Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 19:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
04fe86872c8dd4b19378185ce6aead43f38a90fb8222283d0d3e2aa865c2672f.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
04fe86872c8dd4b19378185ce6aead43f38a90fb8222283d0d3e2aa865c2672f.exe
-
Size
456KB
-
MD5
025868b73b36cfd494e17f00285473d0
-
SHA1
d56205cc485eaf9106f45f6205c7184a76d16b70
-
SHA256
04fe86872c8dd4b19378185ce6aead43f38a90fb8222283d0d3e2aa865c2672f
-
SHA512
8f2df192b1c123779e7a2eb7b69be02c6771e470352f5b23853514ccfe54d707d7db7ff41859df4afbba8682c50d90335a7dcb2e932761a7342673ee781d1dcd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRD:q7Tc2NYHUrAwfMp3CDRD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2616-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-49-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2736-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-54-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2888-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-89-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1700-101-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2600-96-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2600-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1404-121-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1128-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-128-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1404-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-136-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2524-143-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2524-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-197-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2092-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-216-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2912-221-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1580-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-309-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2680-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-364-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1512-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1748-517-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2184-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-531-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2768-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-559-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1280-658-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1500-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-868-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2700-887-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1920-888-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1784-968-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2108-987-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2108-1008-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2172-1062-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2484 lfxflrf.exe 2616 htnbnt.exe 2160 ddjpd.exe 2684 vvjpj.exe 2736 bbntht.exe 