Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 02:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b58f334e4a9ed6e76dc7b2c864332a78cc9eeba1af613f894c9a8b09602dd37d.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b58f334e4a9ed6e76dc7b2c864332a78cc9eeba1af613f894c9a8b09602dd37d.exe
-
Size
456KB
-
MD5
22485038899e682d2afcd01d723fd2ee
-
SHA1
1c115cf1b8496b6458a57447625a71152970d784
-
SHA256
b58f334e4a9ed6e76dc7b2c864332a78cc9eeba1af613f894c9a8b09602dd37d
-
SHA512
5975d92721c6917ce31dcbcf1b8f17c9ea95354fbe22f83755087b32f3ba82c2210018f8812b51a21d74d734458f8db6b1607d657f0324fb3b37a36b581d3a0b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2336-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-78-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2088-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-152-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1116-170-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2324-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-209-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2128-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1624-219-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2756-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/376-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-351-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2828-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-369-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2744-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1116-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-624-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2736-628-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1984-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-664-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1284-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1636-696-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2996-709-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2904-715-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1596-760-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2292-829-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2080-836-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2788-1120-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1048-1200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2520 vpjjd.exe 1704 xrflxfl.exe 1816 dvddp.exe 2268 ttnhtb.exe 2796 frrrffx.exe 2940 tnbhnn.exe 2024 llxlfxr.exe 2764 xxffrxl.exe 2768 3jvdd.exe 2088 hbbbnt.exe 2620 vpjvj.exe 1760 lfflxxx.exe 2892 7dvdp.exe 2020 xxrrxfx.exe 684 dvdjd.exe 1148 ppdjv.exe 2372 tnhhbb.exe 1116 vppdp.exe 3028 jdvvj.exe 2384 7pjpj.exe 2324 hbnthh.exe 2128 dvvpp.exe 1624 hhbhbb.exe 2668 7rlrxfr.exe 2756 bnhhtb.exe 2488 vpddj.exe 1520 jvjpp.exe 1852 xrfllff.exe 2228 9hbtbh.exe 376 vvpvj.exe 1200 xrlrrfr.exe 2016 jdpdv.exe 2492 7xxrlxl.exe 2352 1nhnbh.exe 1704 nhbntt.exe 2708 7pjpd.exe 2268 fxrrffl.exe 1800 tthnbb.exe 2840 tttbhb.exe 2660 3dvvj.exe 2828 3rfrxxf.exe 2764 nbnnbb.exe 2632 tnbntb.exe 3032 pjppd.exe 2556 flfrffr.exe 1480 9tbnth.exe 400 bttthn.exe 824 dvjpj.exe 1284 xlrxflr.exe 2868 3xllrrf.exe 2744 tnhtbb.exe 1636 1dvvv.exe 2372 rllrrlx.exe 2996 rfrxrxr.exe 1116 1nbbnn.exe 2200 dvppj.exe 2176 vjvvj.exe 2108 xrllrrx.exe 3068 ffrxffl.exe 2952 7hntbh.exe 2044 jjpjv.exe 1872 ffrfrrx.exe 1708 fxrxflx.exe 1648 tthtnt.exe -
