Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 · arch:x86 · image:win7-20240903-en · locale:en-us · os:windows7-x64 · system -
submitted
28/12/2024, 23:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5b902e46cbc36ee7732f868ffab092554298d1f0455ba544144857e33e6b0fb6.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
5b902e46cbc36ee7732f868ffab092554298d1f0455ba544144857e33e6b0fb6.exe
-
Size
454KB
-
MD5
d6aa5031500dea3718fb575cf54fea22
-
SHA1
5a7051940a257c744cc15be8029a0e368c959a1f
-
SHA256
5b902e46cbc36ee7732f868ffab092554298d1f0455ba544144857e33e6b0fb6
-
SHA512
b399c0d09fcc7e58de8903ca749434fcba8fc8bdc9215d757511812aa8af984ea039b78006613210009195e9d1a145b56ae221f3ee9d1397ba5cb61caa0ab8d4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/1636-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-120-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2984-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-139-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/380-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-197-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1552-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-284-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/1768-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-343-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-359-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2932-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-386-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/3056-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-553-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2748-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-799-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2316-1038-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1224-1045-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1628-1048-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1620-1061-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/908-1157-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1688-1160-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-1214-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1988-1221-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (listing is capped at 64 entries; the process tree below shows the chain continuing past depth 120. PIDs are reused across the chain — e.g. 1276 and 3056 each appear for more than one dropped executable — so a PID alone does not identify a particular dropped file; match on the image name and the memory-region hash.)
pid Process 1720 lfxfllf.exe 2008 ddpvj.exe 2580 ppddp.exe 2940 5pddj.exe 2420 1jvdj.exe 1276 lffflrr.exe 3056 jddjp.exe 2640 bntnbh.exe 2792 jjdjv.exe 2172 ffxxlrf.exe 2796 dpdvd.exe 2544 fxllrxl.exe 2508 ddppd.exe 2984 3djvj.exe 852 tnhntt.exe 380 dpppv.exe 1472 nhbbnt.exe 1952 dvjpd.exe 1676 hhtbtb.exe 1208 7pjvp.exe 2824 3lffllr.exe 2564 ppddj.exe 2740 rrlxflx.exe 2844 hbnnbh.exe 2156 pjjvp.exe 1800 fxlrflr.exe 1716 lflrffr.exe 1552 1rllflx.exe 1212 ddjvp.exe 568 xrflxfl.exe 2920 jddjp.exe 1768 pppdp.exe 2168 bbttht.exe 2068 dpvvd.exe 1860 lxxxlfl.exe 1780 9nthnt.exe 1652 hbtnhh.exe 2312 dvpdv.exe 2472 lrfxxrl.exe 2964 5btnnb.exe 2932 ppjjv.exe 2248 djdpj.exe 2200 lfxxlrf.exe 1276 9hbhnn.exe 3056 1bhnhn.exe 2692 vvpvd.exe 2908 xlxxxxl.exe 2900 3lflrxf.exe 2524 7hhtbh.exe 2660 vpdjp.exe 2500 fxxrxxf.exe 2528 ffxfxfx.exe 764 bhbtht.exe 3004 9jddp.exe 676 pddpp.exe 1056 lrxxxxl.exe 2320 bbthtt.exe 2396 9htntb.exe 1524 7jjpp.exe 1944 rlrxrlr.exe 1948 lfrxffx.exe 2556 tnhbnt.exe 1208 vpjvp.exe 2764 jvjdd.exe -
resource yara_rule behavioral1/memory/1636-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-373-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3056-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-553-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1552-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-941-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-1048-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1620-1061-0x0000000000340000-0x000000000036A000-memory.dmp upx behavioral1/memory/640-1138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2480-1189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-1214-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2964-1234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-1247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-1296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-1358-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here, the NLS\Language registry key) in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent-to-child write is recorded four times and the listing is capped at 64 entries, so only the first 16 links of the chain — PID 1636 through PID 380 — are shown here; the full chain is visible in the process tree below.)
