Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 01:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe
-
Size
454KB
-
MD5
114e100b2c654b36c590d8ce7c024311
-
SHA1
ff2061252792bb59729fd0ac1b1c4fd63cf04842
-
SHA256
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46
-
SHA512
789affbea2bb088847b8a189fad3cf6f54bc46f704bdee9fd9671422f19142d7203c9ffb934fbbe891f1a049fadf02d78a3f0fe337fb7a77dfc077a98b84cc6e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2236-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-89-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-107-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2624-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-128-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1988-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/340-195-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/304-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/276-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-264-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/572-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-325-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1584-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-336-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2908-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1180-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-419-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3020-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-555-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2056-560-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2560-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1200-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2420-940-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1048-947-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2708-984-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2996-991-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-1136-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/1720-1150-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2856-1263-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1900-1350-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2168 nnbhnn.exe 2320 hbtbhn.exe 1628 lllrfxl.exe 1044 lxxxrxl.exe 2764 jjvjp.exe 2948 1rllrxx.exe 2884 nnhntb.exe 1348 lfllxxl.exe 2788 bthhnt.exe 2636 pppvd.exe 1420 3llrffl.exe 2624 vvjpj.exe 1464 dvpjp.exe 1484 xlxflxl.exe 1988 7pdjj.exe 2828 hhthtb.exe 2312 hbnbnn.exe 1500 vpjjv.exe 2068 1thhnn.exe 2408 dpvvd.exe 340 jvvdj.exe 496 frffrxf.exe 292 nhthtn.exe 304 ffrflrx.exe 1144 nhbhnt.exe 276 vvvvp.exe 1564 pdvjv.exe 3060 fxfrfff.exe 2072 vpjpv.exe 2064 xrllrrf.exe 1724 tbnbnn.exe 572 3xrrrrl.exe 2300 tntntt.exe 2192 vvjdp.exe 2560 rflrxfl.exe 264 tbtthh.exe 1584 3nnhht.exe 2960 7djjj.exe 2724 lfrrxxf.exe 2908 btnnnn.exe 2744 nnhhtt.exe 2736 3vjpv.exe 3000 rfrrxrr.exe 1348 xrffrlf.exe 2760 3hbtbb.exe 2668 jvddd.exe 2052 9rfrxfr.exe 2112 xxrrxfr.exe 980 hbthnt.exe 1180 pvjdd.exe 3020 xxrrfxl.exe 1776 lflfffl.exe 2820 thtnbb.exe 2944 5vpvj.exe 2008 lfxxfll.exe 2000 fxlxlrx.exe 1500 nhbbbb.exe 1916 3dpjv.exe 2268 vpjpv.exe 2816 fxfllrr.exe 1184 ttnthh.exe 2600 ntthbb.exe 856 vpjjp.exe 1088 llfxlfr.exe -
