Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
26-12-2024 18:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe
-
Size
453KB
-
MD5
6ddd739ca86c64b9c9c20cd40c8652af
-
SHA1
5ee093278c2abffcd09e75eca3d39312437f1223
-
SHA256
4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3
-
SHA512
35110423cd7d00bb281a3ab17ac1863e5988c99995bc99cb1cfa251566db1312b7384cb0eb2dd64248106de357898604faecef9ad5f62856a3dac827430f46c9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2640-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-79-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3028-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-238-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1872-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1364-250-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1580-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/440-388-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/872-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/440-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-444-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/964-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-685-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2112-705-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2056-1105-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2700-1143-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2736-1166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/3012-1192-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2380-1267-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/112-1304-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/876-1323-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1780 fxlrxxf.exe 2880 3xrfrlf.exe 2680 xrxxlfr.exe 2736 pjpdj.exe 2684 fxlfxlr.exe 2544 3ddvd.exe 324 pjdpd.exe 3028 thnthh.exe 2920 pjvvj.exe 1096 tnhnhh.exe 300 jddjv.exe 2952 5nbnnt.exe 2120 9vjjv.exe 2904 ttnntt.exe 2116 ddjpv.exe 2616 7httbb.exe 1768 vvjjv.exe 1772 hnhnhh.exe 2980 djdpj.exe 2240 nhbhtb.exe 1800 1dpvd.exe 2516 3hbntb.exe 1200 3tnbnt.exe 1468 fxrxlrf.exe 1872 nnhtht.exe 1364 lfrxflr.exe 1580 jjdjv.exe 2024 1frlxfx.exe 1404 nhbhtb.exe 1808 rfxxlxx.exe 884 3thtbn.exe 2988 pddpd.exe 2800 lfxfrrx.exe 2688 hbntnh.exe 2652 vpjjv.exe 2784 9xxfxxl.exe 2772 rrflxxl.exe 2680 ttnbtt.exe 2716 pjjdj.exe 2556 llfxxrf.exe 2548 5httbb.exe 3024 9btbbb.exe 1396 pjjjv.exe 1764 rrffrxf.exe 440 3htttn.exe 872 ddpvj.exe 2960 jjdpv.exe 1176 xrllffr.exe 1824 tnhnbh.exe 2916 3vppd.exe 1704 pjddp.exe 2636 rlffrxl.exe 2116 nnntbn.exe 2364 vvpdp.exe 2176 3vdvv.exe 2192 fxlfrxx.exe 2076 nbtbnn.exe 568 pjvdp.exe 964 3xrlrxf.exe 1576 fxfflrx.exe 904 9bthbb.exe 616 ppjdj.exe 968 rlfxllr.exe 1476 hbtttb.exe -
