Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 09:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8b0979f38d5d52131cf30311517781a7908f47da6e38bdd5c6daacba66caab82N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8b0979f38d5d52131cf30311517781a7908f47da6e38bdd5c6daacba66caab82N.exe
-
Size
455KB
-
MD5
15eedcebfe285625a31cdcaea7118ce0
-
SHA1
02d324c73da1207bdd11d73cea98c0c5fba4a040
-
SHA256
8b0979f38d5d52131cf30311517781a7908f47da6e38bdd5c6daacba66caab82
-
SHA512
989a346d803abc1518d5af44aa7e652de20983569f4d7af5cd1cad0e099167aefafc9e5d6ac65d1830affbb86a373b53934338f1badaf023785e8c12c541c9f5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 37 IoCs
resource yara_rule behavioral1/memory/2184-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-43-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2804-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2656-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-450-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1616-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-669-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2184-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-882-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1132-998-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2184 lxxfxfx.exe 2748 1btbht.exe 3064 7dppd.exe 2800 rrxflxl.exe 2804 hhbbhn.exe 2552 jddvj.exe 2480 5hhhbb.exe 2216 rrllxfx.exe 2848 bnbntb.exe 2032 jdjjp.exe 484 tthnbb.exe 572 jjdjp.exe 1768 tnnnbb.exe 2460 dpddj.exe 332 9lxrxlf.exe 1980 1bnnhh.exe 284 btthtb.exe 2412 ppjjd.exe 2052 1xrfrlx.exe 2012 ddvjd.exe 2024 hhnbnt.exe 896 jjdvj.exe 1544 btnhtb.exe 1532 1ppjp.exe 2060 3tbnht.exe 1672 bbbtbh.exe 1356 llffrxl.exe 2348 nthntt.exe 2276 pjddj.exe 868 xxrlxxf.exe 2392 pdjjp.exe 2692 bthhtb.exe 2772 jvdjj.exe 1572 xxlrxxl.exe 2816 xrlxlxr.exe 3064 ttbhhn.exe 2796 pdpvj.exe 2656 rrfffrx.exe 2560 ttnbnb.exe 2972 vvdpd.exe 1852 jdvvd.exe 1592 fxrfrfl.exe 548 3tnhbn.exe 2848 3tttbh.exe 2420 9jpvd.exe 700 ffxrflr.exe 1696 bbnnhh.exe 1628 jvvvj.exe 1692 ddvpv.exe 2076 xrlxlrx.exe 1264 nhnttb.exe 1976 dpjvp.exe 1344 xfxfxfr.exe 1816 xrlrflf.exe 348 bhbnbh.exe 1368 vpjpd.exe 2240 lfxlxff.exe 1964 bbbbhh.exe 1868 dddpj.exe 2024 jdvjv.exe 1724 lrlxxrf.exe 1992 3bhtbh.exe 1936 3jdjv.exe 1532 5lxflrx.exe -
resource yara_rule behavioral1/memory/2724-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-43-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2804-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-265-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2816-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2656-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-669-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2112-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-870-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2980-894-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1932-934-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-998-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-1049-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
fxrrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lflxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2724 wrote to memory of 2184 2724 8b0979f38d5d52131cf30311517781a7908f47da6e38bdd5c6daacba66caab82N.exe 31 PID 2724 wrote to memory of 2184 2724 8b0979f38d5d52131cf30311517781a7908f47da6e38bdd5c6daacba66caab82N.exe 31 PID 2724 wrote to memory of 2184 2724 8b0979f38d5d52131cf30311517781a7908f47da6e38bdd5c6daacba66caab82N.exe 31 PID 2724 wrote to memory of 2184 2724 8b0979f38d5d52131cf30311517781a7908f47da6e38bdd5c6daacba66caab82N.exe 31 PID 2184 wrote to memory of 2748 2184 lxxfxfx.exe 32 PID 2184 wrote to memory of 2748 2184 lxxfxfx.exe 32 PID 2184 wrote to memory of 2748 2184 lxxfxfx.exe 32 PID 2184 wrote to memory of 2748 2184 lxxfxfx.exe 32 PID 2748 wrote to memory of 3064 2748 1btbht.exe 33 PID 2748 wrote to memory of 3064 2748 1btbht.exe 33 PID 2748 wrote to memory of 3064 2748 1btbht.exe 33 PID 2748 wrote to memory of 3064 2748 1btbht.exe 33 PID 3064 wrote to memory of 2800 3064 7dppd.exe 34 PID 3064 wrote to memory of 2800 3064 7dppd.exe 34 PID 3064 wrote to memory of 2800 3064 7dppd.exe 34 PID 3064 wrote to memory of 2800 3064 7dppd.exe 34 PID 2800 wrote to memory of 2804 2800 rrxflxl.exe 35 PID 2800 wrote to memory of 2804 2800 rrxflxl.exe 35 PID 2800 wrote to memory of 2804 2800 rrxflxl.exe 35 PID 2800 wrote to memory of 2804 2800 rrxflxl.exe 35 PID 2804 wrote to memory of 2552 2804 hhbbhn.exe 36 PID 2804 wrote to memory of 2552 2804 hhbbhn.exe 36 PID 2804 wrote to memory of 2552 2804 hhbbhn.exe 36 PID 2804 wrote to memory of 2552 2804 hhbbhn.exe 36 PID 2552 wrote to memory of 2480 2552 jddvj.exe 37 PID 2552 wrote to memory of 2480 2552 jddvj.exe 37 PID 2552 wrote to memory of 2480 2552 jddvj.exe 37 PID 2552 wrote to memory of 2480 2552 jddvj.exe 37 PID 2480 wrote to memory of 2216 2480 5hhhbb.exe 38 PID 2480 wrote to memory of 2216 2480 5hhhbb.exe 38 PID 2480 wrote to memory of 2216 2480 5hhhbb.exe 38 PID 2480 wrote to memory of 2216 2480 5hhhbb.exe 38 PID 2216 wrote to memory of 2848 2216 rrllxfx.exe 39 PID 2216 
wrote to memory of 2848 2216 rrllxfx.exe 39 PID 2216 wrote to memory of 2848 2216 rrllxfx.exe 39 PID 2216 wrote to memory of 2848 2216 rrllxfx.exe 39 PID 2848 wrote to memory of 2032 2848 bnbntb.exe 40 PID 2848 wrote to memory of 2032 2848 bnbntb.exe 40 PID 2848 wrote to memory of 2032 2848 bnbntb.exe 40 PID 2848 wrote to memory of 2032 2848 bnbntb.exe 40 PID 2032 wrote to memory of 484 2032 jdjjp.exe 41 PID 2032 wrote to memory of 484 2032 jdjjp.exe 41 PID 2032 wrote to memory of 484 2032 jdjjp.exe 41 PID 2032 wrote to memory of 484 2032 jdjjp.exe 41 PID 484 wrote to memory of 572 484 tthnbb.exe 42 PID 484 wrote to memory of 572 484 tthnbb.exe 42 PID 484 wrote to memory of 572 484 tthnbb.exe 42 PID 484 wrote to memory of 572 484 tthnbb.exe 42 PID 572 wrote to memory of 1768 572 jjdjp.exe 43 PID 572 wrote to memory of 1768 572 jjdjp.exe 43 PID 572 wrote to memory of 1768 572 jjdjp.exe 43 PID 572 wrote to memory of 1768 572 jjdjp.exe 43 PID 1768 wrote to