resource yara_rule behavioral1/memory/2236-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-81-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2636-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-107-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2624-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-259-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2072-264-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2064-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-336-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2908-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1180-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/616-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-855-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2996-991-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-1028-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-1098-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-1143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-1181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-1194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-1219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-1226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-1282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-1307-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 2168 2236 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 30 PID 2236 wrote to memory of 2168 2236 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 30 PID 2236 wrote to memory of 2168 2236 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 30 PID 2236 wrote to memory of 2168 2236 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 30 PID 2168 wrote to memory of 2320 2168 nnbhnn.exe 31 PID 2168 wrote to memory of 2320 2168 nnbhnn.exe 31 PID 2168 wrote to memory of 2320 2168 nnbhnn.exe 31 PID 2168 wrote to memory of 2320 2168 nnbhnn.exe 31 PID 2320 wrote to memory of 1628 2320 hbtbhn.exe 32 PID 2320 wrote to memory of 1628 2320 hbtbhn.exe 32 PID 2320 wrote to memory of 1628 2320 hbtbhn.exe 32 PID 2320 wrote to memory of 1628 2320 hbtbhn.exe 32 PID 1628 wrote to memory of 1044 1628 lllrfxl.exe 33 PID 1628 wrote to memory of 1044 1628 lllrfxl.exe 33 PID 1628 wrote to memory of 1044 1628 lllrfxl.exe 33 PID 1628 wrote to memory of 1044 1628 lllrfxl.exe 33 PID 1044 wrote to memory of 2764 1044 lxxxrxl.exe 34 PID 1044 wrote to memory of 2764 1044 lxxxrxl.exe 34 PID 1044 wrote to memory of 2764 1044 lxxxrxl.exe 34 PID 1044 wrote to memory of 2764 1044 lxxxrxl.exe 34 PID 2764 wrote to memory of 2948 2764 jjvjp.exe 35 PID 2764 wrote to memory of 2948 2764 jjvjp.exe 35 PID 2764 wrote to memory of 2948 2764 jjvjp.exe 35 PID 2764 wrote to memory of 2948 2764 jjvjp.exe 35 PID 2948 wrote to memory of 2884 2948 1rllrxx.exe 36 PID 2948 wrote to memory of 2884 2948 1rllrxx.exe 36 PID 2948 wrote to memory of 2884 2948 1rllrxx.exe 36 PID 2948 wrote to memory of 2884 2948 1rllrxx.exe 36 PID 2884 wrote to memory of 1348 2884 nnhntb.exe 37 PID 2884 wrote to memory of 1348 2884 nnhntb.exe 37 PID 2884 wrote to memory of 1348 2884 nnhntb.exe 37 PID 2884 wrote to memory of 1348 2884 nnhntb.exe 37 PID 1348 wrote to memory of 2788 1348 lfllxxl.exe 38 PID 
