Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 01:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a0513790c80db293a82e9e71bcedc31618da52d7434ae9142fec4fc3a6048ec5.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a0513790c80db293a82e9e71bcedc31618da52d7434ae9142fec4fc3a6048ec5.exe
-
Size
453KB
-
MD5
1767a84134b8741183ff99cb91227d91
-
SHA1
ace019c2b92f5183dcc683aa302c2530018428df
-
SHA256
a0513790c80db293a82e9e71bcedc31618da52d7434ae9142fec4fc3a6048ec5
-
SHA512
397d2decccd1046f78848d8e5fcdce92ac2342ffca6e1a398edf86817484a83371d576467b88eb64af8c5acd93714b0915db90206edb3beeee9af220d8bc7053
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2076-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-69-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2608-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-107-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1132-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/576-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-181-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2376-200-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2376-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-205-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/1708-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-242-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1692-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-427-0x0000000000280000-0x00000000002AA000-memory.dmp family_blackmoon behavioral1/memory/1144-433-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1340-441-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1448-454-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2116-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-489-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2156-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1888-593-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2432-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-671-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1140-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-719-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2944-756-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1672-814-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2788-945-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2348-1254-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2576 pjppv.exe 2684 5lrflll.exe 2164 bbhnnn.exe 2924 9xxrxrr.exe 2884 3httbt.exe 2316 dvvvv.exe 2608 nhtntb.exe 2636 xxffrrf.exe 2736 flrrxfl.exe 2596 pjjjj.exe 2768 rlxxxxf.exe 2204 nntthb.exe 2588 ddpjj.exe 1132 bbbbtt.exe 1340 9dppp.exe 668 pdjjp.exe 576 bbhhhh.exe 1076 rrfrfll.exe 2980 tthbhn.exe 2992 tnnnbh.exe 2376 xxlxffr.exe 2232 rlxxflr.exe 1708 xxxrrrx.exe 1240 ppddd.exe 1524 fxxrrxf.exe 3032 3dppd.exe 1692 xllfllr.exe 2120 dvddd.exe 1928 vvpjj.exe 3012 ttbbhh.exe 3064 pvjdd.exe 896 nnnhhh.exe 1888 pvddd.exe 2372 3lxfffx.exe 2312 xrrlffx.exe 1596 nthhtt.exe 2492 nthhtb.exe 2796 ddjpd.exe 2856 3rxlxfl.exe 2864 tbhhnn.exe 2292 tttnbh.exe 2732 7dvvv.exe 2904 xxffxfl.exe 2780 tbnntb.exe 2872 bnnhnh.exe 2604 jvjjp.exe 2612 llxflrx.exe 2644 hhnntt.exe 2240 5tnntt.exe 1680 ddpvd.exe 1140 llrlrrx.exe 380 llflxlx.exe 1144 nhnntn.exe 1340 vvjjp.exe 1736 xxfxxxf.exe 1448 xrrrrfx.exe 576 ntbbhn.exe 1108 pdpvj.exe 2940 5vddj.exe 2992 1lfxxxx.exe 2116 9nthhn.exe 2444 tntnnh.exe 2052 1jvvj.exe 292 rllrrxx.exe -
