 2368 wrote to memory of 688 2368 9ththh.exe 33 PID 688 wrote to memory of 796 688 rlxxlfl.exe 34 PID 688 wrote to memory of 796 688 rlxxlfl.exe 34 PID 688 wrote to memory of 796 688 rlxxlfl.exe 34 PID 688 wrote to memory of 796 688 rlxxlfl.exe 34 PID 796 wrote to memory of 572 796 bnnthn.exe 35 PID 796 wrote to memory of 572 796 bnnthn.exe 35 PID 796 wrote to memory of 572 796 bnnthn.exe 35 PID 796 wrote to memory of 572 796 bnnthn.exe 35 PID 572 wrote to memory of 2776 572 7frrxxf.exe 36 PID 572 wrote to memory of 2776 572 7frrxxf.exe 36 PID 572 wrote to memory of 2776 572 7frrxxf.exe 36 PID 572 wrote to memory of 2776 572 7frrxxf.exe 36 PID 2776 wrote to memory of 2736 2776 1btnnh.exe 37 PID 2776 wrote to memory of 2736 2776 1btnnh.exe 37 PID 2776 wrote to memory of 2736 2776 1btnnh.exe 37 PID 2776 wrote to memory of 2736 2776 1btnnh.exe 37 PID 2736 wrote to memory of 2852 2736 7pvdd.exe 38 PID 2736 wrote to memory of 2852 2736 
7pvdd.exe 38 PID 2736 wrote to memory of 2852 2736 7pvdd.exe 38 PID 2736 wrote to memory of 2852 2736 7pvdd.exe 38 PID 2852 wrote to memory of 2612 2852 lfrxfff.exe 39 PID 2852 wrote to memory of 2612 2852 lfrxfff.exe 39 PID 2852 wrote to memory of 2612 2852 lfrxfff.exe 39 PID 2852 wrote to memory of 2612 2852 lfrxfff.exe 39 PID 2612 wrote to memory of 2816 2612 9jdpp.exe 40 PID 2612 wrote to memory of 2816 2612 9jdpp.exe 40 PID 2612 wrote to memory of 2816 2612 9jdpp.exe 40 PID 2612 wrote to memory of 2816 2612 9jdpp.exe 40 PID 2816 wrote to memory of 2632 2816 fxllrlx.exe 41 PID 2816 wrote to memory of 2632 2816 fxllrlx.exe 41 PID 2816 wrote to memory of 2632 2816 fxllrlx.exe 41 PID 2816 wrote to memory of 2632 2816 fxllrlx.exe 41 PID 2632 wrote to memory of 2120 2632 3htnnn.exe 42 PID 2632 wrote to memory of 2120 2632 3htnnn.exe 42 PID 2632 wrote to memory of 2120 2632 3htnnn.exe 42 PID 2632 wrote to memory of 2120 2632 3htnnn.exe 42 PID 2120 wrote to memory of 1508 2120 bbbnbh.exe 43 PID 2120 wrote to memory of 1508 2120 bbbnbh.exe 43 PID 2120 wrote to memory of 1508 2120 bbbnbh.exe 43 PID 2120 wrote to memory of 1508 2120 bbbnbh.exe 43 PID 1508 wrote to memory of 840 1508 djpjp.exe 44 PID 1508 wrote to memory of 840 1508 djpjp.exe 44 PID 1508 wrote to memory of 840 1508 djpjp.exe 44 PID 1508 wrote to memory of 840 1508 djpjp.exe 44 PID 840 wrote to memory of 2904 840 hbnhbb.exe 45 PID 840 wrote to memory of 2904 840 hbnhbb.exe 45 PID 