Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 20:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe
-
Size
454KB
-
MD5
873ed953b77349630cabbfc03dc01e30
-
SHA1
94771f7a2cd63462f1c1433ac99be6c86f381933
-
SHA256
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191
-
SHA512
b61816461d63ccfdb1c0ad64af29f7ce8dbc3f6f72e3c3b8433f1621fd9a176c9308d4a40657deb18e3d88aa1cb5e1c1c05511298513ca0d0558e590f8c41a03
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2324-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1212-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/764-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-640-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2448-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1000-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-182-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2916-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-172-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/336-136-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1892-111-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-102-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2600-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-65-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2704-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-747-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2076-762-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1736-789-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/448-800-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1792-985-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1048-1124-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1456-1196-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1608-1211-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1928-1224-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2992 bhnnbh.exe 2372 rfrrflr.exe 2140 thbbnt.exe 2656 7jvpp.exe 2704 1xlrfrf.exe 2856 rfxxffr.exe 2920 bbtthh.exe 1212 btnhnt.exe 2600 xlxfflf.exe 2592 7hhhnt.exe 1892 jppvp.exe 2352 xxllfll.exe 2864 3frxrxl.exe 336 tnthtt.exe 2892 pvjpd.exe 764 dvppd.exe 2932 ffrrffl.exe 2916 pjdvv.exe 2168 lfllllr.exe 2056 lffxffl.exe 2472 7tntbb.exe 832 9pppv.exe 2976 ddppv.exe 372 llxfrrl.exe 1648 tbnnbh.exe 2076 vvdjd.exe 2780 fxxxffr.exe 2224 fxrrffl.exe 1000 nnhhbb.exe 2024 dpppv.exe 2336 7vpvp.exe 2184 lfrxflr.exe 2260 7bnhbn.exe 1864 vdjdj.exe 2384 xfrlrrx.exe 2676 htnthb.exe 2700 vjppp.exe 2788 jjvpv.exe 2240 fxlrxxf.exe 2544 nhbnhn.exe 2624 hthtbb.exe 2652 djdpd.exe 788 5pvvv.exe 2564 rlffxrf.exe 2860 fxrrffr.exe 2132 1nnntb.exe 2604 dvppv.exe 2812 pdvdp.exe 1412 1xrrrrx.exe 2892 nhbhnn.exe 1496 3nbbhh.exe 2848 dvppj.exe 2360 jjpvj.exe 2648 ffrxlxf.exe 2192 frffxrf.exe 1548 thnnbb.exe 620 5htbhh.exe 2088 jjvpv.exe 1500 pjddp.exe 1312 xlflfxl.exe 1544 xxxfrrx.exe 1660 bthhnn.exe 1156 bbbbnn.exe 2076 9pddj.exe -