1348 wrote to memory of 2788 1348 lfllxxl.exe 38 PID 1348 wrote to memory of 2788 1348 lfllxxl.exe 38 PID 1348 wrote to memory of 2788 1348 lfllxxl.exe 38 PID 2788 wrote to memory of 2636 2788 bthhnt.exe 39 PID 2788 wrote to memory of 2636 2788 bthhnt.exe 39 PID 2788 wrote to memory of 2636 2788 bthhnt.exe 39 PID 2788 wrote to memory of 2636 2788 bthhnt.exe 39 PID 2636 wrote to memory of 1420 2636 pppvd.exe 40 PID 2636 wrote to memory of 1420 2636 pppvd.exe 40 PID 2636 wrote to memory of 1420 2636 pppvd.exe 40 PID 2636 wrote to memory of 1420 2636 pppvd.exe 40 PID 1420 wrote to memory of 2624 1420 3llrffl.exe 41 PID 1420 wrote to memory of 2624 1420 3llrffl.exe 41 PID 1420 wrote to memory of 2624 1420 3llrffl.exe 41 PID 1420 wrote to memory of 2624 1420 3llrffl.exe 41 PID 2624 wrote to memory of 1464 2624 vvjpj.exe 42 PID 2624 wrote to memory of 1464 2624 vvjpj.exe 42 PID 2624 wrote to memory of 1464 2624 vvjpj.exe 42 PID 2624 wrote to memory of 1464 2624 vvjpj.exe 42 PID 1464 wrote to memory of 1484 1464 dvpjp.exe 43 PID 1464 wrote to memory of 1484 1464 dvpjp.exe 43 PID 1464 wrote to memory of 1484 1464 dvpjp.exe 43 PID 1464 wrote to memory of 1484 1464 dvpjp.exe 43 PID 1484 wrote to memory of 1988 1484 xlxflxl.exe 44 PID 1484 wrote to memory of 1988 1484 xlxflxl.exe 44 PID 1484 wrote to memory of 1988 1484 xlxflxl.exe 44 PID 1484 wrote to memory of 1988 1484 xlxflxl.exe 44 PID 1988 wrote to memory of 2828 1988 7pdjj.exe 45 PID 1988 wrote to memory of 2828 1988 7pdjj.exe 45 PID 1988 wrote to memory of 2828 1988 7pdjj.exe 45 PID 1988 wrote to memory of 2828 1988 7pdjj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe"C:\Users\Admin\AppData\Local\Temp\77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\nnbhnn.exec:\nnbhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\hbtbhn.exec:\hbtbhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\lllrfxl.exec:\lllrfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\lxxxrxl.exec:\lxxxrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\jjvjp.exec:\jjvjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\1rllrxx.exec:\1rllrxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\nnhntb.exec:\nnhntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\lfllxxl.exec:\lfllxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\bthhnt.exec:\bthhnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\pppvd.exec:\pppvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\3llrffl.exec:\3llrffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\vvjpj.exec:\vvjpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\dvpjp.exec:\dvpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\xlxflxl.exec:\xlxflxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\7pdjj.exec:\7pdjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\hhthtb.exec:\hhthtb.exe17⤵