description pid Process procid_target PID 1636 wrote to memory of 1720 1636 5b902e46cbc36ee7732f868ffab092554298d1f0455ba544144857e33e6b0fb6.exe 28 PID 1636 wrote to memory of 1720 1636 5b902e46cbc36ee7732f868ffab092554298d1f0455ba544144857e33e6b0fb6.exe 28 PID 1636 wrote to memory of 1720 1636 5b902e46cbc36ee7732f868ffab092554298d1f0455ba544144857e33e6b0fb6.exe 28 PID 1636 wrote to memory of 1720 1636 5b902e46cbc36ee7732f868ffab092554298d1f0455ba544144857e33e6b0fb6.exe 28 PID 1720 wrote to memory of 2008 1720 lfxfllf.exe 29 PID 1720 wrote to memory of 2008 1720 lfxfllf.exe 29 PID 1720 wrote to memory of 2008 1720 lfxfllf.exe 29 PID 1720 wrote to memory of 2008 1720 lfxfllf.exe 29 PID 2008 wrote to memory of 2580 2008 ddpvj.exe 30 PID 2008 wrote to memory of 2580 2008 ddpvj.exe 30 PID 2008 wrote to memory of 2580 2008 ddpvj.exe 30 PID 2008 wrote to memory of 2580 2008 ddpvj.exe 30 PID 2580 wrote to memory of 2940 2580 ppddp.exe 31 PID 2580 wrote to memory of 2940 2580 ppddp.exe 31 PID 2580 wrote to memory of 2940 2580 ppddp.exe 31 PID 2580 wrote to memory of 2940 2580 ppddp.exe 31 PID 2940 wrote to memory of 2420 2940 5pddj.exe 32 PID 2940 wrote to memory of 2420 2940 5pddj.exe 32 PID 2940 wrote to memory of 2420 2940 5pddj.exe 32 PID 2940 wrote to memory of 2420 2940 5pddj.exe 32 PID 2420 wrote to memory of 1276 2420 1jvdj.exe 33 PID 2420 wrote to memory of 1276 2420 1jvdj.exe 33 PID 2420 wrote to memory of 1276 2420 1jvdj.exe 33 PID 2420 wrote to memory of 1276 2420 1jvdj.exe 33 PID 1276 wrote to memory of 3056 1276 lffflrr.exe 34 PID 1276 wrote to memory of 3056 1276 lffflrr.exe 34 PID 1276 wrote to memory of 3056 1276 lffflrr.exe 34 PID 1276 wrote to memory of 3056 1276 lffflrr.exe 34 PID 3056 wrote to memory of 2640 3056 jddjp.exe 35 PID 3056 wrote to memory of 2640 3056 jddjp.exe 35 PID 3056 wrote to memory of 2640 3056 jddjp.exe 35 PID 3056 wrote to memory of 2640 3056 jddjp.exe 35 PID 2640 wrote to memory of 2792 2640 bntnbh.exe 36 PID 2640 wrote to memory 
of 2792 2640 bntnbh.exe 36 PID 2640 wrote to memory of 2792 2640 bntnbh.exe 36 PID 2640 wrote to memory of 2792 2640 bntnbh.exe 36 PID 2792 wrote to memory of 2172 2792 jjdjv.exe 37 PID 2792 wrote to memory of 2172 2792 jjdjv.exe 37 PID 2792 wrote to memory of 2172 2792 jjdjv.exe 37 PID 2792 wrote to memory of 2172 2792 jjdjv.exe 37 PID 2172 wrote to memory of 2796 2172 ffxxlrf.exe 38 PID 2172 wrote to memory of 2796 2172 ffxxlrf.exe 38 PID 2172 wrote to memory of 2796 2172 ffxxlrf.exe 38 PID 2172 wrote to memory of 2796 2172 ffxxlrf.exe 38 PID 2796 wrote to memory of 2544 2796 dpdvd.exe 39 PID 2796 wrote to memory of 2544 2796 dpdvd.exe 39 PID 2796 wrote to memory of 2544 2796 