resource yara_rule behavioral1/memory/2076-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-107-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2588-126-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1132-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-181-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2232-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-212-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1524-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/560-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-851-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-994-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1768-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-1181-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2076 wrote to memory of 2576 2076 a0513790c80db293a82e9e71bcedc31618da52d7434ae9142fec4fc3a6048ec5.exe 30 PID 2076 wrote to memory of 2576 2076 a0513790c80db293a82e9e71bcedc31618da52d7434ae9142fec4fc3a6048ec5.exe 30 PID 2076 wrote to memory of 2576 2076 a0513790c80db293a82e9e71bcedc31618da52d7434ae9142fec4fc3a6048ec5.exe 30 PID 2076 wrote to memory of 2576 2076 a0513790c80db293a82e9e71bcedc31618da52d7434ae9142fec4fc3a6048ec5.exe 30 PID 2576 wrote to memory of 2684 2576 pjppv.exe 31 PID 2576 wrote to memory of 2684 2576 pjppv.exe 31 PID 2576 wrote to memory of 2684 2576 pjppv.exe 31 PID 2576 wrote to memory of 2684 2576 pjppv.exe 31 PID 2684 wrote to memory of 2164 2684 5lrflll.exe 32 PID 2684 wrote to memory of 2164 2684 5lrflll.exe 32 PID 2684 wrote to memory of 2164 2684 5lrflll.exe 32 PID 2684 wrote to memory of 2164 2684 5lrflll.exe 32 PID 2164 wrote to memory of 2924 2164 bbhnnn.exe 33 PID 2164 wrote to memory of 2924 2164 bbhnnn.exe 33 PID 2164 wrote to memory of 2924 2164 bbhnnn.exe 33 PID 2164 wrote to memory of 2924 2164 bbhnnn.exe 33 PID 2924 wrote to memory of 2884 2924 9xxrxrr.exe 34 PID 2924 wrote to memory of 2884 2924 9xxrxrr.exe 34 PID 2924 wrote to memory of 2884 2924 9xxrxrr.exe 34 PID 2924 wrote to memory of 2884 2924 9xxrxrr.exe 34 PID 2884 wrote to memory of 2316 2884 3httbt.exe 35 PID 2884 wrote to memory of 2316 2884 3httbt.exe 35 PID 2884 wrote to memory of 2316 2884 3httbt.exe 35 PID 2884 wrote to memory of 2316 2884 3httbt.exe 35 PID 2316 wrote to memory of 2608 2316 dvvvv.exe 36 PID 2316 wrote to memory of 2608 2316 dvvvv.exe 36 PID 2316 wrote to memory of 2608 2316 dvvvv.exe 36 PID 2316 wrote to memory of 2608 2316 dvvvv.exe 36 PID 2608 wrote to memory of 2636 2608 nhtntb.exe 37 PID 2608 wrote to memory of 2636 2608 nhtntb.exe 37 PID 2608 wrote to memory of 2636 2608 nhtntb.exe 37 PID 2608 wrote to memory of 2636 2608 nhtntb.exe 37 PID 2636 wrote to memory of 2736 2636 xxffrrf.exe 38 PID 2636 