resource yara_rule behavioral1/memory/2324-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-728-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2448-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2336-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1000-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-747-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1736-789-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/448-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-909-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-922-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-947-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/1792-978-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-985-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2356-986-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-1072-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-1124-0x00000000001B0000-0x00000000001DA000-memory.dmp upx 
behavioral1/memory/1932-1147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-1211-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1928-1224-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2396-1283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-1345-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llflxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2992 2324 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 31 PID 2324 wrote to memory of 2992 2324 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 31 PID 2324 wrote to memory of 2992 2324 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 31 PID 2324 wrote to memory of 2992 2324 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 31 PID 2992 wrote to memory of 2372 2992 bhnnbh.exe 102 PID 2992 wrote to memory of 2372 2992 bhnnbh.exe 102 PID 2992 wrote to memory of 2372 2992 bhnnbh.exe 102 PID 2992 wrote to memory of 2372 2992 bhnnbh.exe 102 PID 2372 wrote to memory of 2140 2372 rfrrflr.exe 33 PID 2372 wrote to memory of 2140 2372 rfrrflr.exe 33 PID 2372 wrote to memory of 2140 2372 rfrrflr.exe 33 PID 2372 wrote to memory of 2140 2372 rfrrflr.exe 33 PID 2140 wrote to memory of 2656 2140 thbbnt.exe 34 PID 2140 wrote to memory of 2656 2140 thbbnt.exe 34 PID 2140 wrote to memory of 2656 2140 thbbnt.exe 34 PID 2140 wrote to memory of 2656 2140 thbbnt.exe 34 PID 2656 wrote to memory of 2704 2656 7jvpp.exe 35 PID 2656 wrote to memory of 2704 2656 7jvpp.exe 35 PID 2656 wrote to memory of 2704 2656 7jvpp.exe 35 PID 2656 wrote to memory of 2704 2656 7jvpp.exe 35 PID 2704 wrote to memory of 2856 2704 1xlrfrf.exe 122 PID 2704 wrote to memory of 2856 2704 1xlrfrf.exe 122 PID 2704 wrote to memory of 2856 2704 1xlrfrf.exe 122 PID 2704 wrote to memory of 2856 2704 1xlrfrf.exe 122 PID 2856 wrote to memory of 2920 2856 rfxxffr.exe 37 PID 2856 wrote to memory of 2920 2856 rfxxffr.exe 37 PID 2856 wrote to memory of 2920 2856 rfxxffr.exe 37 PID 2856 wrote to memory of 2920 2856 rfxxffr.exe 37 PID 2920 wrote to memory of 1212 2920 bbtthh.exe 38 PID 2920 wrote to memory of 1212 2920 bbtthh.exe 38 PID 2920 wrote to memory of 1212 2920 bbtthh.exe 38 PID 2920 wrote to memory of 1212 2920 bbtthh.exe 38 PID 1212 wrote to memory of 2600 1212 btnhnt.exe 