2888 bbbhhn.exe 2848 9ddjv.exe 2580 tnbbhh.exe 2600 pjvvd.exe 1700 hhhnth.exe 1128 pjdjd.exe 1404 pjjjp.exe 1440 lrlxrfx.exe 2524 flxlxfr.exe 2776 bththh.exe 2024 3ppdp.exe 2576 llfxfrf.exe 2972 ddvdj.exe 2188 frlrfxr.exe 2092 vpjjv.exe 1720 ddvdp.exe 2912 hnnnbh.exe 1580 pppvj.exe 1096 5hhnbh.exe 1748 jjddp.exe 1804 rlffflr.exe 2496 5bntbh.exe 2064 9nnhnt.exe 2452 pppdp.exe 2304 tnhnbb.exe 2484 hhnbnh.exe 2072 fxrrxfr.exe 2680 hnhhbh.exe 2732 vjvvp.exe 2676 xxrfxfr.exe 2836 1hbnth.exe 2544 nnhtbh.exe 2564 jjdpd.exe 2864 lfxxlrx.exe 2560 7nhthh.exe 2584 3hbttt.exe 2588 pdvdd.exe 1368 xlxxlfr.exe 1488 xxxrrxr.exe 1640 nnbhtn.exe 1512 pdvpv.exe 2720 1vvdp.exe 276 5lllxlf.exe 2844 tnbhnt.exe 2712 btnhtb.exe 1836 ppdvj.exe 2624 rrllxfr.exe 2872 5tbnbn.exe 2980 hhbtnt.exe 2100 jpddp.exe 2124 lfxxlxf.exe 2188 9flrllr.exe 2516 httbnn.exe 2904 1vppp.exe 792 fffrllf.exe 2420 rrllrxf.exe 1952 ttnhth.exe 860 pjvpd.exe 1748 5dvdp.exe -
resource yara_rule behavioral1/memory/2616-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1128-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-232-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1580-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-479-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1760-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-658-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/2964-725-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1500-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-901-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2172-1062-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-1268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-1353-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2488 wrote to memory of 2484 2488 04fe86872c8dd4b19378185ce6aead43f38a90fb8222283d0d3e2aa865c2672f.exe 31 PID 2488 wrote to memory of 2484 2488 04fe86872c8dd4b19378185ce6aead43f38a90fb8222283d0d3e2aa865c2672f.exe 31 PID 2488 wrote to memory of 2484 2488 04fe86872c8dd4b19378185ce6aead43f38a90fb8222283d0d3e2aa865c2672f.exe 31 PID 2488 wrote to memory of 2484 2488 04fe86872c8dd4b19378185ce6aead43f38a90fb8222283d0d3e2aa865c2672f.exe 31 PID 2484 wrote to memory of 2616 2484 lfxflrf.exe 32 PID 2484 wrote to memory of 2616 2484 lfxflrf.exe 32 PID 2484 wrote to memory of 2616 2484 lfxflrf.exe 32 PID 2484 wrote to memory of 2616 2484 lfxflrf.exe 32 PID 2616 wrote to memory of 2160 2616 htnbnt.exe 33 PID 2616 wrote to memory of 2160 2616 htnbnt.exe 33 PID 2616 wrote to memory of 2160 2616 htnbnt.exe 33 PID 2616 wrote to memory of 2160 2616 htnbnt.exe 33 PID 2160 wrote to memory of 2684 2160 ddjpd.exe 34 PID 2160 wrote to memory of 2684 2160 ddjpd.exe 34 PID 2160 wrote to memory of 2684 2160 ddjpd.exe 34 PID 2160 wrote to memory of 2684 2160 ddjpd.exe 34 PID 2684 wrote to memory of 2736 2684 vvjpj.exe 35 PID 2684 wrote to memory of 2736 2684 vvjpj.exe 35 PID 2684 wrote to memory of 2736 2684 vvjpj.exe 35 PID 2684 wrote to memory of 2736 2684 vvjpj.exe 35 PID 2736 wrote to memory of 2888 2736 bbntht.exe 36 PID 2736 wrote to memory of 2888 2736 bbntht.exe 36 PID 2736 wrote