wrote to memory of 2736 2636 xxffrrf.exe 38 PID 2636 wrote to memory of 2736 2636 xxffrrf.exe 38 PID 2636 wrote to memory of 2736 2636 xxffrrf.exe 38 PID 2736 wrote to memory of 2596 2736 flrrxfl.exe 39 PID 2736 wrote to memory of 2596 2736 flrrxfl.exe 39 PID 2736 wrote to memory of 2596 2736 flrrxfl.exe 39 PID 2736 wrote to memory of 2596 2736 flrrxfl.exe 39 PID 2596 wrote to memory of 2768 2596 pjjjj.exe 40 PID 2596 wrote to memory of 2768 2596 pjjjj.exe 40 PID 2596 wrote to memory of 2768 2596 pjjjj.exe 40 PID 2596 wrote to memory of 2768 2596 pjjjj.exe 40 PID 2768 wrote to memory of 2204 2768 rlxxxxf.exe 41 PID 2768 wrote to memory of 2204 2768 rlxxxxf.exe 41 PID 2768 wrote to memory of 2204 2768 rlxxxxf.exe 41 PID 2768 wrote to memory of 2204 2768 rlxxxxf.exe 41 PID 2204 wrote to memory of 2588 2204 nntthb.exe 42 PID 2204 wrote to memory of 2588 2204 nntthb.exe 42 PID 2204 wrote to memory of 2588 2204 nntthb.exe 42 PID 2204 wrote to memory of 2588 2204 nntthb.exe 42 PID 2588 wrote to memory of 1132 2588 ddpjj.exe 43 PID 2588 wrote to memory of 1132 2588 ddpjj.exe 43 PID 2588 wrote to memory of 1132 2588 ddpjj.exe 43 PID 2588 wrote to memory of 1132 2588 ddpjj.exe 43 PID 1132 wrote to memory of 1340 1132 bbbbtt.exe 44 PID 1132 wrote to memory of 1340 1132 bbbbtt.exe 44 PID 1132 wrote to memory of 1340 1132 bbbbtt.exe 44 PID 1132 wrote to memory of 1340 1132 bbbbtt.exe 44 PID 1340 wrote to memory of 668 1340 9dppp.exe 45 PID 1340 wrote to memory of 668 1340 9dppp.exe 45 PID 1340 wrote to memory of 668 1340 9dppp.exe 45 PID 1340 wrote to memory of 668 1340 9dppp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0513790c80db293a82e9e71bcedc31618da52d7434ae9142fec4fc3a6048ec5.exe"C:\Users\Admin\AppData\Local\Temp\a0513790c80db293a82e9e71bcedc31618da52d7434ae9142fec4fc3a6048ec5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\pjppv.exec:\pjppv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\5lrflll.exec:\5lrflll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\bbhnnn.exec:\bbhnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\9xxrxrr.exec:\9xxrxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\3httbt.exec:\3httbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\dvvvv.exec:\dvvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\nhtntb.exec:\nhtntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\xxffrrf.exec:\xxffrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\flrrxfl.exec:\flrrxfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\pjjjj.exec:\pjjjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\rlxxxxf.exec:\rlxxxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\nntthb.exec:\nntthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\ddpjj.exec:\ddpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\bbbbtt.exec:\bbbbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\9dppp.exec:\9dppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\pdjjp.exec:\pdjjp.exe17⤵