dpdvd.exe 39 PID 2796 wrote to memory of 2544 2796 dpdvd.exe 39 PID 2544 wrote to memory of 2508 2544 fxllrxl.exe 40 PID 2544 wrote to memory of 2508 2544 fxllrxl.exe 40 PID 2544 wrote to memory of 2508 2544 fxllrxl.exe 40 PID 2544 wrote to memory of 2508 2544 fxllrxl.exe 40 PID 2508 wrote to memory of 2984 2508 ddppd.exe 41 PID 2508 wrote to memory of 2984 2508 ddppd.exe 41 PID 2508 wrote to memory of 2984 2508 ddppd.exe 41 PID 2508 wrote to memory of 2984 2508 ddppd.exe 41 PID 2984 wrote to memory of 852 2984 3djvj.exe 42 PID 2984 wrote to memory of 852 2984 3djvj.exe 42 PID 2984 wrote to memory of 852 2984 3djvj.exe 42 PID 2984 wrote to memory of 852 2984 3djvj.exe 42 PID 852 wrote to memory of 380 852 tnhntt.exe 43 PID 852 wrote to memory of 380 852 tnhntt.exe 43 PID 852 wrote to memory of 380 852 tnhntt.exe 43 PID 852 wrote to memory of 380 852 tnhntt.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b902e46cbc36ee7732f868ffab092554298d1f0455ba544144857e33e6b0fb6.exe"C:\Users\Admin\AppData\Local\Temp\5b902e46cbc36ee7732f868ffab092554298d1f0455ba544144857e33e6b0fb6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\lfxfllf.exec:\lfxfllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\ddpvj.exec:\ddpvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\ppddp.exec:\ppddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\5pddj.exec:\5pddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\1jvdj.exec:\1jvdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\lffflrr.exec:\lffflrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\jddjp.exec:\jddjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\bntnbh.exec:\bntnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\jjdjv.exec:\jjdjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\ffxxlrf.exec:\ffxxlrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\dpdvd.exec:\dpdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\fxllrxl.exec:\fxllrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\ddppd.exec:\ddppd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\3djvj.exec:\3djvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\tnhntt.exec:\tnhntt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\dpppv.exec:\dpppv.exe17⤵
- Executes dropped EXE
PID:380 -
\??\c:\nhbbnt.exec:\nhbbnt.exe18⤵
- Executes dropped EXE
PID:1472 -
\??\c:\dvjpd.exec:\dvjpd.exe19⤵
- Executes dropped EXE
PID:1952 -
\??\c:\hhtbtb.exec:\hhtbtb.exe20⤵
- Executes dropped EXE
PID:1676 -
\??\c:\7pjvp.exec:\7pjvp.exe21⤵
- Executes dropped EXE
PID:1208 -
\??\c:\3lffllr.exec:\3lffllr.exe22⤵
- Executes dropped EXE
PID:2824 -
\??\c:\ppddj.exec:\ppddj.exe23⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rrlxflx.exec:\rrlxflx.exe24⤵