- Executes dropped EXE
PID:2828 -
\??\c:\hbnbnn.exec:\hbnbnn.exe18⤵
- Executes dropped EXE
PID:2312 -
\??\c:\vpjjv.exec:\vpjjv.exe19⤵
- Executes dropped EXE
PID:1500 -
\??\c:\1thhnn.exec:\1thhnn.exe20⤵
- Executes dropped EXE
PID:2068 -
\??\c:\dpvvd.exec:\dpvvd.exe21⤵
- Executes dropped EXE
PID:2408 -
\??\c:\jvvdj.exec:\jvvdj.exe22⤵
- Executes dropped EXE
PID:340 -
\??\c:\frffrxf.exec:\frffrxf.exe23⤵
- Executes dropped EXE
PID:496 -
\??\c:\nhthtn.exec:\nhthtn.exe24⤵
- Executes dropped EXE
PID:292 -
\??\c:\ffrflrx.exec:\ffrflrx.exe25⤵
- Executes dropped EXE
PID:304 -
\??\c:\nhbhnt.exec:\nhbhnt.exe26⤵
- Executes dropped EXE
PID:1144 -
\??\c:\vvvvp.exec:\vvvvp.exe27⤵
- Executes dropped EXE
PID:276 -
\??\c:\pdvjv.exec:\pdvjv.exe28⤵
- Executes dropped EXE
PID:1564 -
\??\c:\fxfrfff.exec:\fxfrfff.exe29⤵
- Executes dropped EXE
PID:3060 -
\??\c:\vpjpv.exec:\vpjpv.exe30⤵
- Executes dropped EXE
PID:2072 -
\??\c:\xrllrrf.exec:\xrllrrf.exe31⤵
- Executes dropped EXE
PID:2064 -
\??\c:\tbnbnn.exec:\tbnbnn.exe32⤵
- Executes dropped EXE
PID:1724 -
\??\c:\3xrrrrl.exec:\3xrrrrl.exe33⤵
- Executes dropped EXE
PID:572 -
\??\c:\tntntt.exec:\tntntt.exe34⤵
- Executes dropped EXE
PID:2300 -
\??\c:\vvjdp.exec:\vvjdp.exe35⤵
- Executes dropped EXE
PID:2192 -
\??\c:\rflrxfl.exec:\rflrxfl.exe36⤵
- Executes dropped EXE
PID:2560 -
\??\c:\tbtthh.exec:\tbtthh.exe37⤵
- Executes dropped EXE
PID:264 -
\??\c:\3nnhht.exec:\3nnhht.exe38⤵
- Executes dropped EXE
PID:1584 -
\??\c:\7djjj.exec:\7djjj.exe39⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lfrrxxf.exec:\lfrrxxf.exe40⤵
- Executes dropped EXE
PID:2724 -
\??\c:\btnnnn.exec:\btnnnn.exe41⤵
- Executes dropped EXE
PID:2908 -
\??\c:\nnhhtt.exec:\nnhhtt.exe42⤵
- Executes dropped EXE
PID:2744 -
\??\c:\3vjpv.exec:\3vjpv.exe43⤵
- Executes dropped EXE
PID:2736 -
\??\c:\rfrrxrr.exec:\rfrrxrr.exe44⤵
- Executes dropped EXE
PID:3000 -
\??\c:\xrffrlf.exec:\xrffrlf.exe45⤵
- Executes dropped EXE
PID:1348 -
\??\c:\3hbtbb.exec:\3hbtbb.exe46⤵
- Executes dropped EXE
PID:2760 -
\??\c:\jvddd.exec:\jvddd.exe47⤵
- Executes dropped EXE
PID:2668 -
\??\c:\9rfrxfr.exec:\9rfrxfr.exe48⤵
- Executes dropped EXE
PID:2052 -
\??\c:\xxrrxfr.exec:\xxrrxfr.exe49⤵
- Executes dropped EXE
PID:2112 -
\??\c:\hbthnt.exec:\hbthnt.exe50⤵
- Executes dropped EXE
PID:980 -
\??\c:\pvjdd.exec:\pvjdd.exe51⤵
- Executes dropped EXE
PID:1180 -
\??\c:\xxrrfxl.exec:\xxrrfxl.exe52⤵
- Executes dropped EXE
PID:3020 -
\??\c:\lflfffl.exec:\lflfffl.exe53⤵
- Executes dropped EXE
PID:1776 -
\??\c:\thtnbb.exec:\thtnbb.exe54⤵
- Executes dropped EXE
PID:2820 -
\??\c:\5vpvj.exec:\5vpvj.exe55⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lfxxfll.exec:\lfxxfll.exe56⤵
- Executes dropped EXE
PID:2008 -
\??\c:\fxlxlrx.exec:\fxlxlrx.exe57⤵
- Executes dropped EXE
PID:2000 -
\??\c:\nhbbbb.exec:\nhbbbb.exe58⤵