840 wrote to memory of 2904 840 hbnhbb.exe 45 PID 840 wrote to memory of 2904 840 hbnhbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe"C:\Users\Admin\AppData\Local\Temp\1d9344e544023089a6578cee380cd979d549757ec6b7f6fd0dda37a2fd3346f0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\hhnbbn.exec:\hhnbbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\dddjv.exec:\dddjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\9ththh.exec:\9ththh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\rlxxlfl.exec:\rlxxlfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\bnnthn.exec:\bnnthn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\7frrxxf.exec:\7frrxxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\1btnnh.exec:\1btnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\7pvdd.exec:\7pvdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\lfrxfff.exec:\lfrxfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\9jdpp.exec:\9jdpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\fxllrlx.exec:\fxllrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\3htnnn.exec:\3htnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\bbbnbh.exec:\bbbnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\djpjp.exec:\djpjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\hbnhbb.exec:\hbnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\tnbhnn.exec:\tnbhnn.exe17⤵
- Executes dropped EXE
PID:2904 -
\??\c:\dvjpp.exec:\dvjpp.exe18⤵
- Executes dropped EXE
PID:1312 -
\??\c:\llrfffl.exec:\llrfffl.exe19⤵
- Executes dropped EXE
PID:2380 -
\??\c:\3djjp.exec:\3djjp.exe20⤵
- Executes dropped EXE
PID:1924 -
\??\c:\dvjjv.exec:\dvjjv.exe21⤵
- Executes dropped EXE
PID:2988 -
\??\c:\thnnbb.exec:\thnnbb.exe22⤵
- Executes dropped EXE
PID:2416 -
\??\c:\rxlffxx.exec:\rxlffxx.exe23⤵
- Executes dropped EXE
PID:2208 -
\??\c:\tthntt.exec:\tthntt.exe24⤵
- Executes dropped EXE
PID:1520 -
\??\c:\jddjj.exec:\jddjj.exe25⤵
- Executes dropped EXE
PID:448 -
\??\c:\7rflrrx.exec:\7rflrrx.exe26⤵
- Executes dropped EXE
PID:2196 -
\??\c:\tnhnbb.exec:\tnhnbb.exe27⤵
- Executes dropped EXE
PID:900 -
\??\c:\xrxfllr.exec:\xrxfllr.exe28⤵
- Executes dropped EXE
PID:1760 -
\??\c:\thtbbh.exec:\thtbbh.exe29⤵
- Executes dropped EXE
PID:1668 -
\??\c:\djvpp.exec:\djvpp.exe30⤵
- Executes dropped EXE
PID:2336 -
\??\c:\1lxlrxl.exec:\1lxlrxl.exe31⤵
- Executes dropped EXE
PID:1480 -
\??\c:\1jdvj.exec:\1jdvj.exe32⤵
