Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 16:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe
-
Size
454KB
-
MD5
abeadc4604d342f50fdeaeb93ac58779
-
SHA1
793a6a31f2445e043257d4dc0f6f31a23fe385ee
-
SHA256
94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9
-
SHA512
7524c080e3eacaeb85e46bceda3039973b61211905d48eb22b1008f319e4a225d751ea54e4d32c5fb9f5b364f4254fd4faef86c05953ee7ad67b3a6c5d5ea9b2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2276-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-89-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2572-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-131-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2500-129-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2212-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-171-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2872-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2856-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/752-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-274-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1756-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-305-0x00000000773E0000-0x00000000774FF000-memory.dmp family_blackmoon behavioral1/memory/1652-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-345-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2620-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-428-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-460-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2800-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-606-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2984-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2984-641-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1780-872-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2408-881-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2980-895-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1980-897-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/548-1048-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2404 9pjjp.exe 2224 5lflxxf.exe 1980 hbhnhh.exe 2012 nhbntb.exe 1724 jdvdp.exe 2392 xfxlrxl.exe 2596 9thbhh.exe 2676 vvvvd.exe 2564 3rlllrr.exe 2572 hbtbhh.exe 2480 lfxfrfr.exe 2504 nnbnbb.exe 2500 rflrfrx.exe 2212 fxlrflr.exe 1596 dpjjv.exe 2792 frxrrrr.exe 2364 dpjpp.exe 1764 pdddp.exe 1924 vpdvp.exe 1036 lxfxxxf.exe 2872 vjvdd.exe 2856 tnhnbt.exe 3056 dvjvp.exe 1460 fflxxfl.exe 1600 vpdvj.exe 772 bthnbt.exe 1196 dddpd.exe 752 xrxlxxf.exe 2088 9thhnn.exe 2844 1pdvj.exe 1756 rlflrxf.exe 2064 hbbbnt.exe 2204 rfrrfxf.exe 2256 dpdjv.exe 2028 xrlrffr.exe 1652 jdvvj.exe 1668 xxxfrxx.exe 2072 7rfllrf.exe 2076 hnhtbb.exe 2396 5pdvj.exe 2648 ppjjd.exe 2644 1fxxffl.exe 2104 5bnttb.exe 2560 bthbhh.exe 2716 3vddj.exe 2668 frfffxf.exe 2620 rlxfllr.exe 2688 tthbhh.exe 2468 3jvdj.exe 2452 lfrrffl.exe 1492 xfxrxlf.exe 3040 nbnbhh.exe 2784 vvpvd.exe 2220 9dppv.exe 1648 lllrrxl.exe 1968 hbhhbt.exe 480 7pdvj.exe 1680 dppdd.exe 2800 7xrrxfl.exe 1036 llxlffr.exe 2852 7bnnbb.exe 2896 dpjdd.exe 3016 dpddj.exe 2888 9fxfllr.exe -
