Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 06:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe
-
Size
454KB
-
MD5
f484a319108eca7ca1710eca7f592c02
-
SHA1
f0fbb191a4c381ac71ab372f64a47e93a118b917
-
SHA256
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855
-
SHA512
8e040a478bc96482d3196f9273d70677b20408b4176e052bd2bfee45de655eb8851993f5d086f3831a98696ac77b7fd39822f355be3d5e917df14206c164018b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2136-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-82-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2788-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-84-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2964-112-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2396-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-132-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/804-130-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2988-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-159-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2020-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-196-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1624-185-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/3028-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1016-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-286-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/888-284-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2404-298-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2084-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-442-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/3020-440-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1200-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-470-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2516-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1560-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-504-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2312-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-631-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1868-643-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2672-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-680-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3048-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-778-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1620-839-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2976-964-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2404 dppjd.exe 740 ffrlfrx.exe 1080 3nnntb.exe 2248 bbhbhh.exe 2824 jdpvj.exe 2184 5lrlrrr.exe 2788 tttttt.exe 2964 xxlrffl.exe 2680 nnbbhn.exe 2656 llrrxxf.exe 2396 ddjvj.exe 684 1xfflfl.exe 804 bhtthn.exe 2696 bbbntn.exe 2988 rxrrrxf.exe 2008 llffrfr.exe 1068 hhnbth.exe 2020 btbttt.exe 1624 vvvvv.exe 3040 ddvvd.exe 1728 xxxlrxr.exe 1792 1tntnb.exe 3028 1vjjv.exe 1768 rxxfxlx.exe 1016 1rffrfl.exe 1816 tnnbht.exe 2440 rrfrxxf.exe 1308 jjppv.exe 2232 ffflflx.exe 888 tbntbh.exe 1724 