39 PID 1212 wrote to memory of 2600 1212 btnhnt.exe 39 PID 1212 wrote to memory of 2600 1212 btnhnt.exe 39 PID 1212 wrote to memory of 2600 1212 btnhnt.exe 39 PID 2600 wrote to memory of 2592 2600 xlxfflf.exe 40 PID 2600 wrote to memory of 2592 2600 xlxfflf.exe 40 PID 2600 wrote to memory of 2592 2600 xlxfflf.exe 40 PID 2600 wrote to memory of 2592 2600 xlxfflf.exe 40 PID 2592 wrote to memory of 1892 2592 7hhhnt.exe 41 PID 2592 wrote to memory of 1892 2592 7hhhnt.exe 41 PID 2592 wrote to memory of 1892 2592 7hhhnt.exe 41 PID 2592 wrote to memory of 1892 2592 7hhhnt.exe 41 PID 1892 wrote to memory of 2352 1892 jppvp.exe 42 PID 1892 wrote to memory of 2352 1892 jppvp.exe 42 PID 1892 wrote to memory of 2352 1892 jppvp.exe 42 PID 1892 wrote to memory of 2352 1892 jppvp.exe 42 PID 2352 wrote to memory of 2864 2352 xxllfll.exe 43 PID 2352 wrote to memory of 2864 2352 xxllfll.exe 43 PID 2352 wrote to memory of 2864 2352 xxllfll.exe 43 PID 2352 wrote to memory of 2864 2352 xxllfll.exe 43 PID 2864 wrote to memory of 336 2864 3frxrxl.exe 44 PID 2864 wrote to memory of 336 2864 3frxrxl.exe 44 PID 2864 wrote to memory of 336 2864 3frxrxl.exe 44 PID 2864 wrote to memory of 336 2864 3frxrxl.exe 44 PID 336 wrote to memory of 2892 336 tnthtt.exe 45 PID 336 wrote to memory of 2892 336 tnthtt.exe 45 PID 336 wrote to memory of 2892 336 tnthtt.exe 45 PID 336 wrote to memory of 2892 336 tnthtt.exe 45 PID 2892 wrote to memory of 764 2892 pvjpd.exe 46 PID 2892 wrote to memory of 764 2892 pvjpd.exe 46 PID 2892 wrote to memory of 764 2892 pvjpd.exe 46 PID 2892 wrote to memory of 764 2892 pvjpd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe"C:\Users\Admin\AppData\Local\Temp\1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\bhnnbh.exec:\bhnnbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\rfrrflr.exec:\rfrrflr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\thbbnt.exec:\thbbnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\7jvpp.exec:\7jvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\1xlrfrf.exec:\1xlrfrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\rfxxffr.exec:\rfxxffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\bbtthh.exec:\bbtthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\btnhnt.exec:\btnhnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\xlxfflf.exec:\xlxfflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\7hhhnt.exec:\7hhhnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\jppvp.exec:\jppvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\xxllfll.exec:\xxllfll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\3frxrxl.exec:\3frxrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\tnthtt.exec:\tnthtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\pvjpd.exec:\pvjpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\dvppd.exec:\dvppd.exe17⤵