resource yara_rule behavioral1/memory/2640-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-231-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1872-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/440-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1176-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/964-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-704-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1168-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-910-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-1143-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1664-1217-0x0000000000320000-0x000000000034A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host (here, by reading the NLS\Language key under HKLM\SYSTEM\ControlSet001\Control).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 1780 2640 4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe 30 PID 2640 wrote to memory of 1780 2640 4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe 30 PID 2640 wrote to memory of 1780 2640 4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe 30 PID 2640 wrote to memory of 1780 2640 4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe 30 PID 1780 wrote to memory of 2880 1780 fxlrxxf.exe 31 PID 1780 wrote to memory of 2880 1780 fxlrxxf.exe 31 PID 1780 wrote to memory of 2880 1780 fxlrxxf.exe 31 PID 1780 wrote to memory of 2880 1780 fxlrxxf.exe 31 PID 2880 wrote to memory of 2680 2880 3xrfrlf.exe 32 PID 2880 wrote to memory of 2680 2880 3xrfrlf.exe 32 PID 2880 wrote to memory of 2680 2880 3xrfrlf.exe 32 PID 2880 wrote to memory of 2680 2880 3xrfrlf.exe 32 PID 2680 wrote to memory of 2736 2680 xrxxlfr.exe 33 PID 2680 wrote to memory of 2736 2680 xrxxlfr.exe 33 PID 2680 wrote to memory of 2736 2680 xrxxlfr.exe 33 PID 2680 wrote to memory of 2736 2680 xrxxlfr.exe 33 PID 2736 wrote to memory of 2684 2736 pjpdj.exe 34 PID 2736 wrote to memory of 2684 2736 pjpdj.exe 34 PID 2736 wrote to memory of 2684 2736 pjpdj.exe 34 PID 2736 wrote to memory of 2684 2736 pjpdj.exe 34 PID 2684 wrote to memory of 2544 2684 fxlfxlr.exe 35 PID 2684 wrote to memory of 2544 2684 fxlfxlr.exe 35 PID 2684 wrote to memory of 2544 2684 fxlfxlr.exe 35 PID 2684 wrote to memory of 2544 2684 fxlfxlr.exe 35 PID 2544 wrote to memory of 324 2544 3ddvd.exe 36 PID 2544 wrote to memory of 324 2544 3ddvd.exe 36 PID 2544 wrote to memory of 324 2544 3ddvd.exe 36 PID 2544 wrote to memory of 324 2544 3ddvd.exe 36 PID 324 wrote to memory of 3028 324 pjdpd.exe 37 PID 324 wrote to memory of 3028 324 pjdpd.exe 37 PID 324 wrote to memory of 3028 324 pjdpd.exe 37 PID 324 wrote to memory of 3028 324 pjdpd.exe 37 PID 3028 wrote to memory of 2920 3028 thnthh.exe 38 PID 3028 wrote to 