djvvd.exe 1608 bhbntb.exe 2220 nttthh.exe 2084 lxlrxfl.exe 1080 tbbtbh.exe 2840 thnnhh.exe 2824 pvdjj.exe 2732 llrrxlf.exe 2900 rrlrlrf.exe 2972 hnttth.exe 2964 pvjjv.exe 2792 vdjpv.exe 380 3xffxfl.exe 2468 7nbbnt.exe 2932 7btbnn.exe 352 jppdp.exe 3016 5rlrrxl.exe 2872 hhnttb.exe 2928 hhnnnt.exe 2016 vdppv.exe 1528 fxfxfxf.exe 3020 xfllrrx.exe 3024 nnbttt.exe 2180 dvddv.exe 1200 vvvpp.exe 1436 1frrlrf.exe 2064 7tbhnn.exe 2516 jvvpd.exe 1560 jjjjp.exe 1824 5xflrxf.exe 3028 9nbhnb.exe 1568 thbbhb.exe 544 vvdjj.exe 2312 fflfrlx.exe -
resource yara_rule behavioral1/memory/2136-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-160-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2020-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-196-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1624-185-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3028-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-237-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1816-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-260-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2232-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-284-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2084-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-650-0x00000000002C0000-0x00000000002EA000-memory.dmp upx behavioral1/memory/2672-658-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2928-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-921-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2404 2136 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 30 PID 2136 wrote to memory of 2404 2136 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 30 PID 2136 wrote to memory of 2404 2136 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 30 PID 2136 wrote to memory of 2404 2136 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 30 PID 2404 wrote to memory of 740 2404 dppjd.exe 31 PID 2404 wrote to memory of 740 2404 dppjd.exe 31 PID 2404 wrote to memory of 740 2404 dppjd.exe 31 PID 2404 wrote to memory of 740 2404 dppjd.exe 31 PID 740 wrote to memory of 1080 740 ffrlfrx.exe 32 PID 740 wrote to memory of 1080 740 ffrlfrx.exe 32 PID 740 wrote to memory of 1080 740 ffrlfrx.exe 32 PID 740 wrote to memory of 1080 740 ffrlfrx.exe 32 PID 1080 wrote to memory of 2248 1080 3nnntb.exe 33 PID 1080 wrote to memory of 2248 1080 3nnntb.exe 33 PID 1080 wrote to memory of 2248 1080 3nnntb.exe 33 PID 1080 wrote to memory of 2248 1080 3nnntb.exe 33 PID 2248 wrote to memory of 2824 2248 bbhbhh.exe 34 PID 2248 wrote to memory of 2824 2248 bbhbhh.exe 34 PID 2248 wrote to memory of 2824 2248 bbhbhh.exe 34 PID 2248 wrote to memory of 2824 2248 bbhbhh.exe 34 PID 2824 wrote to memory of 2184 2824 jdpvj.exe 35 PID 2824 wrote to memory of 2184 2824 jdpvj.exe 35 PID 2824 wrote to memory of 2184 2824 jdpvj.exe 35 PID 2824 wrote to memory of 2184 2824 jdpvj.exe 35 PID 2184 wrote to memory of 2788 2184 5lrlrrr.exe 36 PID 2184 wrote to memory of 2788 2184 5lrlrrr.exe 36 PID 2184 wrote to memory of 2788 2184 5lrlrrr.exe 36 PID 2184 wrote to memory of 2788 2184 5lrlrrr.exe 36 PID 2788 wrote to memory of 2964 2788 tttttt.exe 37 PID 2788 wrote to memory of 2964 2788 tttttt.exe 37 PID 2788 wrote to memory of 2964 2788 tttttt.exe 37 PID 2788 wrote to memory of 2964 2788 tttttt.exe 37 PID 2964 wrote to memory of 2680 2964 xxlrffl.exe 38 PID 2964 wrote to memory 