resource yara_rule behavioral1/memory/2276-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-266-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2088-274-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1756-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-473-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2800-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/984-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-895-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1980-897-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-1157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2260-1279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-1328-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2276 wrote to memory of 2404 2276 94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe 28 PID 2276 wrote to memory of 2404 2276 94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe 28 PID 2276 wrote to memory of 2404 2276 94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe 28 PID 2276 wrote to memory of 2404 2276 94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe 28 PID 2404 wrote to memory of 2224 2404 9pjjp.exe 29 PID 2404 wrote to memory of 2224 2404 9pjjp.exe 29 PID 2404 wrote to memory of 2224 2404 9pjjp.exe 29 PID 2404 wrote to memory of 2224 2404 9pjjp.exe 29 PID 2224 wrote to memory of 1980 2224 5lflxxf.exe 30 PID 2224 wrote to memory of 1980 2224 5lflxxf.exe 30 PID 2224 wrote to memory of 1980 2224 5lflxxf.exe 30 PID 2224 wrote to memory of 1980 2224 5lflxxf.exe 30 PID 1980 wrote to memory of 2012 1980 hbhnhh.exe 31 PID 1980 wrote to memory of 2012 1980 hbhnhh.exe 31 PID 1980 wrote to memory of 2012 1980 hbhnhh.exe 31 PID 1980 wrote to memory of 2012 1980 hbhnhh.exe 31 PID 2012 wrote to memory of 1724 2012 nhbntb.exe 32 PID 2012 wrote to memory of 1724 2012 nhbntb.exe 32 PID 2012 wrote to memory of 1724 2012 nhbntb.exe 32 PID 2012 wrote to memory of 1724 2012 nhbntb.exe 32 PID 1724 wrote to memory of 2392 1724 jdvdp.exe 33 PID 1724 wrote to memory of 2392 1724 jdvdp.exe 33 PID 1724 wrote to memory of 2392 1724 jdvdp.exe 33 PID 1724 wrote to memory of 2392 1724 jdvdp.exe 33 PID 2392 wrote to memory of 2596 2392 xfxlrxl.exe 34 PID 2392 wrote to memory of 2596 2392 xfxlrxl.exe 34 PID 2392 wrote to memory of 2596 2392 xfxlrxl.exe 34 PID 2392 wrote to memory of 2596 2392 xfxlrxl.exe 34 PID 2596 wrote to memory of 2676 2596 9thbhh.exe 35 PID 2596 wrote to memory of 2676 2596 9thbhh.exe 35 PID 2596 wrote to memory of 2676 2596 9thbhh.exe 35 PID 2596 wrote to memory of 2676 2596 9thbhh.exe 35 PID 2676 wrote to memory of 2564 2676 vvvvd.exe 36 PID 2676 wrote 