resource yara_rule behavioral1/memory/2336-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-334-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2828-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/400-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-717-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1592-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-829-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2824-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-869-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-967-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-986-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-993-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-1151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-1200-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/900-1225-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2520 2336 b58f334e4a9ed6e76dc7b2c864332a78cc9eeba1af613f894c9a8b09602dd37d.exe 31 PID 2336 wrote to memory of 2520 2336 b58f334e4a9ed6e76dc7b2c864332a78cc9eeba1af613f894c9a8b09602dd37d.exe 31 PID 2336 wrote to memory of 2520 2336 b58f334e4a9ed6e76dc7b2c864332a78cc9eeba1af613f894c9a8b09602dd37d.exe 31 PID 2336 wrote to memory of 2520 2336 b58f334e4a9ed6e76dc7b2c864332a78cc9eeba1af613f894c9a8b09602dd37d.exe 31 PID 2520 wrote to memory of 1704 2520 vpjjd.exe 32 PID 2520 wrote to memory of 1704 2520 vpjjd.exe 32 PID 2520 wrote to memory of 1704 2520 vpjjd.exe 32 PID 2520 wrote to memory of 1704 2520 vpjjd.exe 32 PID 1704 wrote to memory of 1816 1704 xrflxfl.exe 33 PID 1704 wrote to memory of 1816 1704 xrflxfl.exe 33 PID 1704 wrote to memory of 1816 1704 xrflxfl.exe 33 PID 1704 wrote to memory of 1816 1704 xrflxfl.exe 33 PID 1816 wrote to memory of 2268 1816 dvddp.exe 34 PID 1816 wrote to memory of 2268 1816 dvddp.exe 34 PID 1816 wrote to memory of 2268 1816 dvddp.exe 34 PID 1816 wrote to memory of 2268 1816 dvddp.exe 34 PID 2268 wrote to memory of 2796 2268 ttnhtb.exe 35 PID 2268 wrote to memory of 2796 2268 ttnhtb.exe 35 PID 2268 wrote to memory of 2796 2268 ttnhtb.exe 35 PID 2268 wrote to memory of 2796 2268 ttnhtb.exe 35 PID 2796 wrote to memory of 2940 2796 frrrffx.exe 36 PID 2796 wrote to memory of 2940 2796 frrrffx.exe 36 PID 2796 wrote to memory of 2940 2796 frrrffx.exe 36 PID 2796 wrote to memory of 2940 2796 frrrffx.exe 36 PID 2940 wrote to memory of 2024 2940 tnbhnn.exe 37 PID 2940 wrote to memory of 2024 2940 tnbhnn.exe 37 PID 2940 wrote to memory of 2024 2940 tnbhnn.exe 37 PID 2940 wrote to memory of 2024 2940 tnbhnn.exe 37 PID 2024 wrote to memory of 2764 2024 llxlfxr.exe 38 PID 2024 wrote to memory of 2764 2024 llxlfxr.exe 38 PID 2024 wrote to memory of 2764 2024 llxlfxr.exe 38 PID 2024 wrote to memory of 2764 2024 llxlfxr.exe 38 PID 2764 wrote to memory of 2768 2764 xxffrxl.exe 39 PID 2764 