- Executes dropped EXE
PID:1500 -
\??\c:\3dpjv.exec:\3dpjv.exe59⤵
- Executes dropped EXE
PID:1916 -
\??\c:\vpjpv.exec:\vpjpv.exe60⤵
- Executes dropped EXE
PID:2268 -
\??\c:\fxfllrr.exec:\fxfllrr.exe61⤵
- Executes dropped EXE
PID:2816 -
\??\c:\ttnthh.exec:\ttnthh.exe62⤵
- Executes dropped EXE
PID:1184 -
\??\c:\ntthbb.exec:\ntthbb.exe63⤵
- Executes dropped EXE
PID:2600 -
\??\c:\vpjjp.exec:\vpjjp.exe64⤵
- Executes dropped EXE
PID:856 -
\??\c:\llfxlfr.exec:\llfxlfr.exe65⤵
- Executes dropped EXE
PID:1088 -
\??\c:\7tbbhh.exec:\7tbbhh.exe66⤵PID:304
-
\??\c:\tthtbh.exec:\tthtbh.exe67⤵PID:2024
-
\??\c:\dvjvv.exec:\dvjvv.exe68⤵PID:916
-
\??\c:\5frxrxx.exec:\5frxrxx.exe69⤵PID:2756
-
\??\c:\lfrlxfr.exec:\lfrlxfr.exe70⤵PID:1900
-
\??\c:\bbtnhn.exec:\bbtnhn.exe71⤵PID:2084
-
\??\c:\3vpdp.exec:\3vpdp.exe72⤵PID:1172
-
\??\c:\vpjjv.exec:\vpjjv.exe73⤵PID:1072
-
\??\c:\rlrrxrf.exec:\rlrrxrf.exe74⤵PID:2056
-
\??\c:\nhbbbb.exec:\nhbbbb.exe75⤵PID:988
-
\??\c:\7hnhnn.exec:\7hnhnn.exe76⤵PID:2412
-
\??\c:\dvdpv.exec:\dvdpv.exe77⤵PID:2164
-
\??\c:\frlfllr.exec:\frlfllr.exe78⤵PID:1952
-
\??\c:\1rxrxrx.exec:\1rxrxrx.exe79⤵PID:2204
-
\??\c:\bthhnt.exec:\bthhnt.exe80⤵PID:2560
-
\??\c:\1vpvd.exec:\1vpvd.exe81⤵PID:2340
-
\??\c:\vpjjp.exec:\vpjjp.exe82⤵PID:2500
-
\??\c:\3rffllr.exec:\3rffllr.exe83⤵PID:2748
-
\??\c:\bbbbhn.exec:\bbbbhn.exe84⤵PID:2924
-
\??\c:\nnhnbb.exec:\nnhnbb.exe85⤵PID:2776
-
\??\c:\3jvvd.exec:\3jvvd.exe86⤵PID:2896
-
\??\c:\1lxlxxf.exec:\1lxlxxf.exe87⤵PID:2784
-
\??\c:\tthbhh.exec:\tthbhh.exe88⤵PID:2792
-
\??\c:\bttbbt.exec:\bttbbt.exe89⤵PID:2876
-
\??\c:\jdvdj.exec:\jdvdj.exe90⤵PID:2696
-
\??\c:\fxrlfxl.exec:\fxrlfxl.exe91⤵PID:2116
-
\??\c:\frlfxfl.exec:\frlfxfl.exe92⤵PID:2404
-
\??\c:\bbtbnh.exec:\bbtbnh.exe93⤵PID:1028
-
\??\c:\hhbtbt.exec:\hhbtbt.exe94⤵PID:1200
-
\??\c:\jddpv.exec:\jddpv.exe95⤵PID:1668
-
\??\c:\lflrrxx.exec:\lflrrxx.exe96⤵PID:2472
-
\??\c:\hntbhn.exec:\hntbhn.exe97⤵PID:2848
-
\??\c:\5bhnbh.exec:\5bhnbh.exe98⤵PID:2824
-
\??\c:\jdvvd.exec:\jdvvd.exe99⤵PID:3004
-
\??\c:\xfxrxfl.exec:\xfxrxfl.exe100⤵PID:2212
-
\??\c:\xrfxffr.exec:\xrfxffr.exe101⤵PID:2008
-
\??\c:\nbbhnt.exec:\nbbhnt.exe102⤵PID:1912
-
\??\c:\pjpdj.exec:\pjpdj.exe103⤵PID:2368
-
\??\c:\lrfrxff.exec:\lrfrxff.exe104⤵PID:2140
-
\??\c:\bbnthn.exec:\bbnthn.exe105⤵PID:2268
-
\??\c:\bthbhh.exec:\bthbhh.exe106⤵PID:2816
-
\??\c:\jjdvj.exec:\jjdvj.exe107⤵PID:1184
-
\??\c:\rxlrxxl.exec:\rxlrxxl.exe108⤵PID:1292
-
\??\c:\3hbntn.exec:\3hbntn.exe109⤵PID:856
-
\??\c:\nnntht.exec:\nnntht.exe110⤵PID:1956
-
\??\c:\vpjpv.exec:\vpjpv.exe111⤵PID:1612
-
\??\c:\xfxlxxl.exec:\xfxlxxl.exe112⤵PID:276
-
\??\c:\htbbnn.exec:\htbbnn.exe113⤵PID:1876
-
\??\c:\ttnbtb.exec:\ttnbtb.exe114⤵PID:616
-
\??\c:\pdjjp.exec:\pdjjp.exe115⤵PID:2964
-
\??\c:\lxlfffl.exec:\lxlfffl.exe116⤵PID:2060
-
\??\c:\ntnbnb.exec:\ntnbnb.exe117⤵PID:2588
-
\??\c:\bthtnt.exec:\bthtnt.exe118⤵PID:1688
-
\??\c:\3pdjp.exec:\3pdjp.exe119⤵PID:2548
-
\??\c:\7lxffrr.exec:\7lxffrr.exe120⤵PID:2280
-
\??\c:\xrlrfrf.exec:\xrlrfrf.exe121⤵PID:2196
-
\??\c:\1thhth.exec:\1thhth.exe122⤵PID:2572