memory of 2920 3028 thnthh.exe 38 PID 3028 wrote to memory of 2920 3028 thnthh.exe 38 PID 3028 wrote to memory of 2920 3028 thnthh.exe 38 PID 2920 wrote to memory of 1096 2920 pjvvj.exe 39 PID 2920 wrote to memory of 1096 2920 pjvvj.exe 39 PID 2920 wrote to memory of 1096 2920 pjvvj.exe 39 PID 2920 wrote to memory of 1096 2920 pjvvj.exe 39 PID 1096 wrote to memory of 300 1096 tnhnhh.exe 40 PID 1096 wrote to memory of 300 1096 tnhnhh.exe 40 PID 1096 wrote to memory of 300 1096 tnhnhh.exe 40 PID 1096 wrote to memory of 300 1096 tnhnhh.exe 40 PID 300 wrote to memory of 2952 300 jddjv.exe 41 PID 300 wrote to memory of 2952 300 jddjv.exe 41 PID 300 wrote to memory of 2952 300 jddjv.exe 41 PID 300 wrote to memory of 2952 300 jddjv.exe 41 PID 2952 wrote to memory of 2120 2952 5nbnnt.exe 42 PID 2952 wrote to memory of 2120 2952 5nbnnt.exe 42 PID 2952 wrote to memory of 2120 2952 5nbnnt.exe 42 PID 2952 wrote to memory of 2120 2952 5nbnnt.exe 42 PID 2120 wrote to memory of 2904 2120 9vjjv.exe 43 PID 2120 wrote to memory of 2904 2120 9vjjv.exe 43 PID 2120 wrote to memory of 2904 2120 9vjjv.exe 43 PID 2120 wrote to memory of 2904 2120 9vjjv.exe 43 PID 2904 wrote to memory of 2116 2904 ttnntt.exe 44 PID 2904 wrote to memory of 2116 2904 ttnntt.exe 44 PID 2904 wrote to memory of 2116 2904 ttnntt.exe 44 PID 2904 wrote to memory of 2116 2904 ttnntt.exe 44 PID 2116 wrote to memory of 2616 2116 ddjpv.exe 45 PID 2116 wrote to memory of 2616 2116 ddjpv.exe 45 PID 2116 wrote to memory of 2616 2116 ddjpv.exe 45 PID 2116 wrote to memory of 2616 2116 ddjpv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe"C:\Users\Admin\AppData\Local\Temp\4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\3xrfrlf.exec:\3xrfrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\xrxxlfr.exec:\xrxxlfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\pjpdj.exec:\pjpdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\fxlfxlr.exec:\fxlfxlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\3ddvd.exec:\3ddvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\pjdpd.exec:\pjdpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\thnthh.exec:\thnthh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\pjvvj.exec:\pjvvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\tnhnhh.exec:\tnhnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\jddjv.exec:\jddjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:300 -
\??\c:\5nbnnt.exec:\5nbnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\9vjjv.exec:\9vjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\ttnntt.exec:\ttnntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\ddjpv.exec:\ddjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\7httbb.exec:\7httbb.exe17⤵
- Executes dropped EXE
PID:2616 -
\??\c:\vvjjv.exec:\vvjjv.exe18⤵
- Executes dropped EXE
PID:1768 -
\??\c:\hnhnhh.exec:\hnhnhh.exe19⤵
- Executes dropped EXE
PID:1772 -
\??\c:\djdpj.exec:\djdpj.exe20⤵