memory of 2460 1768 tnnnbb.exe 44 PID 1768 wrote to memory of 2460 1768 tnnnbb.exe 44 PID 1768 wrote to memory of 2460 1768 tnnnbb.exe 44 PID 1768 wrote to memory of 2460 1768 tnnnbb.exe 44 PID 2460 wrote to memory of 332 2460 dpddj.exe 45 PID 2460 wrote to memory of 332 2460 dpddj.exe 45 PID 2460 wrote to memory of 332 2460 dpddj.exe 45 PID 2460 wrote to memory of 332 2460 dpddj.exe 45 PID 332 wrote to memory of 1980 332 9lxrxlf.exe 46 PID 332 wrote to memory of 1980 332 9lxrxlf.exe 46 PID 332 wrote to memory of 1980 332 9lxrxlf.exe 46 PID 332 wrote to memory of 1980 332 9lxrxlf.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b0979f38d5d52131cf30311517781a7908f47da6e38bdd5c6daacba66caab82N.exe"C:\Users\Admin\AppData\Local\Temp\8b0979f38d5d52131cf30311517781a7908f47da6e38bdd5c6daacba66caab82N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\lxxfxfx.exec:\lxxfxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\1btbht.exec:\1btbht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\7dppd.exec:\7dppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\rrxflxl.exec:\rrxflxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\hhbbhn.exec:\hhbbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\jddvj.exec:\jddvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\5hhhbb.exec:\5hhhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\rrllxfx.exec:\rrllxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\bnbntb.exec:\bnbntb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\jdjjp.exec:\jdjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\tthnbb.exec:\tthnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
\??\c:\jjdjp.exec:\jjdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\tnnnbb.exec:\tnnnbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\dpddj.exec:\dpddj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\9lxrxlf.exec:\9lxrxlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\1bnnhh.exec:\1bnnhh.exe17⤵
- Executes dropped EXE
PID:1980 -
\??\c:\btthtb.exec:\btthtb.exe18⤵
- Executes dropped EXE
PID:284 -
\??\c:\ppjjd.exec:\ppjjd.exe19⤵
- Executes dropped EXE
PID:2412 -
\??\c:\1xrfrlx.exec:\1xrfrlx.exe20⤵
- Executes dropped EXE
PID:2052 -
\??\c:\ddvjd.exec:\ddvjd.exe21⤵
- Executes dropped EXE
PID:2012 -
\??\c:\hhnbnt.exec:\hhnbnt.exe22⤵
- Executes dropped EXE
PID:2024 -
\??\c:\jjdvj.exec:\jjdvj.exe23⤵
- Executes dropped EXE
PID:896 -
\??\c:\btnhtb.exec:\btnhtb.exe24⤵
- Executes dropped EXE
PID:1544 -
\??\c:\1ppjp.exec:\1ppjp.exe25⤵
- Executes dropped EXE
PID:1532 -
\??\c:\3tbnht.exec:\3tbnht.exe26⤵
- Executes dropped EXE
PID:2060 -
\??\c:\bbbtbh.exec:\bbbtbh.exe27⤵
- Executes dropped EXE
PID:1672 -
\??\c:\llffrxl.exec:\llffrxl.exe28⤵
- Executes dropped EXE
PID:1356 -
\??\c:\nthntt.exec:\nthntt.exe29⤵
- Executes dropped EXE
PID:2348 -
\??\c:\pjddj.exec:\pjddj.exe30⤵
- Executes dropped EXE
PID:2276 -
\??\c:\xxrlxxf.exec:\xxrlxxf.exe31⤵
- Executes dropped EXE
PID:868 -
\??\c:\pdjjp.exec:\pdjjp.exe32⤵
- Executes dropped EXE
PID:2392 -
\??\c:\bthhtb.exec:\bthhtb.exe33⤵
- Executes dropped EXE