to memory of 2888 2736 bbntht.exe 36 PID 2736 wrote to memory of 2888 2736 bbntht.exe 36 PID 2888 wrote to memory of 2848 2888 bbbhhn.exe 37 PID 2888 wrote to memory of 2848 2888 bbbhhn.exe 37 PID 2888 wrote to memory of 2848 2888 bbbhhn.exe 37 PID 2888 wrote to memory of 2848 2888 bbbhhn.exe 37 PID 2848 wrote to memory of 2580 2848 9ddjv.exe 38 PID 2848 wrote to memory of 2580 2848 9ddjv.exe 38 PID 2848 wrote to memory of 2580 2848 9ddjv.exe 38 PID 2848 wrote to memory of 2580 2848 9ddjv.exe 38 PID 2580 wrote to memory of 2600 2580 tnbbhh.exe 39 PID 2580 wrote to 
memory of 2600 2580 tnbbhh.exe 39 PID 2580 wrote to memory of 2600 2580 tnbbhh.exe 39 PID 2580 wrote to memory of 2600 2580 tnbbhh.exe 39 PID 2600 wrote to memory of 1700 2600 pjvvd.exe 40 PID 2600 wrote to memory of 1700 2600 pjvvd.exe 40 PID 2600 wrote to memory of 1700 2600 pjvvd.exe 40 PID 2600 wrote to memory of 1700 2600 pjvvd.exe 40 PID 1700 wrote to memory of 1128 1700 hhhnth.exe 41 PID 1700 wrote to memory of 1128 1700 hhhnth.exe 41 PID 1700 wrote to memory of 1128 1700 hhhnth.exe 41 PID 1700 wrote to memory of 1128 1700 hhhnth.exe 41 PID 1128 wrote to memory of 1404 1128 pjdjd.exe 42 PID 1128 wrote to memory of 1404 1128 pjdjd.exe 42 PID 1128 wrote to memory of 1404 1128 pjdjd.exe 42 PID 1128 wrote to memory of 1404 1128 pjdjd.exe 42 PID 1404 wrote to memory of 1440 1404 pjjjp.exe 43 PID 1404 wrote to memory of 1440 1404 pjjjp.exe 43 PID 1404 wrote to memory of 1440 1404 pjjjp.exe 43 PID 1404 wrote to memory of 1440 1404 pjjjp.exe 43 PID 1440 wrote to memory of 2524 1440 lrlxrfx.exe 44 PID 1440 wrote to memory of 2524 1440 lrlxrfx.exe 44 PID 1440 wrote to memory of 2524 1440 lrlxrfx.exe 44 PID 1440 wrote to memory of 2524 1440 lrlxrfx.exe 44 PID 2524 wrote to memory of 2776 2524 flxlxfr.exe 45 PID 2524 wrote to memory of 2776 2524 flxlxfr.exe 45 PID 2524 wrote to memory of 2776 2524 flxlxfr.exe 45 PID 2524 wrote to memory of 2776 2524 flxlxfr.exe 45 PID 2776 wrote to memory of 2024 2776 bththh.exe 46 PID 2776 wrote to memory of 2024 2776 bththh.exe 46 PID 2776 wrote to memory of 2024 2776 bththh.exe 46 PID 2776 wrote to memory of 2024 2776 bththh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\04fe86872c8dd4b19378185ce6aead43f38a90fb8222283d0d3e2aa865c2672f.exe"C:\Users\Admin\AppData\Local\Temp\04fe86872c8dd4b19378185ce6aead43f38a90fb8222283d0d3e2aa865c2672f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\lfxflrf.exec:\lfxflrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\htnbnt.exec:\htnbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\ddjpd.exec:\ddjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\vvjpj.exec:\vvjpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\bbntht.exec:\bbntht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\bbbhhn.exec:\bbbhhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\9ddjv.exec:\9ddjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\tnbbhh.exec:\tnbbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\pjvvd.exec:\pjvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\hhhnth.exec:\hhhnth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\pjdjd.exec:\pjdjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\pjjjp.exec:\pjjjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\lrlxrfx.exec:\lrlxrfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\flxlxfr.exec:\flxlxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\bththh.exec:\bththh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\3ppdp.exec:\3ppdp.exe17⤵