to memory of 2564 2676 vvvvd.exe 36 PID 2676 wrote to memory of 2564 2676 vvvvd.exe 36 PID 2676 wrote to memory of 2564 2676 vvvvd.exe 36 PID 2564 wrote to memory of 2572 2564 3rlllrr.exe 37 PID 2564 wrote to memory of 2572 2564 3rlllrr.exe 37 PID 2564 wrote to memory of 2572 2564 3rlllrr.exe 37 PID 2564 wrote to memory of 2572 2564 3rlllrr.exe 37 PID 2572 wrote to memory of 2480 2572 hbtbhh.exe 38 PID 2572 wrote to memory of 2480 2572 hbtbhh.exe 38 PID 2572 wrote to memory of 2480 2572 hbtbhh.exe 38 PID 2572 wrote to memory of 2480 2572 hbtbhh.exe 38 PID 2480 wrote to memory of 2504 2480 lfxfrfr.exe 39 PID 2480 wrote to memory of 2504 2480 lfxfrfr.exe 39 PID 2480 wrote to memory of 2504 2480 lfxfrfr.exe 39 PID 2480 wrote to memory of 2504 2480 lfxfrfr.exe 39 PID 2504 wrote to memory of 2500 2504 nnbnbb.exe 40 PID 2504 wrote to memory of 2500 2504 nnbnbb.exe 40 PID 2504 wrote to memory of 2500 2504 nnbnbb.exe 40 PID 2504 wrote to memory of 2500 2504 nnbnbb.exe 40 PID 2500 wrote to memory of 2212 2500 rflrfrx.exe 41 PID 2500 wrote to memory of 2212 2500 rflrfrx.exe 41 PID 2500 wrote to memory of 2212 2500 rflrfrx.exe 41 PID 2500 wrote to memory of 2212 2500 rflrfrx.exe 41 PID 2212 wrote to memory of 1596 2212 fxlrflr.exe 42 PID 2212 wrote to memory of 1596 2212 fxlrflr.exe 42 PID 2212 wrote to memory of 1596 2212 fxlrflr.exe 42 PID 2212 wrote to memory of 1596 2212 fxlrflr.exe 42 PID 1596 wrote to memory of 2792 1596 dpjjv.exe 43 PID 1596 wrote to memory of 2792 1596 dpjjv.exe 43 PID 1596 wrote to memory of 2792 1596 dpjjv.exe 43 PID 1596 wrote to memory of 2792 1596 dpjjv.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe"C:\Users\Admin\AppData\Local\Temp\94e33468f4d090274c9aa9691e2091144e77090beaff1b8ff4de1df27feee5d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\9pjjp.exec:\9pjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\5lflxxf.exec:\5lflxxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\hbhnhh.exec:\hbhnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\nhbntb.exec:\nhbntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\jdvdp.exec:\jdvdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\xfxlrxl.exec:\xfxlrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\9thbhh.exec:\9thbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\vvvvd.exec:\vvvvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\3rlllrr.exec:\3rlllrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\hbtbhh.exec:\hbtbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\lfxfrfr.exec:\lfxfrfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\nnbnbb.exec:\nnbnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\rflrfrx.exec:\rflrfrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\fxlrflr.exec:\fxlrflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\dpjjv.exec:\dpjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\frxrrrr.exec:\frxrrrr.exe17⤵