of 2680 2964 xxlrffl.exe 38 PID 2964 wrote to memory of 2680 2964 xxlrffl.exe 38 PID 2964 wrote to memory of 2680 2964 xxlrffl.exe 38 PID 2680 wrote to memory of 2656 2680 nnbbhn.exe 39 PID 2680 wrote to memory of 2656 2680 nnbbhn.exe 39 PID 2680 wrote to memory of 2656 2680 nnbbhn.exe 39 PID 2680 wrote to memory of 2656 2680 nnbbhn.exe 39 PID 2656 wrote to memory of 2396 2656 llrrxxf.exe 40 PID 2656 wrote to memory of 2396 2656 llrrxxf.exe 40 PID 2656 wrote to memory of 2396 2656 llrrxxf.exe 40 PID 2656 wrote to memory of 2396 2656 llrrxxf.exe 40 PID 2396 wrote to memory of 684 2396 ddjvj.exe 41 PID 2396 wrote to memory of 684 2396 ddjvj.exe 41 PID 2396 wrote to memory of 684 2396 ddjvj.exe 41 PID 2396 wrote to memory of 684 2396 ddjvj.exe 41 PID 684 wrote to memory of 804 684 1xfflfl.exe 42 PID 684 wrote to memory of 804 684 1xfflfl.exe 42 PID 684 wrote to memory of 804 684 1xfflfl.exe 42 PID 684 wrote to memory of 804 684 1xfflfl.exe 42 PID 804 wrote to memory of 2696 804 bhtthn.exe 43 PID 804 wrote to memory of 2696 804 bhtthn.exe 43 PID 804 wrote to memory of 2696 804 bhtthn.exe 43 PID 804 wrote to memory of 2696 804 bhtthn.exe 43 PID 2696 wrote to memory of 2988 2696 bbbntn.exe 44 PID 2696 wrote to memory of 2988 2696 bbbntn.exe 44 PID 2696 wrote to memory of 2988 2696 bbbntn.exe 44 PID 2696 wrote to memory of 2988 2696 bbbntn.exe 44 PID 2988 wrote to memory of 2008 2988 rxrrrxf.exe 45 PID 2988 wrote to memory of 2008 2988 rxrrrxf.exe 45 PID 2988 wrote to memory of 2008 2988 rxrrrxf.exe 45 PID 2988 wrote to memory of 2008 2988 rxrrrxf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe"C:\Users\Admin\AppData\Local\Temp\5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\dppjd.exec:\dppjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\ffrlfrx.exec:\ffrlfrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\3nnntb.exec:\3nnntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\bbhbhh.exec:\bbhbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\jdpvj.exec:\jdpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\5lrlrrr.exec:\5lrlrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\tttttt.exec:\tttttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\xxlrffl.exec:\xxlrffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\nnbbhn.exec:\nnbbhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\llrrxxf.exec:\llrrxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\ddjvj.exec:\ddjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\1xfflfl.exec:\1xfflfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\bhtthn.exec:\bhtthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\bbbntn.exec:\bbbntn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\rxrrrxf.exec:\rxrrrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\llffrfr.exec:\llffrfr.exe17⤵