wrote to memory of 2768 2764 xxffrxl.exe 39 PID 2764 wrote to memory of 2768 2764 xxffrxl.exe 39 PID 2764 wrote to memory of 2768 2764 xxffrxl.exe 39 PID 2768 wrote to memory of 2088 2768 3jvdd.exe 40 PID 2768 wrote to memory of 2088 2768 3jvdd.exe 40 PID 2768 wrote to memory of 2088 2768 3jvdd.exe 40 PID 2768 wrote to memory of 2088 2768 3jvdd.exe 40 PID 2088 wrote to memory of 2620 2088 hbbbnt.exe 41 PID 2088 wrote to memory of 2620 2088 hbbbnt.exe 41 PID 2088 wrote to memory of 2620 2088 hbbbnt.exe 41 PID 2088 wrote to memory of 2620 2088 hbbbnt.exe 41 PID 2620 wrote to memory of 1760 2620 vpjvj.exe 42 PID 2620 wrote to memory of 1760 2620 vpjvj.exe 42 PID 2620 wrote to memory of 1760 2620 vpjvj.exe 42 PID 2620 wrote to memory of 1760 2620 vpjvj.exe 42 PID 1760 wrote to memory of 2892 1760 lfflxxx.exe 43 PID 1760 wrote to memory of 2892 1760 lfflxxx.exe 43 PID 1760 wrote to memory of 2892 1760 lfflxxx.exe 43 PID 1760 wrote to memory of 2892 1760 lfflxxx.exe 43 PID 2892 wrote to memory of 2020 2892 7dvdp.exe 44 PID 2892 wrote to memory of 2020 2892 7dvdp.exe 44 PID 2892 wrote to memory of 2020 2892 7dvdp.exe 44 PID 2892 wrote to memory of 2020 2892 7dvdp.exe 44 PID 2020 wrote to memory of 684 2020 xxrrxfx.exe 45 PID 2020 wrote to memory of 684 2020 xxrrxfx.exe 45 PID 2020 wrote to memory of 684 2020 xxrrxfx.exe 45 PID 2020 wrote to memory of 684 2020 xxrrxfx.exe 45 PID 684 wrote to memory of 1148 684 dvdjd.exe 46 PID 684 wrote to memory of 1148 684 dvdjd.exe 46 PID 684 wrote to memory of 1148 684 dvdjd.exe 46 PID 684 wrote to memory of 1148 684 dvdjd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\b58f334e4a9ed6e76dc7b2c864332a78cc9eeba1af613f894c9a8b09602dd37d.exe"C:\Users\Admin\AppData\Local\Temp\b58f334e4a9ed6e76dc7b2c864332a78cc9eeba1af613f894c9a8b09602dd37d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\vpjjd.exec:\vpjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\xrflxfl.exec:\xrflxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\dvddp.exec:\dvddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\ttnhtb.exec:\ttnhtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\frrrffx.exec:\frrrffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\tnbhnn.exec:\tnbhnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\llxlfxr.exec:\llxlfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\xxffrxl.exec:\xxffrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\3jvdd.exec:\3jvdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\hbbbnt.exec:\hbbbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\vpjvj.exec:\vpjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\lfflxxx.exec:\lfflxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\7dvdp.exec:\7dvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\xxrrxfx.exec:\xxrrxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\dvdjd.exec:\dvdjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\ppdjv.exec:\ppdjv.exe17⤵