- Executes dropped EXE
PID:2792 -
\??\c:\dpjpp.exec:\dpjpp.exe18⤵
- Executes dropped EXE
PID:2364 -
\??\c:\pdddp.exec:\pdddp.exe19⤵
- Executes dropped EXE
PID:1764 -
\??\c:\vpdvp.exec:\vpdvp.exe20⤵
- Executes dropped EXE
PID:1924 -
\??\c:\lxfxxxf.exec:\lxfxxxf.exe21⤵
- Executes dropped EXE
PID:1036 -
\??\c:\vjvdd.exec:\vjvdd.exe22⤵
- Executes dropped EXE
PID:2872 -
\??\c:\tnhnbt.exec:\tnhnbt.exe23⤵
- Executes dropped EXE
PID:2856 -
\??\c:\dvjvp.exec:\dvjvp.exe24⤵
- Executes dropped EXE
PID:3056 -
\??\c:\fflxxfl.exec:\fflxxfl.exe25⤵
- Executes dropped EXE
PID:1460 -
\??\c:\vpdvj.exec:\vpdvj.exe26⤵
- Executes dropped EXE
PID:1600 -
\??\c:\bthnbt.exec:\bthnbt.exe27⤵
- Executes dropped EXE
PID:772 -
\??\c:\dddpd.exec:\dddpd.exe28⤵
- Executes dropped EXE
PID:1196 -
\??\c:\xrxlxxf.exec:\xrxlxxf.exe29⤵
- Executes dropped EXE
PID:752 -
\??\c:\9thhnn.exec:\9thhnn.exe30⤵
- Executes dropped EXE
PID:2088 -
\??\c:\1pdvj.exec:\1pdvj.exe31⤵
- Executes dropped EXE
PID:2844 -
\??\c:\rlflrxf.exec:\rlflrxf.exe32⤵
- Executes dropped EXE
PID:1756 -
\??\c:\hbbbnt.exec:\hbbbnt.exe33⤵
- Executes dropped EXE
PID:2064 -
\??\c:\rfrrfxf.exec:\rfrrfxf.exe34⤵
- Executes dropped EXE
PID:2204 -
\??\c:\1hbbnt.exec:\1hbbnt.exe35⤵PID:1588
-
\??\c:\dpdjv.exec:\dpdjv.exe36⤵
- Executes dropped EXE
PID:2256 -
\??\c:\xrlrffr.exec:\xrlrffr.exe37⤵
- Executes dropped EXE
PID:2028 -
\??\c:\jdvvj.exec:\jdvvj.exe38⤵
- Executes dropped EXE
PID:1652 -
\??\c:\xxxfrxx.exec:\xxxfrxx.exe39⤵
- Executes dropped EXE
PID:1668 -
\??\c:\7rfllrf.exec:\7rfllrf.exe40⤵
- Executes dropped EXE
PID:2072 -
\??\c:\hnhtbb.exec:\hnhtbb.exe41⤵
- Executes dropped EXE
PID:2076 -
\??\c:\5pdvj.exec:\5pdvj.exe42⤵
- Executes dropped EXE
PID:2396 -
\??\c:\ppjjd.exec:\ppjjd.exe43⤵
- Executes dropped EXE
PID:2648 -
\??\c:\1fxxffl.exec:\1fxxffl.exe44⤵
- Executes dropped EXE
PID:2644 -
\??\c:\5bnttb.exec:\5bnttb.exe45⤵
- Executes dropped EXE
PID:2104 -
\??\c:\bthbhh.exec:\bthbhh.exe46⤵
- Executes dropped EXE
PID:2560 -
\??\c:\3vddj.exec:\3vddj.exe47⤵
- Executes dropped EXE
PID:2716 -
\??\c:\frfffxf.exec:\frfffxf.exe48⤵
- Executes dropped EXE
PID:2668 -
\??\c:\rlxfllr.exec:\rlxfllr.exe49⤵
- Executes dropped EXE
PID:2620 -
\??\c:\tthbhh.exec:\tthbhh.exe50⤵
- Executes dropped EXE
PID:2688 -
\??\c:\3jvdj.exec:\3jvdj.exe51⤵
- Executes dropped EXE
PID:2468 -
\??\c:\lfrrffl.exec:\lfrrffl.exe52⤵
- Executes dropped EXE
PID:2452 -
\??\c:\xfxrxlf.exec:\xfxrxlf.exe53⤵
- Executes dropped EXE
PID:1492 -
\??\c:\nbnbhh.exec:\nbnbhh.exe54⤵
- Executes dropped EXE
PID:3040 -
\??\c:\vvpvd.exec:\vvpvd.exe55⤵
- Executes dropped EXE
PID:2784 -
\??\c:\9dppv.exec:\9dppv.exe56⤵
- Executes dropped EXE
PID:2220 -
\??\c:\lllrrxl.exec:\lllrrxl.exe57⤵
- Executes dropped EXE
PID:1648 -
\??\c:\hbhhbt.exec:\hbhhbt.exe58⤵
- Executes dropped EXE
PID:1968 -
\??\c:\7pdvj.exec:\7pdvj.exe59⤵
- Executes dropped EXE
PID:480 -
\??\c:\dppdd.exec:\dppdd.exe60⤵
- Executes dropped EXE