- Executes dropped EXE
PID:2740 -
\??\c:\hbnnbh.exec:\hbnnbh.exe25⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pjjvp.exec:\pjjvp.exe26⤵
- Executes dropped EXE
PID:2156 -
\??\c:\fxlrflr.exec:\fxlrflr.exe27⤵
- Executes dropped EXE
PID:1800 -
\??\c:\lflrffr.exec:\lflrffr.exe28⤵
- Executes dropped EXE
PID:1716 -
\??\c:\1rllflx.exec:\1rllflx.exe29⤵
- Executes dropped EXE
PID:1552 -
\??\c:\ddjvp.exec:\ddjvp.exe30⤵
- Executes dropped EXE
PID:1212 -
\??\c:\xrflxfl.exec:\xrflxfl.exe31⤵
- Executes dropped EXE
PID:568 -
\??\c:\jddjp.exec:\jddjp.exe32⤵
- Executes dropped EXE
PID:2920 -
\??\c:\pppdp.exec:\pppdp.exe33⤵
- Executes dropped EXE
PID:1768 -
\??\c:\bbttht.exec:\bbttht.exe34⤵
- Executes dropped EXE
PID:2168 -
\??\c:\dpvvd.exec:\dpvvd.exe35⤵
- Executes dropped EXE
PID:2068 -
\??\c:\lxxxlfl.exec:\lxxxlfl.exe36⤵
- Executes dropped EXE
PID:1860 -
\??\c:\9nthnt.exec:\9nthnt.exe37⤵
- Executes dropped EXE
PID:1780 -
\??\c:\hbtnhh.exec:\hbtnhh.exe38⤵
- Executes dropped EXE
PID:1652 -
\??\c:\dvpdv.exec:\dvpdv.exe39⤵
- Executes dropped EXE
PID:2312 -
\??\c:\lrfxxrl.exec:\lrfxxrl.exe40⤵
- Executes dropped EXE
PID:2472 -
\??\c:\5btnnb.exec:\5btnnb.exe41⤵
- Executes dropped EXE
PID:2964 -
\??\c:\ppjjv.exec:\ppjjv.exe42⤵
- Executes dropped EXE
PID:2932 -
\??\c:\djdpj.exec:\djdpj.exe43⤵
- Executes dropped EXE
PID:2248 -
\??\c:\lfxxlrf.exec:\lfxxlrf.exe44⤵
- Executes dropped EXE
PID:2200 -
\??\c:\9hbhnn.exec:\9hbhnn.exe45⤵
- Executes dropped EXE
PID:1276 -
\??\c:\1bhnhn.exec:\1bhnhn.exe46⤵
- Executes dropped EXE
PID:3056 -
\??\c:\vvpvd.exec:\vvpvd.exe47⤵
- Executes dropped EXE
PID:2692 -
\??\c:\xlxxxxl.exec:\xlxxxxl.exe48⤵
- Executes dropped EXE
PID:2908 -
\??\c:\3lflrxf.exec:\3lflrxf.exe49⤵
- Executes dropped EXE
PID:2900 -
\??\c:\7hhtbh.exec:\7hhtbh.exe50⤵
- Executes dropped EXE
PID:2524 -
\??\c:\vpdjp.exec:\vpdjp.exe51⤵
- Executes dropped EXE
PID:2660 -
\??\c:\fxxrxxf.exec:\fxxrxxf.exe52⤵
- Executes dropped EXE
PID:2500 -
\??\c:\ffxfxfx.exec:\ffxfxfx.exe53⤵
- Executes dropped EXE
PID:2528 -
\??\c:\bhbtht.exec:\bhbtht.exe54⤵
- Executes dropped EXE
PID:764 -
\??\c:\9jddp.exec:\9jddp.exe55⤵
- Executes dropped EXE
PID:3004 -
\??\c:\pddpp.exec:\pddpp.exe56⤵
- Executes dropped EXE
PID:676 -
\??\c:\lrxxxxl.exec:\lrxxxxl.exe57⤵
- Executes dropped EXE
PID:1056 -
\??\c:\bbthtt.exec:\bbthtt.exe58⤵
- Executes dropped EXE
PID:2320 -
\??\c:\9htntb.exec:\9htntb.exe59⤵
- Executes dropped EXE
PID:2396 -
\??\c:\7jjpp.exec:\7jjpp.exe60⤵
- Executes dropped EXE
PID:1524 -
\??\c:\rlrxrlr.exec:\rlrxrlr.exe61⤵
- Executes dropped EXE
PID:1944 -
\??\c:\lfrxffx.exec:\lfrxffx.exe62⤵
- Executes dropped EXE
PID:1948 -
\??\c:\tnhbnt.exec:\tnhbnt.exe63⤵