- Executes dropped EXE
PID:1148 -
\??\c:\tnhhbb.exec:\tnhhbb.exe18⤵
- Executes dropped EXE
PID:2372 -
\??\c:\vppdp.exec:\vppdp.exe19⤵
- Executes dropped EXE
PID:1116 -
\??\c:\jdvvj.exec:\jdvvj.exe20⤵
- Executes dropped EXE
PID:3028 -
\??\c:\7pjpj.exec:\7pjpj.exe21⤵
- Executes dropped EXE
PID:2384 -
\??\c:\hbnthh.exec:\hbnthh.exe22⤵
- Executes dropped EXE
PID:2324 -
\??\c:\dvvpp.exec:\dvvpp.exe23⤵
- Executes dropped EXE
PID:2128 -
\??\c:\hhbhbb.exec:\hhbhbb.exe24⤵
- Executes dropped EXE
PID:1624 -
\??\c:\7rlrxfr.exec:\7rlrxfr.exe25⤵
- Executes dropped EXE
PID:2668 -
\??\c:\bnhhtb.exec:\bnhhtb.exe26⤵
- Executes dropped EXE
PID:2756 -
\??\c:\vpddj.exec:\vpddj.exe27⤵
- Executes dropped EXE
PID:2488 -
\??\c:\jvjpp.exec:\jvjpp.exe28⤵
- Executes dropped EXE
PID:1520 -
\??\c:\xrfllff.exec:\xrfllff.exe29⤵
- Executes dropped EXE
PID:1852 -
\??\c:\9hbtbh.exec:\9hbtbh.exe30⤵
- Executes dropped EXE
PID:2228 -
\??\c:\vvpvj.exec:\vvpvj.exe31⤵
- Executes dropped EXE
PID:376 -
\??\c:\xrlrrfr.exec:\xrlrrfr.exe32⤵
- Executes dropped EXE
PID:1200 -
\??\c:\jdpdv.exec:\jdpdv.exe33⤵
- Executes dropped EXE
PID:2016 -
\??\c:\7xxrlxl.exec:\7xxrlxl.exe34⤵
- Executes dropped EXE
PID:2492 -
\??\c:\1nhnbh.exec:\1nhnbh.exe35⤵
- Executes dropped EXE
PID:2352 -
\??\c:\nhbntt.exec:\nhbntt.exe36⤵
- Executes dropped EXE
PID:1704 -
\??\c:\7pjpd.exec:\7pjpd.exe37⤵
- Executes dropped EXE
PID:2708 -
\??\c:\fxrrffl.exec:\fxrrffl.exe38⤵
- Executes dropped EXE
PID:2268 -
\??\c:\tthnbb.exec:\tthnbb.exe39⤵
- Executes dropped EXE
PID:1800 -
\??\c:\tttbhb.exec:\tttbhb.exe40⤵
- Executes dropped EXE
PID:2840 -
\??\c:\3dvvj.exec:\3dvvj.exe41⤵
- Executes dropped EXE
PID:2660 -
\??\c:\3rfrxxf.exec:\3rfrxxf.exe42⤵
- Executes dropped EXE
PID:2828 -
\??\c:\nbnnbb.exec:\nbnnbb.exe43⤵
- Executes dropped EXE
PID:2764 -
\??\c:\tnbntb.exec:\tnbntb.exe44⤵
- Executes dropped EXE
PID:2632 -
\??\c:\pjppd.exec:\pjppd.exe45⤵
- Executes dropped EXE
PID:3032 -
\??\c:\flfrffr.exec:\flfrffr.exe46⤵
- Executes dropped EXE
PID:2556 -
\??\c:\9tbnth.exec:\9tbnth.exe47⤵
- Executes dropped EXE
PID:1480 -
\??\c:\bttthn.exec:\bttthn.exe48⤵
- Executes dropped EXE
PID:400 -
\??\c:\dvjpj.exec:\dvjpj.exe49⤵
- Executes dropped EXE
PID:824 -
\??\c:\xlrxflr.exec:\xlrxflr.exe50⤵
- Executes dropped EXE
PID:1284 -
\??\c:\3xllrrf.exec:\3xllrrf.exe51⤵
- Executes dropped EXE
PID:2868 -
\??\c:\tnhtbb.exec:\tnhtbb.exe52⤵
- Executes dropped EXE
PID:2744 -
\??\c:\1dvvv.exec:\1dvvv.exe53⤵
- Executes dropped EXE
PID:1636 -
\??\c:\rllrrlx.exec:\rllrrlx.exe54⤵
- Executes dropped EXE
PID:2372 -
\??\c:\rfrxrxr.exec:\rfrxrxr.exe55⤵
- Executes dropped EXE
PID:2996 -
\??\c:\1nbbnn.exec:\1nbbnn.exe56⤵
- Executes dropped EXE
PID:1116 -
\??\c:\dvppj.exec:\dvppj.exe57⤵
- Executes dropped EXE
PID:2200 -
\??\c:\vjvvj.exec:\vjvvj.exe58⤵
- Executes dropped EXE
PID:2176 -