- Executes dropped EXE
PID:668 -
\??\c:\bbhhhh.exec:\bbhhhh.exe18⤵
- Executes dropped EXE
PID:576 -
\??\c:\rrfrfll.exec:\rrfrfll.exe19⤵
- Executes dropped EXE
PID:1076 -
\??\c:\tthbhn.exec:\tthbhn.exe20⤵
- Executes dropped EXE
PID:2980 -
\??\c:\tnnnbh.exec:\tnnnbh.exe21⤵
- Executes dropped EXE
PID:2992 -
\??\c:\xxlxffr.exec:\xxlxffr.exe22⤵
- Executes dropped EXE
PID:2376 -
\??\c:\rlxxflr.exec:\rlxxflr.exe23⤵
- Executes dropped EXE
PID:2232 -
\??\c:\xxxrrrx.exec:\xxxrrrx.exe24⤵
- Executes dropped EXE
PID:1708 -
\??\c:\ppddd.exec:\ppddd.exe25⤵
- Executes dropped EXE
PID:1240 -
\??\c:\fxxrrxf.exec:\fxxrrxf.exe26⤵
- Executes dropped EXE
PID:1524 -
\??\c:\3dppd.exec:\3dppd.exe27⤵
- Executes dropped EXE
PID:3032 -
\??\c:\xllfllr.exec:\xllfllr.exe28⤵
- Executes dropped EXE
PID:1692 -
\??\c:\dvddd.exec:\dvddd.exe29⤵
- Executes dropped EXE
PID:2120 -
\??\c:\vvpjj.exec:\vvpjj.exe30⤵
- Executes dropped EXE
PID:1928 -
\??\c:\ttbbhh.exec:\ttbbhh.exe31⤵
- Executes dropped EXE
PID:3012 -
\??\c:\pvjdd.exec:\pvjdd.exe32⤵
- Executes dropped EXE
PID:3064 -
\??\c:\nnnhhh.exec:\nnnhhh.exe33⤵
- Executes dropped EXE
PID:896 -
\??\c:\pvddd.exec:\pvddd.exe34⤵
- Executes dropped EXE
PID:1888 -
\??\c:\3lxfffx.exec:\3lxfffx.exe35⤵
- Executes dropped EXE
PID:2372 -
\??\c:\xrrlffx.exec:\xrrlffx.exe36⤵
- Executes dropped EXE
PID:2312 -
\??\c:\nthhtt.exec:\nthhtt.exe37⤵
- Executes dropped EXE
PID:1596 -
\??\c:\nthhtb.exec:\nthhtb.exe38⤵
- Executes dropped EXE
PID:2492 -
\??\c:\ddjpd.exec:\ddjpd.exe39⤵
- Executes dropped EXE
PID:2796 -
\??\c:\3rxlxfl.exec:\3rxlxfl.exe40⤵
- Executes dropped EXE
PID:2856 -
\??\c:\tbhhnn.exec:\tbhhnn.exe41⤵
- Executes dropped EXE
PID:2864 -
\??\c:\tttnbh.exec:\tttnbh.exe42⤵
- Executes dropped EXE
PID:2292 -
\??\c:\7dvvv.exec:\7dvvv.exe43⤵
- Executes dropped EXE
PID:2732 -
\??\c:\xxffxfl.exec:\xxffxfl.exe44⤵
- Executes dropped EXE
PID:2904 -
\??\c:\tbnntb.exec:\tbnntb.exe45⤵
- Executes dropped EXE
PID:2780 -
\??\c:\bnnhnh.exec:\bnnhnh.exe46⤵
- Executes dropped EXE
PID:2872 -
\??\c:\jvjjp.exec:\jvjjp.exe47⤵
- Executes dropped EXE
PID:2604 -
\??\c:\llxflrx.exec:\llxflrx.exe48⤵
- Executes dropped EXE
PID:2612 -
\??\c:\hhnntt.exec:\hhnntt.exe49⤵
- Executes dropped EXE
PID:2644 -
\??\c:\5tnntt.exec:\5tnntt.exe50⤵
- Executes dropped EXE
PID:2240 -
\??\c:\ddpvd.exec:\ddpvd.exe51⤵
- Executes dropped EXE
PID:1680 -
\??\c:\llrlrrx.exec:\llrlrrx.exe52⤵
- Executes dropped EXE
PID:1140 -
\??\c:\llflxlx.exec:\llflxlx.exe53⤵
- Executes dropped EXE
PID:380 -
\??\c:\nhnntn.exec:\nhnntn.exe54⤵
- Executes dropped EXE
PID:1144 -
\??\c:\vvjjp.exec:\vvjjp.exe55⤵
- Executes dropped EXE
PID:1340 -
\??\c:\xxfxxxf.exec:\xxfxxxf.exe56⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xrrrrfx.exec:\xrrrrfx.exe57⤵
- Executes dropped EXE
PID:1448 -
\??\c:\ntbbhn.exec:\ntbbhn.exe58⤵
- Executes dropped EXE
PID:576 -