- Executes dropped EXE
PID:2024 -
\??\c:\llfxfrf.exec:\llfxfrf.exe18⤵
- Executes dropped EXE
PID:2576 -
\??\c:\ddvdj.exec:\ddvdj.exe19⤵
- Executes dropped EXE
PID:2972 -
\??\c:\frlrfxr.exec:\frlrfxr.exe20⤵
- Executes dropped EXE
PID:2188 -
\??\c:\vpjjv.exec:\vpjjv.exe21⤵
- Executes dropped EXE
PID:2092 -
\??\c:\ddvdp.exec:\ddvdp.exe22⤵
- Executes dropped EXE
PID:1720 -
\??\c:\hnnnbh.exec:\hnnnbh.exe23⤵
- Executes dropped EXE
PID:2912 -
\??\c:\pppvj.exec:\pppvj.exe24⤵
- Executes dropped EXE
PID:1580 -
\??\c:\5hhnbh.exec:\5hhnbh.exe25⤵
- Executes dropped EXE
PID:1096 -
\??\c:\jjddp.exec:\jjddp.exe26⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rlffflr.exec:\rlffflr.exe27⤵
- Executes dropped EXE
PID:1804 -
\??\c:\5bntbh.exec:\5bntbh.exe28⤵
- Executes dropped EXE
PID:2496 -
\??\c:\9nnhnt.exec:\9nnhnt.exe29⤵
- Executes dropped EXE
PID:2064 -
\??\c:\pppdp.exec:\pppdp.exe30⤵
- Executes dropped EXE
PID:2452 -
\??\c:\tnhnbb.exec:\tnhnbb.exe31⤵
- Executes dropped EXE
PID:2304 -
\??\c:\hhnbnh.exec:\hhnbnh.exe32⤵
- Executes dropped EXE
PID:2484 -
\??\c:\fxrrxfr.exec:\fxrrxfr.exe33⤵
- Executes dropped EXE
PID:2072 -
\??\c:\hnhhbh.exec:\hnhhbh.exe34⤵
- Executes dropped EXE
PID:2680 -
\??\c:\vjvvp.exec:\vjvvp.exe35⤵
- Executes dropped EXE
PID:2732 -
\??\c:\xxrfxfr.exec:\xxrfxfr.exe36⤵
- Executes dropped EXE
PID:2676 -
\??\c:\1hbnth.exec:\1hbnth.exe37⤵
- Executes dropped EXE
PID:2836 -
\??\c:\nnhtbh.exec:\nnhtbh.exe38⤵
- Executes dropped EXE
PID:2544 -
\??\c:\jjdpd.exec:\jjdpd.exe39⤵
- Executes dropped EXE
PID:2564 -
\??\c:\lfxxlrx.exec:\lfxxlrx.exe40⤵
- Executes dropped EXE
PID:2864 -
\??\c:\7nhthh.exec:\7nhthh.exe41⤵
- Executes dropped EXE
PID:2560 -
\??\c:\3hbttt.exec:\3hbttt.exe42⤵
- Executes dropped EXE
PID:2584 -
\??\c:\pdvdd.exec:\pdvdd.exe43⤵
- Executes dropped EXE
PID:2588 -
\??\c:\xlxxlfr.exec:\xlxxlfr.exe44⤵
- Executes dropped EXE
PID:1368 -
\??\c:\xxxrrxr.exec:\xxxrrxr.exe45⤵
- Executes dropped EXE
PID:1488 -
\??\c:\nnbhtn.exec:\nnbhtn.exe46⤵
- Executes dropped EXE
PID:1640 -
\??\c:\pdvpv.exec:\pdvpv.exe47⤵
- Executes dropped EXE
PID:1512 -
\??\c:\1vvdp.exec:\1vvdp.exe48⤵
- Executes dropped EXE
PID:2720 -
\??\c:\5lllxlf.exec:\5lllxlf.exe49⤵
- Executes dropped EXE
PID:276 -
\??\c:\tnbhnt.exec:\tnbhnt.exe50⤵
- Executes dropped EXE
PID:2844 -
\??\c:\btnhtb.exec:\btnhtb.exe51⤵
- Executes dropped EXE
PID:2712 -
\??\c:\ppdvj.exec:\ppdvj.exe52⤵
- Executes dropped EXE
PID:1836 -
\??\c:\rrllxfr.exec:\rrllxfr.exe53⤵
- Executes dropped EXE
PID:2624 -
\??\c:\5tbnbn.exec:\5tbnbn.exe54⤵
- Executes dropped EXE
PID:2872 -
\??\c:\hhbtnt.exec:\hhbtnt.exe55⤵
- Executes dropped EXE
PID:2980 -
\??\c:\jpddp.exec:\jpddp.exe56⤵
- Executes dropped EXE
PID:2100 -
\??\c:\lfxxlxf.exec:\lfxxlxf.exe57⤵