\??\c:\xrllrrx.exec:\xrllrrx.exe59⤵
- Executes dropped EXE
PID:2108 -
\??\c:\ffrxffl.exec:\ffrxffl.exe60⤵
- Executes dropped EXE
PID:3068 -
\??\c:\7hntbh.exec:\7hntbh.exe61⤵
- Executes dropped EXE
PID:2952 -
\??\c:\jjpjv.exec:\jjpjv.exe62⤵
- Executes dropped EXE
PID:2044 -
\??\c:\ffrfrrx.exec:\ffrfrrx.exe63⤵
- Executes dropped EXE
PID:1872 -
\??\c:\fxrxflx.exec:\fxrxflx.exe64⤵
- Executes dropped EXE
PID:1708 -
\??\c:\tthtnt.exec:\tthtnt.exe65⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pjpdp.exec:\pjpdp.exe66⤵PID:996
-
\??\c:\7dpvd.exec:\7dpvd.exe67⤵PID:2244
-
\??\c:\xrlxflr.exec:\xrlxflr.exe68⤵PID:2084
-
\??\c:\xxrxflx.exec:\xxrxflx.exe69⤵PID:2152
-
\??\c:\hbtbtn.exec:\hbtbtn.exe70⤵PID:2432
-
\??\c:\dvjpd.exec:\dvjpd.exe71⤵PID:896
-
\??\c:\pdppd.exec:\pdppd.exe72⤵PID:2436
-
\??\c:\rflllrx.exec:\rflllrx.exe73⤵PID:1692
-
\??\c:\hthhnt.exec:\hthhnt.exe74⤵PID:1200
-
\??\c:\3hbbnh.exec:\3hbbnh.exe75⤵PID:2480
-
\??\c:\vvpjp.exec:\vvpjp.exe76⤵PID:2752
-
\??\c:\rfxxffl.exec:\rfxxffl.exe77⤵PID:972
-
\??\c:\frfrxxx.exec:\frfrxxx.exe78⤵PID:2772
-
\??\c:\hbnbhn.exec:\hbnbhn.exe79⤵PID:2948
-
\??\c:\vvpvv.exec:\vvpvv.exe80⤵PID:2816
-
\??\c:\1dddp.exec:\1dddp.exe81⤵PID:2276
-
\??\c:\xllrrrx.exec:\xllrrrx.exe82⤵PID:2888
-
\??\c:\9btbhn.exec:\9btbhn.exe83⤵PID:2592
-
\??\c:\bbbhtt.exec:\bbbhtt.exe84⤵PID:2844
-
\??\c:\pjvdj.exec:\pjvdj.exe85⤵PID:2584
-
\??\c:\3fxlrrx.exec:\3fxlrrx.exe86⤵PID:2736
-
\??\c:\1xxlrrl.exec:\1xxlrrl.exe87⤵PID:2240
-
\??\c:\nhbbhn.exec:\nhbbhn.exe88⤵PID:1044
-
\??\c:\ddvjj.exec:\ddvjj.exe89⤵PID:1984
-
\??\c:\vjvpv.exec:\vjvpv.exe90⤵PID:1480
-
\??\c:\llxlffl.exec:\llxlffl.exe91⤵PID:1980
-
\??\c:\nnhhbb.exec:\nnhhbb.exe92⤵PID:824
-
\??\c:\btbntt.exec:\btbntt.exe93⤵PID:1284
-
\??\c:\jdjjd.exec:\jdjjd.exe94⤵PID:1280
-
\??\c:\rlxxffl.exec:\rlxxffl.exe95⤵PID:2744
-
\??\c:\hbtbtb.exec:\hbtbtb.exe96⤵PID:1636
-
\??\c:\tnthnn.exec:\tnthnn.exe97⤵PID:548
-
\??\c:\pdpjp.exec:\pdpjp.exe98⤵PID:2996
-
\??\c:\3vjpd.exec:\3vjpd.exe99⤵PID:2904
-
\??\c:\xlffllx.exec:\xlffllx.exe100⤵PID:2456
-
\??\c:\7hbthh.exec:\7hbthh.exe101⤵PID:2224
-
\??\c:\tthbhh.exec:\tthbhh.exe102⤵PID:2064
-
\??\c:\7vddp.exec:\7vddp.exe103⤵PID:2880
-
\??\c:\9lxlrrx.exec:\9lxlrrx.exe104⤵PID:352
-
\??\c:\xrfrxxl.exec:\xrfrxxl.exe105⤵PID:1624
-
\??\c:\9htthh.exec:\9htthh.exe106⤵PID:1596
-
\??\c:\vpdjj.exec:\vpdjj.exe107⤵PID:1708
-
\??\c:\3vpvp.exec:\3vpvp.exe108⤵PID:1492
-
\??\c:\rlrfrrr.exec:\rlrfrrr.exe109⤵PID:2356
-
\??\c:\3httbh.exec:\3httbh.exe110⤵PID:2524
-
\??\c:\hbnnbh.exec:\hbnnbh.exe111⤵PID:1632
-
\??\c:\jdvvv.exec:\jdvvv.exe112⤵PID:1592
-
\??\c:\fxrfrxl.exec:\fxrfrxl.exe113⤵PID:2348
-
\??\c:\lfflxfl.exec:\lfflxfl.exe114⤵PID:2972
-
\??\c:\7btttt.exec:\7btttt.exe115⤵PID:276
-
\??\c:\vpddj.exec:\vpddj.exe116⤵PID:852
-
\??\c:\dpjjv.exec:\dpjjv.exe117⤵PID:2292
-
\??\c:\7xxfrrr.exec:\7xxfrrr.exe118⤵PID:2080
-
\??\c:\1frxlrx.exec:\1frxlrx.exe119⤵PID:2792
-
\??\c:\nbttbt.exec:\nbttbt.exe120⤵PID:2824
-
\??\c:\pjvdv.exec:\pjvdv.exe121⤵PID:2812
-
\??\c:\vjjjd.exec:\vjjjd.exe122⤵PID:2268