- Executes dropped EXE
PID:2488 -
\??\c:\rrlxllx.exec:\rrlxllx.exe33⤵
- Executes dropped EXE
PID:3068 -
\??\c:\bnhnhn.exec:\bnhnhn.exe34⤵
- Executes dropped EXE
PID:2500 -
\??\c:\jvdpd.exec:\jvdpd.exe35⤵
- Executes dropped EXE
PID:1700 -
\??\c:\llfrflf.exec:\llfrflf.exe36⤵
- Executes dropped EXE
PID:2464 -
\??\c:\tnhnhn.exec:\tnhnhn.exe37⤵
- Executes dropped EXE
PID:2244 -
\??\c:\jdpdd.exec:\jdpdd.exe38⤵
- Executes dropped EXE
PID:2176 -
\??\c:\flfrxxr.exec:\flfrxxr.exe39⤵
- Executes dropped EXE
PID:2684 -
\??\c:\nnnbtn.exec:\nnnbtn.exe40⤵
- Executes dropped EXE
PID:2680 -
\??\c:\pjdvj.exec:\pjdvj.exe41⤵
- Executes dropped EXE
PID:2776 -
\??\c:\dvvdj.exec:\dvvdj.exe42⤵
- Executes dropped EXE
PID:3004 -
\??\c:\fffrrxx.exec:\fffrrxx.exe43⤵
- Executes dropped EXE
PID:2608 -
\??\c:\btbtbb.exec:\btbtbb.exe44⤵
- Executes dropped EXE
PID:1900 -
\??\c:\jvppp.exec:\jvppp.exe45⤵
- Executes dropped EXE
PID:684 -
\??\c:\pdjpp.exec:\pdjpp.exe46⤵
- Executes dropped EXE
PID:2592 -
\??\c:\1lfrlrx.exec:\1lfrlrx.exe47⤵
- Executes dropped EXE
PID:2816 -
\??\c:\thtbbb.exec:\thtbbb.exe48⤵
- Executes dropped EXE
PID:2632 -
\??\c:\jdvjd.exec:\jdvjd.exe49⤵
- Executes dropped EXE
PID:2896 -
\??\c:\vvvdd.exec:\vvvdd.exe50⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xrfxlrx.exec:\xrfxlrx.exe51⤵
- Executes dropped EXE
PID:2884 -
\??\c:\thtbhh.exec:\thtbhh.exe52⤵
- Executes dropped EXE
PID:1720 -
\??\c:\jdjjj.exec:\jdjjj.exe53⤵
- Executes dropped EXE
PID:1692 -
\??\c:\dpjjp.exec:\dpjjp.exe54⤵
- Executes dropped EXE
PID:496 -
\??\c:\1ffflrr.exec:\1ffflrr.exe55⤵
- Executes dropped EXE
PID:1148 -
\??\c:\1bbnnn.exec:\1bbnnn.exe56⤵
- Executes dropped EXE
PID:1388 -
\??\c:\3thhhh.exec:\3thhhh.exe57⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jdvvd.exec:\jdvvd.exe58⤵
- Executes dropped EXE
PID:2972 -
\??\c:\7rlllfl.exec:\7rlllfl.exe59⤵
- Executes dropped EXE
PID:2200 -
\??\c:\hbnbhn.exec:\hbnbhn.exe60⤵
- Executes dropped EXE
PID:2252 -
\??\c:\pvpvv.exec:\pvpvv.exe61⤵
- Executes dropped EXE
PID:2184 -
\??\c:\vpvdj.exec:\vpvdj.exe62⤵
- Executes dropped EXE
PID:1468 -
\??\c:\9lxrllx.exec:\9lxrllx.exe63⤵
- Executes dropped EXE
PID:1244 -
\??\c:\htbtbt.exec:\htbtbt.exe64⤵
- Executes dropped EXE
PID:448 -
\??\c:\1vdjj.exec:\1vdjj.exe65⤵
- Executes dropped EXE
PID:2108 -
\??\c:\7dpjp.exec:\7dpjp.exe66⤵PID:1320
-
\??\c:\xfxrfrl.exec:\xfxrfrl.exe67⤵PID:900
-
\??\c:\bbnnnt.exec:\bbnnnt.exe68⤵PID:2064