\??\c:\pdpvj.exec:\pdpvj.exe59⤵
- Executes dropped EXE
PID:1108 -
\??\c:\5vddj.exec:\5vddj.exe60⤵
- Executes dropped EXE
PID:2940 -
\??\c:\1lfxxxx.exec:\1lfxxxx.exe61⤵
- Executes dropped EXE
PID:2992 -
\??\c:\9nthhn.exec:\9nthhn.exe62⤵
- Executes dropped EXE
PID:2116 -
\??\c:\tntnnh.exec:\tntnnh.exe63⤵
- Executes dropped EXE
PID:2444 -
\??\c:\1jvvj.exec:\1jvvj.exe64⤵
- Executes dropped EXE
PID:2052 -
\??\c:\rllrrxx.exec:\rllrrxx.exe65⤵
- Executes dropped EXE
PID:292 -
\??\c:\xxrllll.exec:\xxrllll.exe66⤵PID:2976
-
\??\c:\5nnnnt.exec:\5nnnnt.exe67⤵PID:1824
-
\??\c:\djvvv.exec:\djvvv.exe68⤵PID:1672
-
\??\c:\dvjjj.exec:\dvjjj.exe69⤵PID:760
-
\??\c:\llxxffl.exec:\llxxffl.exe70⤵PID:1008
-
\??\c:\hhnhnt.exec:\hhnhnt.exe71⤵PID:936
-
\??\c:\tttttt.exec:\tttttt.exe72⤵PID:2016
-
\??\c:\jpppv.exec:\jpppv.exe73⤵PID:1752
-
\??\c:\lllfxrr.exec:\lllfxrr.exe74⤵PID:2532
-
\??\c:\1frllrl.exec:\1frllrl.exe75⤵PID:2156
-
\??\c:\nhnbbt.exec:\nhnbbt.exe76⤵PID:1644
-
\??\c:\vvpjp.exec:\vvpjp.exe77⤵PID:2008
-
\??\c:\vvvdd.exec:\vvvdd.exe78⤵PID:2504
-
\??\c:\rxlllll.exec:\rxlllll.exe79⤵PID:1888
-
\??\c:\1lrlrll.exec:\1lrlrll.exe80⤵PID:2272
-
\??\c:\ttbtnn.exec:\ttbtnn.exe81⤵PID:2312
-
\??\c:\djpvd.exec:\djpvd.exe82⤵PID:2148
-
\??\c:\1jvpj.exec:\1jvpj.exe83⤵PID:2432
-
\??\c:\9frxxff.exec:\9frxxff.exe84⤵PID:2880
-
\??\c:\hbnnnh.exec:\hbnnnh.exe85⤵PID:2140
-
\??\c:\nntbnn.exec:\nntbnn.exe86⤵PID:2864
-
\??\c:\lflfffl.exec:\lflfffl.exe87⤵PID:2916
-
\??\c:\llxrxxr.exec:\llxrxxr.exe88⤵PID:2892
-
\??\c:\7hnbbn.exec:\7hnbbn.exe89⤵PID:2928
-
\??\c:\tttbhh.exec:\tttbhh.exe90⤵PID:2780
-
\??\c:\pvdpp.exec:\pvdpp.exe91⤵PID:2656
-
\??\c:\xxrflrx.exec:\xxrflrx.exe92⤵PID:2604
-
\??\c:\rlrllff.exec:\rlrllff.exe93⤵PID:2596
-
\??\c:\1nbbhh.exec:\1nbbhh.exe94⤵PID:2360
-
\??\c:\vdjpv.exec:\vdjpv.exe95⤵PID:2240
-
\??\c:\jjjpv.exec:\jjjpv.exe96⤵PID:812
-
\??\c:\rrrrlrx.exec:\rrrrlrx.exe97⤵PID:1140
-
\??\c:\nthhnh.exec:\nthhnh.exe98⤵PID:2828
-
\??\c:\vjpjp.exec:\vjpjp.exe99⤵PID:836
-
\??\c:\lflllxl.exec:\lflllxl.exe100⤵PID:2104
-
\??\c:\hnhhth.exec:\hnhhth.exe101⤵PID:1120
-
\??\c:\7dvdp.exec:\7dvdp.exe102⤵PID:1868
-
\??\c:\9dvpp.exec:\9dvpp.exe103⤵PID:576
-
\??\c:\flrfflf.exec:\flrfflf.exe104⤵PID:2944
-
\??\c:\thbbhh.exec:\thbbhh.exe105⤵PID:2940
-
\??\c:\hnttbh.exec:\hnttbh.exe106⤵PID:2992
-
\??\c:\jpjjj.exec:\jpjjj.exe107⤵PID:560
-
\??\c:\3rxxxrf.exec:\3rxxxrf.exe108⤵PID:2232
-
\??\c:\9llfflx.exec:\9llfflx.exe109⤵PID:544
-
\??\c:\7tbbnn.exec:\7tbbnn.exe110⤵PID:1040
-
\??\c:\5nbhhn.exec:\5nbhhn.exe111⤵PID:2824
-
\??\c:\3pdvv.exec:\3pdvv.exe112⤵PID:3056
-
\??\c:\llrxrxx.exec:\llrxrxx.exe113⤵PID:1672
-
\??\c:\fffxxxx.exec:\fffxxxx.exe114⤵PID:760
-
\??\c:\bbhhhb.exec:\bbhhhb.exe115⤵PID:1692
-
\??\c:\djjjp.exec:\djjjp.exe116⤵PID:1924
-
\??\c:\ddjpv.exec:\ddjpv.exe117⤵PID:2016
-
\??\c:\lfxrfll.exec:\lfxrfll.exe118⤵PID:736
-
\??\c:\nhhbhh.exec:\nhhbhh.exe119⤵PID:2532
-
\??\c:\bbhbnn.exec:\bbhbnn.exe120⤵PID:2156
-
\??\c:\3dpvj.exec:\3dpvj.exe121⤵PID:1644
-
\??\c:\ffllrll.exec:\ffllrll.exe122⤵PID:2008