PID:1680 -
\??\c:\7xrrxfl.exec:\7xrrxfl.exe61⤵
- Executes dropped EXE
PID:2800 -
\??\c:\llxlffr.exec:\llxlffr.exe62⤵
- Executes dropped EXE
PID:1036 -
\??\c:\7bnnbb.exec:\7bnnbb.exe63⤵
- Executes dropped EXE
PID:2852 -
\??\c:\dpjdd.exec:\dpjdd.exe64⤵
- Executes dropped EXE
PID:2896 -
\??\c:\dpddj.exec:\dpddj.exe65⤵
- Executes dropped EXE
PID:3016 -
\??\c:\9fxfllr.exec:\9fxfllr.exe66⤵
- Executes dropped EXE
PID:2888 -
\??\c:\hbbhnn.exec:\hbbhnn.exe67⤵PID:1960
-
\??\c:\bnhtbt.exec:\bnhtbt.exe68⤵PID:2836
-
\??\c:\dvpdp.exec:\dvpdp.exe69⤵PID:924
-
\??\c:\lxllxxf.exec:\lxllxxf.exe70⤵PID:772
-
\??\c:\frfrxfl.exec:\frfrxfl.exe71⤵PID:896
-
\??\c:\hhttbb.exec:\hhttbb.exe72⤵PID:1660
-
\??\c:\jvjpv.exec:\jvjpv.exe73⤵PID:2300
-
\??\c:\pjvdp.exec:\pjvdp.exe74⤵PID:2088
-
\??\c:\frllrfl.exec:\frllrfl.exe75⤵PID:2136
-
\??\c:\7nhhhh.exec:\7nhhhh.exe76⤵PID:888
-
\??\c:\vjjjp.exec:\vjjjp.exe77⤵PID:2060
-
\??\c:\5pvpd.exec:\5pvpd.exe78⤵PID:2176
-
\??\c:\9xlxffr.exec:\9xlxffr.exe79⤵PID:2204
-
\??\c:\bnhhhh.exec:\bnhhhh.exe80⤵PID:1664
-
\??\c:\7nbhtt.exec:\7nbhtt.exe81⤵PID:1540
-
\??\c:\7dppd.exec:\7dppd.exe82⤵PID:1788
-
\??\c:\rrlfrrf.exec:\rrlfrrf.exe83⤵PID:2984
-
\??\c:\hhbnbb.exec:\hhbnbb.exe84⤵PID:1668
-
\??\c:\pjdjp.exec:\pjdjp.exe85⤵PID:2372
-
\??\c:\vjddj.exec:\vjddj.exe86⤵PID:2076
-
\??\c:\fxrxlll.exec:\fxrxlll.exe87⤵PID:2396
-
\??\c:\9nhhtn.exec:\9nhhtn.exe88⤵PID:2112
-
\??\c:\bbhhnt.exec:\bbhhnt.exe89⤵PID:2644
-
\??\c:\pvjpd.exec:\pvjpd.exe90⤵PID:2416
-
\??\c:\3fxxxfl.exec:\3fxxxfl.exe91⤵PID:2560
-
\??\c:\rffxlll.exec:\rffxlll.exe92⤵PID:2572
-
\??\c:\bthhnt.exec:\bthhnt.exe93⤵PID:2708
-
\??\c:\9vddj.exec:\9vddj.exe94⤵PID:2512
-
\??\c:\vvjjv.exec:\vvjjv.exe95⤵PID:2816
-
\??\c:\rlxfrrf.exec:\rlxfrrf.exe96⤵PID:2476
-
\??\c:\htbhhh.exec:\htbhhh.exe97⤵PID:2472
-
\??\c:\nhbthb.exec:\nhbthb.exe98⤵PID:2000
-
\??\c:\pjdpv.exec:\pjdpv.exe99⤵PID:1200
-
\??\c:\rrrlxfr.exec:\rrrlxfr.exe100⤵PID:2260
-
\??\c:\5frfrxf.exec:\5frfrxf.exe101⤵PID:1716
-
\??\c:\hhhhnn.exec:\hhhhnn.exe102⤵PID:2732
-
\??\c:\hhthhh.exec:\hhthhh.exe103⤵PID:344
-
\??\c:\jdddp.exec:\jdddp.exe104⤵PID:776
-
\??\c:\fxrfllf.exec:\fxrfllf.exe105⤵PID:1988
-
\??\c:\rrlxlrx.exec:\rrlxlrx.exe106⤵PID:1924
-
\??\c:\5bnttb.exec:\5bnttb.exe107⤵PID:2812
-
\??\c:\pjvdp.exec:\pjvdp.exe108⤵PID:2848
-
\??\c:\9vjjv.exec:\9vjjv.exe109⤵PID:2908
-
\??\c:\xrfflrx.exec:\xrfflrx.exe110⤵PID:3064
-
\??\c:\9fxxflr.exec:\9fxxflr.exe111⤵PID:2880
-
\??\c:\btnnnn.exec:\btnnnn.exe112⤵PID:2888
-
\??\c:\jjdjv.exec:\jjdjv.exe113⤵PID:1960
-
\??\c:\dpdjj.exec:\dpdjj.exe114⤵PID:2836
-
\??\c:\fxllrrx.exec:\fxllrrx.exe115⤵PID:924
-
\??\c:\ttnntt.exec:\ttnntt.exe116⤵PID:1196
-
\??\c:\tnhhtn.exec:\tnhhtn.exe117⤵PID:896
-
\??\c:\5vjpp.exec:\5vjpp.exe118⤵PID:1660
-
\??\c:\llffflx.exec:\llffflx.exe119⤵PID:2300
-
\??\c:\7frrrrx.exec:\7frrrrx.exe120⤵PID:984
-
\??\c:\ttnthh.exec:\ttnthh.exe121⤵PID:1592
-
\??\c:\vpppd.exec:\vpppd.exe122⤵PID:624