-
\??\c:\jdddd.exec:\jdddd.exe69⤵PID:1636
-
\??\c:\1xlrrrr.exec:\1xlrrrr.exe70⤵PID:2336
-
\??\c:\rrfffxl.exec:\rrfffxl.exe71⤵PID:2428
-
\??\c:\9hbhtt.exec:\9hbhtt.exe72⤵PID:2016
-
\??\c:\5vppd.exec:\5vppd.exe73⤵PID:300
-
\??\c:\7jpjv.exec:\7jpjv.exe74⤵PID:2104
-
\??\c:\frxxffx.exec:\frxxffx.exe75⤵PID:1596
-
\??\c:\3nhbbh.exec:\3nhbbh.exe76⤵PID:2500
-
\??\c:\7hbthb.exec:\7hbthb.exe77⤵PID:2996
-
\??\c:\jdvpv.exec:\jdvpv.exe78⤵PID:2188
-
\??\c:\1xrxxxf.exec:\1xrxxxf.exe79⤵PID:796
-
\??\c:\httttb.exec:\httttb.exe80⤵PID:2388
-
\??\c:\btnbhn.exec:\btnbhn.exe81⤵PID:2720
-
\??\c:\vdvvv.exec:\vdvvv.exe82⤵PID:2784
-
\??\c:\lrfrffr.exec:\lrfrffr.exe83⤵PID:2708
-
\??\c:\nhttbb.exec:\nhttbb.exe84⤵PID:2736
-
\??\c:\vpdpd.exec:\vpdpd.exe85⤵PID:2756
-
\??\c:\5pdvd.exec:\5pdvd.exe86⤵PID:2752
-
\??\c:\lfllrrf.exec:\lfllrrf.exe87⤵PID:2688
-
\??\c:\5tnthh.exec:\5tnthh.exe88⤵PID:1860
-
\??\c:\hbbthn.exec:\hbbthn.exe89⤵PID:2640
-
\??\c:\vpvdp.exec:\vpvdp.exe90⤵PID:2120
-
\??\c:\ffrllrr.exec:\ffrllrr.exe91⤵PID:1528
-
\??\c:\fxlrxfr.exec:\fxlrxfr.exe92⤵PID:2836
-
\??\c:\1nbbbh.exec:\1nbbbh.exe93⤵PID:840
-
\??\c:\7thbnn.exec:\7thbnn.exe94⤵PID:2888
-
\??\c:\jjdjv.exec:\jjdjv.exe95⤵PID:1580
-
\??\c:\lxfffll.exec:\lxfffll.exe96⤵PID:1984
-
\??\c:\9lffxxl.exec:\9lffxxl.exe97⤵PID:2380
-
\??\c:\3tntbn.exec:\3tntbn.exe98⤵PID:2308
-
\??\c:\jvdjp.exec:\jvdjp.exe99⤵PID:2964
-
\??\c:\xxrxlxl.exec:\xxrxlxl.exe100⤵PID:2192
-
\??\c:\3bbbnn.exec:\3bbbnn.exe101⤵PID:1976
-
\??\c:\ttthhn.exec:\ttthhn.exe102⤵PID:332
-
\??\c:\dvdjj.exec:\dvdjj.exe103⤵PID:1196
-
\??\c:\9rrlrrx.exec:\9rrlrrx.exe104⤵PID:1240
-
\??\c:\frxxfff.exec:\frxxfff.exe105⤵PID:1940
-
\??\c:\bbtbnh.exec:\bbtbnh.exe106⤵PID:1288
-
\??\c:\djpdp.exec:\djpdp.exe107⤵PID:1364
-
\??\c:\rrllxxr.exec:\rrllxxr.exe108⤵PID:1768
-
\??\c:\7bnntt.exec:\7bnntt.exe109⤵PID:2656
-
\??\c:\1btthh.exec:\1btthh.exe110⤵PID:560
-
\??\c:\jvddj.exec:\jvddj.exe111⤵PID:1544
-
\??\c:\xrllrxf.exec:\xrllrxf.exe112⤵PID:2312
-
\??\c:\lrffrrx.exec:\lrffrrx.exe113⤵PID:2228
-
\??\c:\1nbhnn.exec:\1nbhnn.exe114⤵PID:292
-
\??\c:\dvjjp.exec:\dvjjp.exe115⤵PID:300
-
\??\c:\rrfrffr.exec:\rrfrffr.exe116⤵PID:2288
-
\??\c:\fxfxrrx.exec:\fxfxrrx.exe117⤵PID:1596
-
\??\c:\htthtt.exec:\htthtt.exe118⤵PID:2500
-
\??\c:\1tttbb.exec:\1tttbb.exe119⤵PID:1660
-
\??\c:\jdvjv.exec:\jdvjv.exe120⤵PID:1904
-
\??\c:\9rffxxf.exec:\9rffxxf.exe121⤵PID:2168
-
\??\c:\nnnbtt.exec:\nnnbtt.exe122⤵PID:2812