- Executes dropped EXE
PID:2980 -
\??\c:\nhbhtb.exec:\nhbhtb.exe21⤵
- Executes dropped EXE
PID:2240 -
\??\c:\1dpvd.exec:\1dpvd.exe22⤵
- Executes dropped EXE
PID:1800 -
\??\c:\3hbntb.exec:\3hbntb.exe23⤵
- Executes dropped EXE
PID:2516 -
\??\c:\3tnbnt.exec:\3tnbnt.exe24⤵
- Executes dropped EXE
PID:1200 -
\??\c:\fxrxlrf.exec:\fxrxlrf.exe25⤵
- Executes dropped EXE
PID:1468 -
\??\c:\nnhtht.exec:\nnhtht.exe26⤵
- Executes dropped EXE
PID:1872 -
\??\c:\lfrxflr.exec:\lfrxflr.exe27⤵
- Executes dropped EXE
PID:1364 -
\??\c:\jjdjv.exec:\jjdjv.exe28⤵
- Executes dropped EXE
PID:1580 -
\??\c:\1frlxfx.exec:\1frlxfx.exe29⤵
- Executes dropped EXE
PID:2024 -
\??\c:\nhbhtb.exec:\nhbhtb.exe30⤵
- Executes dropped EXE
PID:1404 -
\??\c:\rfxxlxx.exec:\rfxxlxx.exe31⤵
- Executes dropped EXE
PID:1808 -
\??\c:\3thtbn.exec:\3thtbn.exe32⤵
- Executes dropped EXE
PID:884 -
\??\c:\pddpd.exec:\pddpd.exe33⤵
- Executes dropped EXE
PID:2988 -
\??\c:\lfxfrrx.exec:\lfxfrrx.exe34⤵
- Executes dropped EXE
PID:2800 -
\??\c:\hbntnh.exec:\hbntnh.exe35⤵
- Executes dropped EXE
PID:2688 -
\??\c:\vpjjv.exec:\vpjjv.exe36⤵
- Executes dropped EXE
PID:2652 -
\??\c:\9xxfxxl.exec:\9xxfxxl.exe37⤵
- Executes dropped EXE
PID:2784 -
\??\c:\rrflxxl.exec:\rrflxxl.exe38⤵
- Executes dropped EXE
PID:2772 -
\??\c:\ttnbtt.exec:\ttnbtt.exe39⤵
- Executes dropped EXE
PID:2680 -
\??\c:\pjjdj.exec:\pjjdj.exe40⤵
- Executes dropped EXE
PID:2716 -
\??\c:\llfxxrf.exec:\llfxxrf.exe41⤵
- Executes dropped EXE
PID:2556 -
\??\c:\5httbb.exec:\5httbb.exe42⤵
- Executes dropped EXE
PID:2548 -
\??\c:\9btbbb.exec:\9btbbb.exe43⤵
- Executes dropped EXE
PID:3024 -
\??\c:\pjjjv.exec:\pjjjv.exe44⤵
- Executes dropped EXE
PID:1396 -
\??\c:\rrffrxf.exec:\rrffrxf.exe45⤵
- Executes dropped EXE
PID:1764 -
\??\c:\3htttn.exec:\3htttn.exe46⤵
- Executes dropped EXE
PID:440 -
\??\c:\ddpvj.exec:\ddpvj.exe47⤵
- Executes dropped EXE
PID:872 -
\??\c:\jjdpv.exec:\jjdpv.exe48⤵
- Executes dropped EXE
PID:2960 -
\??\c:\xrllffr.exec:\xrllffr.exe49⤵
- Executes dropped EXE
PID:1176 -
\??\c:\tnhnbh.exec:\tnhnbh.exe50⤵
- Executes dropped EXE
PID:1824 -
\??\c:\3vppd.exec:\3vppd.exe51⤵
- Executes dropped EXE
PID:2916 -
\??\c:\pjddp.exec:\pjddp.exe52⤵
- Executes dropped EXE
PID:1704 -
\??\c:\rlffrxl.exec:\rlffrxl.exe53⤵
- Executes dropped EXE
PID:2636 -
\??\c:\nnntbn.exec:\nnntbn.exe54⤵
- Executes dropped EXE
PID:2116 -
\??\c:\vvpdp.exec:\vvpdp.exe55⤵
- Executes dropped EXE
PID:2364 -
\??\c:\3vdvv.exec:\3vdvv.exe56⤵
- Executes dropped EXE
PID:2176 -
\??\c:\fxlfrxx.exec:\fxlfrxx.exe57⤵
- Executes dropped EXE
PID:2192 -
\??\c:\nbtbnn.exec:\nbtbnn.exe58⤵
- Executes dropped EXE
PID:2076 -
\??\c:\pjvdp.exec:\pjvdp.exe59⤵
- Executes dropped EXE
PID:568 -
\??\c:\3xrlrxf.exec:\3xrlrxf.exe60⤵
- Executes dropped EXE
PID:964 -
\??\c:\fxfflrx.exec:\fxfflrx.exe61⤵
- Executes dropped EXE
PID:1576 -