- Executes dropped EXE
PID:2008 -
\??\c:\hhnbth.exec:\hhnbth.exe18⤵
- Executes dropped EXE
PID:1068 -
\??\c:\btbttt.exec:\btbttt.exe19⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vvvvv.exec:\vvvvv.exe20⤵
- Executes dropped EXE
PID:1624 -
\??\c:\ddvvd.exec:\ddvvd.exe21⤵
- Executes dropped EXE
PID:3040 -
\??\c:\xxxlrxr.exec:\xxxlrxr.exe22⤵
- Executes dropped EXE
PID:1728 -
\??\c:\1tntnb.exec:\1tntnb.exe23⤵
- Executes dropped EXE
PID:1792 -
\??\c:\1vjjv.exec:\1vjjv.exe24⤵
- Executes dropped EXE
PID:3028 -
\??\c:\rxxfxlx.exec:\rxxfxlx.exe25⤵
- Executes dropped EXE
PID:1768 -
\??\c:\1rffrfl.exec:\1rffrfl.exe26⤵
- Executes dropped EXE
PID:1016 -
\??\c:\tnnbht.exec:\tnnbht.exe27⤵
- Executes dropped EXE
PID:1816 -
\??\c:\rrfrxxf.exec:\rrfrxxf.exe28⤵
- Executes dropped EXE
PID:2440 -
\??\c:\jjppv.exec:\jjppv.exe29⤵
- Executes dropped EXE
PID:1308 -
\??\c:\ffflflx.exec:\ffflflx.exe30⤵
- Executes dropped EXE
PID:2232 -
\??\c:\tbntbh.exec:\tbntbh.exe31⤵
- Executes dropped EXE
PID:888 -
\??\c:\djvvd.exec:\djvvd.exe32⤵
- Executes dropped EXE
PID:1724 -
\??\c:\nnbttb.exec:\nnbttb.exe33⤵PID:2404
-
\??\c:\bhbntb.exec:\bhbntb.exe34⤵
- Executes dropped EXE
PID:1608 -
\??\c:\nttthh.exec:\nttthh.exe35⤵
- Executes dropped EXE
PID:2220 -
\??\c:\lxlrxfl.exec:\lxlrxfl.exe36⤵
- Executes dropped EXE
PID:2084 -
\??\c:\tbbtbh.exec:\tbbtbh.exe37⤵
- Executes dropped EXE
PID:1080 -
\??\c:\thnnhh.exec:\thnnhh.exe38⤵
- Executes dropped EXE
PID:2840 -
\??\c:\pvdjj.exec:\pvdjj.exe39⤵
- Executes dropped EXE
PID:2824 -
\??\c:\llrrxlf.exec:\llrrxlf.exe40⤵
- Executes dropped EXE
PID:2732 -
\??\c:\rrlrlrf.exec:\rrlrlrf.exe41⤵
- Executes dropped EXE
PID:2900 -
\??\c:\hnttth.exec:\hnttth.exe42⤵
- Executes dropped EXE
PID:2972 -
\??\c:\pvjjv.exec:\pvjjv.exe43⤵
- Executes dropped EXE
PID:2964 -
\??\c:\vdjpv.exec:\vdjpv.exe44⤵
- Executes dropped EXE
PID:2792 -
\??\c:\3xffxfl.exec:\3xffxfl.exe45⤵
- Executes dropped EXE
PID:380 -
\??\c:\7nbbnt.exec:\7nbbnt.exe46⤵
- Executes dropped EXE
PID:2468 -
\??\c:\7btbnn.exec:\7btbnn.exe47⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jppdp.exec:\jppdp.exe48⤵
- Executes dropped EXE
PID:352 -
\??\c:\5rlrrxl.exec:\5rlrrxl.exe49⤵
- Executes dropped EXE
PID:3016 -
\??\c:\hhnttb.exec:\hhnttb.exe50⤵
- Executes dropped EXE
PID:2872 -
\??\c:\hhnnnt.exec:\hhnnnt.exe51⤵
- Executes dropped EXE
PID:2928 -
\??\c:\vdppv.exec:\vdppv.exe52⤵
- Executes dropped EXE
PID:2016 -
\??\c:\fxfxfxf.exec:\fxfxfxf.exe53⤵
- Executes dropped EXE
PID:1528 -
\??\c:\xfllrrx.exec:\xfllrrx.exe54⤵
- Executes dropped EXE
PID:3020 -
\??\c:\nnbttt.exec:\nnbttt.exe55⤵
- Executes dropped EXE
PID:3024 -
\??\c:\dvddv.exec:\dvddv.exe56⤵
- Executes dropped EXE
PID:2180 -
\??\c:\vvvpp.exec:\vvvpp.exe57⤵
- Executes dropped EXE
PID:1200 -
\??\c:\1frrlrf.exec:\1frrlrf.exe58⤵
- Executes dropped EXE
PID:1436 -
\??\c:\7tbhnn.exec:\7tbhnn.exe59⤵