- Executes dropped EXE
PID:2556 -
\??\c:\vpjvp.exec:\vpjvp.exe64⤵
- Executes dropped EXE
PID:1208 -
\??\c:\jvjdd.exec:\jvjdd.exe65⤵
- Executes dropped EXE
PID:2764 -
\??\c:\llllrfl.exec:\llllrfl.exe66⤵PID:2876
-
\??\c:\hhbntb.exec:\hhbntb.exe67⤵PID:816
-
\??\c:\vjddp.exec:\vjddp.exe68⤵PID:1008
-
\??\c:\llxxfxx.exec:\llxxfxx.exe69⤵PID:2840
-
\??\c:\1lxflxf.exec:\1lxflxf.exe70⤵PID:2144
-
\??\c:\nbntbb.exec:\nbntbb.exe71⤵PID:1884
-
\??\c:\jdjjj.exec:\jdjjj.exe72⤵PID:864
-
\??\c:\5rlxfll.exec:\5rlxfll.exe73⤵PID:3060
-
\??\c:\5rllxrl.exec:\5rllxrl.exe74⤵PID:1552
-
\??\c:\nbnbht.exec:\nbnbht.exe75⤵PID:2748
-
\??\c:\dvpvj.exec:\dvpvj.exe76⤵PID:2372
-
\??\c:\3vjvj.exec:\3vjvj.exe77⤵PID:2224
-
\??\c:\9rfxffr.exec:\9rfxffr.exe78⤵PID:2216
-
\??\c:\hbbhnn.exec:\hbbhnn.exe79⤵PID:1172
-
\??\c:\hbbhnt.exec:\hbbhnt.exe80⤵PID:1888
-
\??\c:\1dvvv.exec:\1dvvv.exe81⤵PID:1804
-
\??\c:\3fxfrrf.exec:\3fxfrrf.exe82⤵PID:1604
-
\??\c:\9llrffr.exec:\9llrffr.exe83⤵PID:2292
-
\??\c:\nbhbnn.exec:\nbhbnn.exe84⤵PID:1988
-
\??\c:\dvjjj.exec:\dvjjj.exe85⤵PID:1268
-
\??\c:\rrflrrl.exec:\rrflrrl.exe86⤵PID:2312
-
\??\c:\3fxffxl.exec:\3fxffxl.exe87⤵PID:3016
-
\??\c:\hbhbnh.exec:\hbhbnh.exe88⤵PID:3024
-
\??\c:\vpdpp.exec:\vpdpp.exe89⤵PID:1732
-
\??\c:\vvjvj.exec:\vvjvj.exe90⤵PID:2932
-
\??\c:\lfrxxlf.exec:\lfrxxlf.exe91⤵PID:2996
-
\??\c:\nnbbbb.exec:\nnbbbb.exe92⤵PID:2604
-
\??\c:\vddpd.exec:\vddpd.exe93⤵PID:1276
-
\??\c:\vpjpj.exec:\vpjpj.exe94⤵PID:3056
-
\??\c:\lfxrlrx.exec:\lfxrlrx.exe95⤵PID:2620
-
\??\c:\3ntthh.exec:\3ntthh.exe96⤵PID:2792
-
\??\c:\hbbhnt.exec:\hbbhnt.exe97⤵PID:2732
-
\??\c:\3jjvv.exec:\3jjvv.exe98⤵PID:3008
-
\??\c:\9dvdv.exec:\9dvdv.exe99⤵PID:860
-
\??\c:\frlxlfr.exec:\frlxlfr.exe100⤵PID:2492
-
\??\c:\hbbntb.exec:\hbbntb.exe101⤵PID:1648
-
\??\c:\jppvj.exec:\jppvj.exe102⤵PID:764
-
\??\c:\djjpp.exec:\djjpp.exe103⤵PID:3004
-
\??\c:\lxrxrfr.exec:\lxrxrfr.exe104⤵PID:1772
-
\??\c:\bbtbtn.exec:\bbtbtn.exe105⤵PID:1368
-
\??\c:\9hbnhh.exec:\9hbnhh.exe106⤵PID:848
-
\??\c:\jjdpv.exec:\jjdpv.exe107⤵PID:1252
-
\??\c:\xlllrxl.exec:\xlllrxl.exe108⤵PID:1952
-
\??\c:\lxlrflx.exec:\lxlrflx.exe109⤵PID:1676
-
\??\c:\tnntbh.exec:\tnntbh.exe110⤵PID:2012
-
\??\c:\hthhbh.exec:\hthhbh.exe111⤵PID:2772
-
\??\c:\5jdjv.exec:\5jdjv.exe112⤵PID:2736
-
\??\c:\xffxrrf.exec:\xffxrrf.exe113⤵PID:2872
-
\??\c:\1hnntb.exec:\1hnntb.exe114⤵PID:2596
-
\??\c:\hbnbhb.exec:\hbnbhb.exe115⤵PID:1756
-
\??\c:\pjdpv.exec:\pjdpv.exe116⤵PID:1160
-
\??\c:\5lffrrr.exec:\5lffrrr.exe117⤵PID:1936
-
\??\c:\bbtbhn.exec:\bbtbhn.exe118⤵PID:1700
-
\??\c:\hbhhtt.exec:\hbhhtt.exe119⤵PID:1800
-
\??\c:\dvpvj.exec:\dvpvj.exe120⤵PID:1716
-
\??\c:\frllfxr.exec:\frllfxr.exe121⤵PID:1844
-
\??\c:\rrffxxl.exec:\rrffxxl.exe122⤵PID:916