- Executes dropped EXE
PID:764 -
\??\c:\ffrrffl.exec:\ffrrffl.exe18⤵
- Executes dropped EXE
PID:2932 -
\??\c:\pjdvv.exec:\pjdvv.exe19⤵
- Executes dropped EXE
PID:2916 -
\??\c:\lfllllr.exec:\lfllllr.exe20⤵
- Executes dropped EXE
PID:2168 -
\??\c:\lffxffl.exec:\lffxffl.exe21⤵
- Executes dropped EXE
PID:2056 -
\??\c:\7tntbb.exec:\7tntbb.exe22⤵
- Executes dropped EXE
PID:2472 -
\??\c:\9pppv.exec:\9pppv.exe23⤵
- Executes dropped EXE
PID:832 -
\??\c:\ddppv.exec:\ddppv.exe24⤵
- Executes dropped EXE
PID:2976 -
\??\c:\llxfrrl.exec:\llxfrrl.exe25⤵
- Executes dropped EXE
PID:372 -
\??\c:\tbnnbh.exec:\tbnnbh.exe26⤵
- Executes dropped EXE
PID:1648 -
\??\c:\vvdjd.exec:\vvdjd.exe27⤵
- Executes dropped EXE
PID:2076 -
\??\c:\fxxxffr.exec:\fxxxffr.exe28⤵
- Executes dropped EXE
PID:2780 -
\??\c:\fxrrffl.exec:\fxrrffl.exe29⤵
- Executes dropped EXE
PID:2224 -
\??\c:\nnhhbb.exec:\nnhhbb.exe30⤵
- Executes dropped EXE
PID:1000 -
\??\c:\dpppv.exec:\dpppv.exe31⤵
- Executes dropped EXE
PID:2024 -
\??\c:\7vpvp.exec:\7vpvp.exe32⤵
- Executes dropped EXE
PID:2336 -
\??\c:\lfrxflr.exec:\lfrxflr.exe33⤵
- Executes dropped EXE
PID:2184 -
\??\c:\7bnhbn.exec:\7bnhbn.exe34⤵
- Executes dropped EXE
PID:2260 -
\??\c:\vdjdj.exec:\vdjdj.exe35⤵
- Executes dropped EXE
PID:1864 -
\??\c:\xfrlrrx.exec:\xfrlrrx.exe36⤵
- Executes dropped EXE
PID:2384 -
\??\c:\htnthb.exec:\htnthb.exe37⤵
- Executes dropped EXE
PID:2676 -
\??\c:\vjppp.exec:\vjppp.exe38⤵
- Executes dropped EXE
PID:2700 -
\??\c:\jjvpv.exec:\jjvpv.exe39⤵
- Executes dropped EXE
PID:2788 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe40⤵
- Executes dropped EXE
PID:2240 -
\??\c:\nhbnhn.exec:\nhbnhn.exe41⤵
- Executes dropped EXE
PID:2544 -
\??\c:\hthtbb.exec:\hthtbb.exe42⤵
- Executes dropped EXE
PID:2624 -
\??\c:\djdpd.exec:\djdpd.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\5pvvv.exec:\5pvvv.exe44⤵
- Executes dropped EXE
PID:788 -
\??\c:\rlffxrf.exec:\rlffxrf.exe45⤵
- Executes dropped EXE
PID:2564 -
\??\c:\fxrrffr.exec:\fxrrffr.exe46⤵
- Executes dropped EXE
PID:2860 -
\??\c:\1nnntb.exec:\1nnntb.exe47⤵
- Executes dropped EXE
PID:2132 -
\??\c:\dvppv.exec:\dvppv.exe48⤵
- Executes dropped EXE
PID:2604 -
\??\c:\pdvdp.exec:\pdvdp.exe49⤵
- Executes dropped EXE
PID:2812 -
\??\c:\1xrrrrx.exec:\1xrrrrx.exe50⤵
- Executes dropped EXE
PID:1412 -
\??\c:\nhbhnn.exec:\nhbhnn.exe51⤵
- Executes dropped EXE
PID:2892 -
\??\c:\3nbbhh.exec:\3nbbhh.exe52⤵
- Executes dropped EXE
PID:1496 -
\??\c:\dvppj.exec:\dvppj.exe53⤵
- Executes dropped EXE
PID:2848 -
\??\c:\jjpvj.exec:\jjpvj.exe54⤵
- Executes dropped EXE
PID:2360 -
\??\c:\ffrxlxf.exec:\ffrxlxf.exe55⤵
- Executes dropped EXE
PID:2648 -
\??\c:\frffxrf.exec:\frffxrf.exe56⤵
- Executes dropped EXE
PID:2192 -
\??\c:\thnnbb.exec:\thnnbb.exe57⤵
- Executes dropped EXE
PID:1548 -
\??\c:\5htbhh.exec:\5htbhh.exe58⤵
- Executes dropped EXE
PID:620 -
\??\c:\jjvpv.exec:\jjvpv.exe59⤵
- Executes dropped EXE