- Executes dropped EXE
PID:2124 -
\??\c:\9flrllr.exec:\9flrllr.exe58⤵
- Executes dropped EXE
PID:2188 -
\??\c:\httbnn.exec:\httbnn.exe59⤵
- Executes dropped EXE
PID:2516 -
\??\c:\1vppp.exec:\1vppp.exe60⤵
- Executes dropped EXE
PID:2904 -
\??\c:\fffrllf.exec:\fffrllf.exe61⤵
- Executes dropped EXE
PID:792 -
\??\c:\rrllrxf.exec:\rrllrxf.exe62⤵
- Executes dropped EXE
PID:2420 -
\??\c:\ttnhth.exec:\ttnhth.exe63⤵
- Executes dropped EXE
PID:1952 -
\??\c:\pjvpd.exec:\pjvpd.exe64⤵
- Executes dropped EXE
PID:860 -
\??\c:\5dvdp.exec:\5dvdp.exe65⤵
- Executes dropped EXE
PID:1748 -
\??\c:\fxlfrxf.exec:\fxlfrxf.exe66⤵PID:1760
-
\??\c:\ntbnbh.exec:\ntbnbh.exe67⤵PID:2184
-
\??\c:\jppdv.exec:\jppdv.exe68⤵PID:2768
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe69⤵PID:1752
-
\??\c:\5rlrlxf.exec:\5rlrlxf.exe70⤵PID:1076
-
\??\c:\hhbbtb.exec:\hhbbtb.exe71⤵PID:2452
-
\??\c:\jjjvd.exec:\jjjvd.exe72⤵PID:320
-
\??\c:\7rffxlr.exec:\7rffxlr.exe73⤵PID:1996
-
\??\c:\llfxrfr.exec:\llfxrfr.exe74⤵PID:1500
-
\??\c:\tthhth.exec:\tthhth.exe75⤵PID:2072
-
\??\c:\jjdjv.exec:\jjdjv.exe76⤵PID:2680
-
\??\c:\lrlrllf.exec:\lrlrllf.exe77⤵PID:2640
-
\??\c:\rlllxfx.exec:\rlllxfx.exe78⤵PID:2676
-
\??\c:\9thnth.exec:\9thnth.exe79⤵PID:2736
-
\??\c:\5vpdd.exec:\5vpdd.exe80⤵PID:2828
-
\??\c:\pdpdj.exec:\pdpdj.exe81⤵PID:2804
-
\??\c:\rxxlxfx.exec:\rxxlxfx.exe82⤵PID:2592
-
\??\c:\nthnth.exec:\nthnth.exe83⤵PID:2612
-
\??\c:\nhbhbn.exec:\nhbhbn.exe84⤵PID:576
-
\??\c:\jjddp.exec:\jjddp.exe85⤵PID:2608
-
\??\c:\ffrxrxl.exec:\ffrxrxl.exe86⤵PID:1560
-
\??\c:\7httbb.exec:\7httbb.exe87⤵PID:1280
-
\??\c:\9hnthb.exec:\9hnthb.exe88⤵PID:2856
-
\??\c:\jpjpd.exec:\jpjpd.exe89⤵PID:1164
-
\??\c:\lfffllx.exec:\lfffllx.exe90⤵PID:1980
-
\??\c:\xfflxxx.exec:\xfflxxx.exe91⤵PID:2596
-
\??\c:\tnntbt.exec:\tnntbt.exe92⤵PID:1928
-
\??\c:\dvjjv.exec:\dvjjv.exe93⤵PID:1816
-
\??\c:\vvvvp.exec:\vvvvp.exe94⤵PID:2964
-
\??\c:\xrlrffl.exec:\xrlrffl.exe95⤵PID:396
-
\??\c:\ffxrxxf.exec:\ffxrxxf.exe96⤵PID:2128
-
\??\c:\tbbnhn.exec:\tbbnhn.exe97⤵PID:2872
-
\??\c:\pvvdp.exec:\pvvdp.exe98⤵PID:1820
-
\??\c:\3dpjp.exec:\3dpjp.exe99⤵PID:1240
-
\??\c:\ffxlrxl.exec:\ffxlrxl.exe100⤵PID:2124
-
\??\c:\ntnnht.exec:\ntnnht.exe101⤵PID:2080
-
\??\c:\3pdjd.exec:\3pdjd.exe102⤵PID:2156
-
\??\c:\xlxfflr.exec:\xlxfflr.exe103⤵PID:1364
-
\??\c:\fxlrlrx.exec:\fxlrlrx.exe104⤵PID:2004
-
\??\c:\1tnnnh.exec:\1tnnnh.exe105⤵PID:1956
-
\??\c:\jdddp.exec:\jdddp.exe106⤵PID:2228
-
\??\c:\1jvpd.exec:\1jvpd.exe107⤵PID:2424
-
\??\c:\rlflxlx.exec:\rlflxlx.exe108⤵PID:844
-
\??\c:\3tnnbb.exec:\3tnnbb.exe109⤵PID:2408
-
\??\c:\pvvjd.exec:\pvvjd.exe110⤵PID:1684
-
\??\c:\pppvj.exec:\pppvj.exe111⤵PID:2932
-
\??\c:\fffrlxf.exec:\fffrlxf.exe112⤵PID:1256
-
\??\c:\tthhnn.exec:\tthhnn.exe113⤵PID:2940
-
\??\c:\hbnntt.exec:\hbnntt.exe114⤵PID:2504
-
\??\c:\jdvpd.exec:\jdvpd.exe115⤵PID:2400
-
\??\c:\rlrfxfr.exec:\rlrfxfr.exe116⤵PID:320
-
\??\c:\xrxflxx.exec:\xrxflxx.exe117⤵PID:1996
-
\??\c:\tnbnth.exec:\tnbnth.exe118⤵PID:1500
-
\??\c:\5pddv.exec:\5pddv.exe119⤵PID:2072
-
\??\c:\9pdjv.exec:\9pdjv.exe120⤵PID:2680
-
\??\c:\9lrxlxr.exec:\9lrxlxr.exe121⤵PID:1920
-
\??\c:\nnnhtb.exec:\nnnhtb.exe122⤵PID:2836