\??\c:\9bthbb.exec:\9bthbb.exe62⤵
- Executes dropped EXE
PID:904 -
\??\c:\ppjdj.exec:\ppjdj.exe63⤵
- Executes dropped EXE
PID:616 -
\??\c:\rlfxllr.exec:\rlfxllr.exe64⤵
- Executes dropped EXE
PID:968 -
\??\c:\hbtttb.exec:\hbtttb.exe65⤵
- Executes dropped EXE
PID:1476 -
\??\c:\7htttt.exec:\7htttt.exe66⤵PID:1192
-
\??\c:\pjdpd.exec:\pjdpd.exe67⤵PID:1152
-
\??\c:\9rxxfxf.exec:\9rxxfxf.exe68⤵PID:2408
-
\??\c:\rfllxrx.exec:\rfllxrx.exe69⤵PID:2308
-
\??\c:\1ntbhn.exec:\1ntbhn.exe70⤵PID:2100
-
\??\c:\pjvvj.exec:\pjvvj.exe71⤵PID:2024
-
\??\c:\lxrrxxl.exec:\lxrrxxl.exe72⤵PID:2272
-
\??\c:\llfllrf.exec:\llfllrf.exe73⤵PID:1972
-
\??\c:\5tthhn.exec:\5tthhn.exe74⤵PID:2480
-
\??\c:\pdjvp.exec:\pdjvp.exe75⤵PID:884
-
\??\c:\jjdvv.exec:\jjdvv.exe76⤵PID:1496
-
\??\c:\5fxlrrr.exec:\5fxlrrr.exe77⤵PID:1644
-
\??\c:\hbnnbb.exec:\hbnnbb.exe78⤵PID:2816
-
\??\c:\tnhhnb.exec:\tnhhnb.exe79⤵PID:2672
-
\??\c:\3pddp.exec:\3pddp.exe80⤵PID:2708
-
\??\c:\7xrxllf.exec:\7xrxllf.exe81⤵PID:2552
-
\??\c:\5xrxfll.exec:\5xrxfll.exe82⤵PID:2720
-
\??\c:\bthhnh.exec:\bthhnh.exe83⤵PID:2576
-
\??\c:\dvjjd.exec:\dvjjd.exe84⤵PID:2620
-
\??\c:\7rrrxll.exec:\7rrrxll.exe85⤵PID:2068
-
\??\c:\9xlllrx.exec:\9xlllrx.exe86⤵PID:1552
-
\??\c:\tnbbtt.exec:\tnbbtt.exe87⤵PID:2848
-
\??\c:\vpdvv.exec:\vpdvv.exe88⤵PID:2028
-
\??\c:\dvddj.exec:\dvddj.exe89⤵PID:1240
-
\??\c:\1rllrrl.exec:\1rllrrl.exe90⤵PID:2840
-
\??\c:\lfxxxfl.exec:\lfxxxfl.exe91⤵PID:2972
-
\??\c:\hhbhnt.exec:\hhbhnt.exe92⤵PID:2964
-
\??\c:\ddpvj.exec:\ddpvj.exe93⤵PID:2128
-
\??\c:\xxrxflx.exec:\xxrxflx.exe94⤵PID:2852
-
\??\c:\9rfrffr.exec:\9rfrffr.exe95⤵PID:2112
-
\??\c:\nnbbhh.exec:\nnbbhh.exe96⤵PID:2912
-
\??\c:\jjdjv.exec:\jjdjv.exe97⤵PID:2828
-
\??\c:\pjjdj.exec:\pjjdj.exe98⤵PID:796
-
\??\c:\xxxxflr.exec:\xxxxflr.exe99⤵PID:2316
-
\??\c:\3bttbh.exec:\3bttbh.exe100⤵PID:1960
-
\??\c:\bthtbb.exec:\bthtbb.exe101⤵PID:3064
-
\??\c:\pdppv.exec:\pdppv.exe102⤵PID:2264
-
\??\c:\xlxxfxl.exec:\xlxxfxl.exe103⤵PID:2424
-
\??\c:\7xrrxxf.exec:\7xrrxxf.exe104⤵PID:988
-
\??\c:\htnnbb.exec:\htnnbb.exe105⤵PID:1720
-
\??\c:\pjvdd.exec:\pjvdd.exe106⤵PID:2000
-
\??\c:\ffxrlrl.exec:\ffxrlrl.exe107⤵PID:1168
-
\??\c:\1frrxxl.exec:\1frrxxl.exe108⤵PID:1248
-
\??\c:\tttbnn.exec:\tttbnn.exe109⤵PID:1456
-
\??\c:\hhbbtb.exec:\hhbbtb.exe110⤵PID:1956
-
\??\c:\3ddpv.exec:\3ddpv.exe111⤵PID:2208
-
\??\c:\lfrxrxf.exec:\lfrxrxf.exe112⤵PID:1364
-
\??\c:\nhbtnh.exec:\nhbtnh.exe113⤵PID:2300
-
\??\c:\nhbnbt.exec:\nhbnbt.exe114⤵PID:3040
-
\??\c:\dvddj.exec:\dvddj.exe115⤵PID:2044
-
\??\c:\lfrrfxl.exec:\lfrrfxl.exe116⤵PID:896
-
\??\c:\xrffrlr.exec:\xrffrlr.exe117⤵PID:1884
-
\??\c:\btnntn.exec:\btnntn.exe118⤵PID:3068
-
\??\c:\jdvjd.exec:\jdvjd.exe119⤵PID:1728
-
\??\c:\7dvvd.exec:\7dvvd.exe120⤵PID:2804
-
\??\c:\rrllrrf.exec:\rrllrrf.exe121⤵PID:2700
-
\??\c:\hbttbb.exec:\hbttbb.exe122⤵PID:2332
-