- Executes dropped EXE
PID:2064 -
\??\c:\jvvpd.exec:\jvvpd.exe60⤵
- Executes dropped EXE
PID:2516 -
\??\c:\jjjjp.exec:\jjjjp.exe61⤵
- Executes dropped EXE
PID:1560 -
\??\c:\5xflrxf.exec:\5xflrxf.exe62⤵
- Executes dropped EXE
PID:1824 -
\??\c:\9nbhnb.exec:\9nbhnb.exe63⤵
- Executes dropped EXE
PID:3028 -
\??\c:\thbbhb.exec:\thbbhb.exe64⤵
- Executes dropped EXE
PID:1568 -
\??\c:\vvdjj.exec:\vvdjj.exe65⤵
- Executes dropped EXE
PID:544 -
\??\c:\fflfrlx.exec:\fflfrlx.exe66⤵
- Executes dropped EXE
PID:2312 -
\??\c:\7bhhbb.exec:\7bhhbb.exe67⤵PID:1592
-
\??\c:\tthbhh.exec:\tthbhh.exe68⤵PID:1732
-
\??\c:\1jdpp.exec:\1jdpp.exe69⤵PID:1308
-
\??\c:\lxllrxl.exec:\lxllrxl.exe70⤵PID:2156
-
\??\c:\frxxxff.exec:\frxxxff.exe71⤵PID:764
-
\??\c:\nhtbbh.exec:\nhtbbh.exe72⤵PID:1208
-
\??\c:\7dppv.exec:\7dppv.exe73⤵PID:1632
-
\??\c:\5jddp.exec:\5jddp.exe74⤵PID:2384
-
\??\c:\lrxflxx.exec:\lrxflxx.exe75⤵PID:2952
-
\??\c:\hhtnth.exec:\hhtnth.exe76⤵PID:2216
-
\??\c:\ntbbnn.exec:\ntbbnn.exe77⤵PID:2812
-
\??\c:\djvdv.exec:\djvdv.exe78⤵PID:2248
-
\??\c:\9lxxlll.exec:\9lxxlll.exe79⤵PID:2204
-
\??\c:\fffffff.exec:\fffffff.exe80⤵PID:2632
-
\??\c:\bhbtbb.exec:\bhbtbb.exe81⤵PID:2868
-
\??\c:\djpjj.exec:\djpjj.exe82⤵PID:2804
-
\??\c:\vdpdj.exec:\vdpdj.exe83⤵PID:2852
-
\??\c:\rrrlxff.exec:\rrrlxff.exe84⤵PID:1444
-
\??\c:\lxlfllx.exec:\lxlfllx.exe85⤵PID:1868
-
\??\c:\nnbbhn.exec:\nnbbhn.exe86⤵PID:2704
-
\??\c:\jppdv.exec:\jppdv.exe87⤵PID:2672
-
\??\c:\9xrxfxf.exec:\9xrxfxf.exe88⤵PID:2320
-
\??\c:\rlxrxrr.exec:\rlxrxrr.exe89⤵PID:3008
-
\??\c:\nhbbnn.exec:\nhbbnn.exe90⤵PID:2960
-
\??\c:\ddvdd.exec:\ddvdd.exe91⤵PID:2612
-
\??\c:\jdvpd.exec:\jdvpd.exe92⤵PID:3004
-
\??\c:\xlxfllx.exec:\xlxfllx.exe93⤵PID:2928
-
\??\c:\bhbbnh.exec:\bhbbnh.exe94⤵PID:2588
-
\??\c:\pjjpv.exec:\pjjpv.exe95⤵PID:3032
-
\??\c:\vvdvv.exec:\vvdvv.exe96⤵PID:3020
-
\??\c:\xxfrrrl.exec:\xxfrrrl.exe97⤵PID:3044
-
\??\c:\nhbbhb.exec:\nhbbhb.exe98⤵PID:3048
-
\??\c:\nntbtb.exec:\nntbtb.exe99⤵PID:2480
-
\??\c:\dvvpp.exec:\dvvpp.exe100⤵PID:2484
-
\??\c:\9lrllfl.exec:\9lrllfl.exe101⤵PID:2160
-
\??\c:\xfllrrx.exec:\xfllrrx.exe102⤵PID:932
-
\??\c:\hhbthh.exec:\hhbthh.exe103⤵PID:2436
-
\??\c:\hbbbbt.exec:\hbbbbt.exe104⤵PID:1116
-
\??\c:\jvpjd.exec:\jvpjd.exe105⤵PID:984
-
\??\c:\rfllrrx.exec:\rfllrrx.exe106⤵PID:3028
-
\??\c:\xxxrllf.exec:\xxxrllf.exe107⤵PID:1716
-
\??\c:\ttbtbb.exec:\ttbtbb.exe108⤵PID:1500
-
\??\c:\pjpjv.exec:\pjpjv.exe109⤵PID:2312
-
\??\c:\dvvpp.exec:\dvvpp.exe110⤵PID:2100
-
\??\c:\3xfxxfx.exec:\3xfxxfx.exe111⤵PID:2440
-
\??\c:\llxrrrx.exec:\llxrrrx.exe112⤵PID:760
-
\??\c:\nhhbbb.exec:\nhhbbb.exe113⤵PID:2172
-
\??\c:\5dpvv.exec:\5dpvv.exe114⤵PID:2364
-
\??\c:\jvjjj.exec:\jvjjj.exe115⤵PID:1804
-
\??\c:\llrlrrl.exec:\llrlrrl.exe116⤵PID:1620
-
\??\c:\tnbbhh.exec:\tnbbhh.exe117⤵PID:2404
-
\??\c:\3ntttt.exec:\3ntttt.exe118⤵PID:2460
-
\??\c:\jjppv.exec:\jjppv.exe119⤵PID:2756
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe120⤵PID:2244
-
\??\c:\5llllrl.exec:\5llllrl.exe121⤵PID:2888
-
\??\c:\3tbbtt.exec:\3tbbtt.exe122⤵PID:2760