PID:2088 -
\??\c:\pjddp.exec:\pjddp.exe60⤵
- Executes dropped EXE
PID:1500 -
\??\c:\xlflfxl.exec:\xlflfxl.exe61⤵
- Executes dropped EXE
PID:1312 -
\??\c:\xxxfrrx.exec:\xxxfrrx.exe62⤵
- Executes dropped EXE
PID:1544 -
\??\c:\bthhnn.exec:\bthhnn.exe63⤵
- Executes dropped EXE
PID:1660 -
\??\c:\bbbbnn.exec:\bbbbnn.exe64⤵
- Executes dropped EXE
PID:1156 -
\??\c:\9pddj.exec:\9pddj.exe65⤵
- Executes dropped EXE
PID:2076 -
\??\c:\frrrrlr.exec:\frrrrlr.exe66⤵PID:560
-
\??\c:\7rffrrf.exec:\7rffrrf.exe67⤵PID:2448
-
\??\c:\htntbh.exec:\htntbh.exe68⤵PID:2316
-
\??\c:\hbnntt.exec:\hbnntt.exe69⤵PID:1108
-
\??\c:\dvppj.exec:\dvppj.exe70⤵PID:1532
-
\??\c:\lfrxffr.exec:\lfrxffr.exe71⤵PID:1964
-
\??\c:\fxllrrf.exec:\fxllrrf.exe72⤵PID:1868
-
\??\c:\5tbttb.exec:\5tbttb.exe73⤵PID:2372
-
\??\c:\3htnhh.exec:\3htnhh.exe74⤵PID:2416
-
\??\c:\1pddp.exec:\1pddp.exe75⤵PID:2760
-
\??\c:\dvpvd.exec:\dvpvd.exe76⤵PID:2384
-
\??\c:\5rxxllr.exec:\5rxxllr.exe77⤵PID:2676
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe78⤵PID:2152
-
\??\c:\hthhtt.exec:\hthhtt.exe79⤵PID:2796
-
\??\c:\vvppd.exec:\vvppd.exe80⤵PID:2256
-
\??\c:\jjvjv.exec:\jjvjv.exe81⤵PID:2828
-
\??\c:\flrrrfr.exec:\flrrrfr.exe82⤵PID:1048
-
\??\c:\rxfxrll.exec:\rxfxrll.exe83⤵PID:2116
-
\??\c:\hhtnbb.exec:\hhtnbb.exe84⤵PID:1984
-
\??\c:\hhttbh.exec:\hhttbh.exe85⤵PID:2980
-
\??\c:\dvppp.exec:\dvppp.exe86⤵PID:1932
-
\??\c:\jdjjv.exec:\jdjjv.exe87⤵PID:2928
-
\??\c:\3fxllrf.exec:\3fxllrf.exe88⤵PID:1652
-
\??\c:\llxxffl.exec:\llxxffl.exe89⤵PID:2068
-
\??\c:\nnthtt.exec:\nnthtt.exe90⤵PID:2896
-
\??\c:\bnbnbb.exec:\bnbnbb.exe91⤵PID:2900
-
\??\c:\dvppj.exec:\dvppj.exe92⤵PID:2956
-
\??\c:\dvdjp.exec:\dvdjp.exe93⤵PID:2856
-
\??\c:\fxrrfxx.exec:\fxrrfxx.exe94⤵PID:2968
-
\??\c:\xlfxxrx.exec:\xlfxxrx.exe95⤵PID:2884
-
\??\c:\bnthht.exec:\bnthht.exe96⤵PID:2508
-
\??\c:\hhthtn.exec:\hhthtn.exe97⤵PID:2236
-
\??\c:\jdppd.exec:\jdppd.exe98⤵PID:1928
-
\??\c:\ddppd.exec:\ddppd.exe99⤵PID:1856
-
\??\c:\frllrrx.exec:\frllrrx.exe100⤵PID:648
-
\??\c:\xllxrrx.exec:\xllxrrx.exe101⤵PID:2924
-
\??\c:\hthhtt.exec:\hthhtt.exe102⤵PID:708
-
\??\c:\hthbhb.exec:\hthbhb.exe103⤵PID:1436
-
\??\c:\vpjpv.exec:\vpjpv.exe104⤵PID:1544
-
\??\c:\xrflrrf.exec:\xrflrrf.exe105⤵PID:1660
-
\??\c:\nhtthh.exec:\nhtthh.exe106⤵PID:1676
-
\??\c:\nnbhtn.exec:\nnbhtn.exe107⤵PID:2076
-
\??\c:\5jddj.exec:\5jddj.exe108⤵PID:892
-
\??\c:\xlxrfrf.exec:\xlxrfrf.exe109⤵PID:1000
-
\??\c:\frxxfff.exec:\frxxfff.exe110⤵PID:2272
-
\??\c:\3ttntb.exec:\3ttntb.exe111⤵PID:952
-
\??\c:\djddp.exec:\djddp.exe112⤵PID:1736
-
\??\c:\rlxlfxf.exec:\rlxlfxf.exe113⤵PID:2992
-
\??\c:\7lxxxff.exec:\7lxxxff.exe114⤵PID:448
-
\??\c:\1jvpv.exec:\1jvpv.exe115⤵PID:2364
-
\??\c:\llffffl.exec:\llffffl.exe116⤵PID:2744
-
\??\c:\lfxfrlr.exec:\lfxfrlr.exe117⤵PID:3004
-
\??\c:\1hbhtt.exec:\1hbhtt.exe118⤵PID:2384
-
\??\c:\bnbhnn.exec:\bnbhnn.exe119⤵PID:2696
-
\??\c:\vppjp.exec:\vppjp.exe120⤵PID:2712
-
\??\c:\3tntnt.exec:\3tntnt.exe121⤵PID:2680
-
\??\c:\3pjvj.exec:\3pjvj.exe122⤵PID:2764