PID:2692 -
\??\c:\jvdjj.exec:\jvdjj.exe34⤵
- Executes dropped EXE
PID:2772 -
\??\c:\xxlrxxl.exec:\xxlrxxl.exe35⤵
- Executes dropped EXE
PID:1572 -
\??\c:\xrlxlxr.exec:\xrlxlxr.exe36⤵
- Executes dropped EXE
PID:2816 -
\??\c:\ttbhhn.exec:\ttbhhn.exe37⤵
- Executes dropped EXE
PID:3064 -
\??\c:\pdpvj.exec:\pdpvj.exe38⤵
- Executes dropped EXE
PID:2796 -
\??\c:\rrfffrx.exec:\rrfffrx.exe39⤵
- Executes dropped EXE
PID:2656 -
\??\c:\ttnbnb.exec:\ttnbnb.exe40⤵
- Executes dropped EXE
PID:2560 -
\??\c:\vvdpd.exec:\vvdpd.exe41⤵
- Executes dropped EXE
PID:2972 -
\??\c:\jdvvd.exec:\jdvvd.exe42⤵
- Executes dropped EXE
PID:1852 -
\??\c:\fxrfrfl.exec:\fxrfrfl.exe43⤵
- Executes dropped EXE
PID:1592 -
\??\c:\3tnhbn.exec:\3tnhbn.exe44⤵
- Executes dropped EXE
PID:548 -
\??\c:\3tttbh.exec:\3tttbh.exe45⤵
- Executes dropped EXE
PID:2848 -
\??\c:\9jpvd.exec:\9jpvd.exe46⤵
- Executes dropped EXE
PID:2420 -
\??\c:\ffxrflr.exec:\ffxrflr.exe47⤵
- Executes dropped EXE
PID:700 -
\??\c:\bbnnhh.exec:\bbnnhh.exe48⤵
- Executes dropped EXE
PID:1696 -
\??\c:\jvvvj.exec:\jvvvj.exe49⤵
- Executes dropped EXE
PID:1628 -
\??\c:\ddvpv.exec:\ddvpv.exe50⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xrlxlrx.exec:\xrlxlrx.exe51⤵
- Executes dropped EXE
PID:2076 -
\??\c:\nhnttb.exec:\nhnttb.exe52⤵
- Executes dropped EXE
PID:1264 -
\??\c:\dpjvp.exec:\dpjvp.exe53⤵
- Executes dropped EXE
PID:1976 -
\??\c:\xfxfxfr.exec:\xfxfxfr.exe54⤵
- Executes dropped EXE
PID:1344 -
\??\c:\xrlrflf.exec:\xrlrflf.exe55⤵
- Executes dropped EXE
PID:1816 -
\??\c:\bhbnbh.exec:\bhbnbh.exe56⤵
- Executes dropped EXE
PID:348 -
\??\c:\vpjpd.exec:\vpjpd.exe57⤵
- Executes dropped EXE
PID:1368 -
\??\c:\lfxlxff.exec:\lfxlxff.exe58⤵
- Executes dropped EXE
PID:2240 -
\??\c:\bbbbhh.exec:\bbbbhh.exe59⤵
- Executes dropped EXE
PID:1964 -
\??\c:\dddpj.exec:\dddpj.exe60⤵
- Executes dropped EXE
PID:1868 -
\??\c:\jdvjv.exec:\jdvjv.exe61⤵
- Executes dropped EXE
PID:2024 -
\??\c:\lrlxxrf.exec:\lrlxxrf.exe62⤵
- Executes dropped EXE
PID:1724 -
\??\c:\3bhtbh.exec:\3bhtbh.exe63⤵
- Executes dropped EXE
PID:1992 -
\??\c:\3jdjv.exec:\3jdjv.exe64⤵
- Executes dropped EXE
PID:1936 -
\??\c:\5lxflrx.exec:\5lxflrx.exe65⤵
- Executes dropped EXE
PID:1532 -
\??\c:\llfxlrl.exec:\llfxlrl.exe66⤵PID:1616
-
\??\c:\7nbhnt.exec:\7nbhnt.exe67⤵PID:1564
-
\??\c:\1jdjp.exec:\1jdjp.exe68⤵PID:2308
-
\??\c:\7xllrxf.exec:\7xllrxf.exe69⤵PID:1292
-
\??\c:\hntbnn.exec:\hntbnn.exe70⤵PID:2348
-
\??\c:\jdvjv.exec:\jdvjv.exe71⤵PID:2452
-
\??\c:\5pdvd.exec:\5pdvd.exe72⤵PID:2472
-
\??\c:\rrlrfrf.exec:\rrlrfrf.exe73⤵PID:2192
-
\??\c:\nnntbb.exec:\nnntbb.exe74⤵PID:2392
-
\??\c:\9vdvv.exec:\9vdvv.exe75⤵PID:2740
-
\??\c:\vdvvj.exec:\vdvvj.exe76⤵PID:2248
-
\??\c:\flfllxx.exec:\flfllxx.exe77⤵PID:2660
-
\??\c:\bttntb.exec:\bttntb.exe78⤵PID:2880
-
\??\c:\jjdjp.exec:\jjdjp.exe79⤵PID:3064
-
\??\c:\pvjdp.exec:\pvjdp.exe80⤵PID:2796
-
\??\c:\rlflrfl.exec:\rlflrfl.exe81⤵PID:2656
-
\??\c:\nnnhnt.exec:\nnnhnt.exe82⤵PID:2584
-
\??\c:\vppdj.exec:\vppdj.exe83⤵PID:2556
-
\??\c:\3vppp.exec:\3vppp.exe84⤵PID:1852
-
\??\c:\lrlfxlx.exec:\lrlfxlx.exe85⤵PID:2580
-
\??\c:\nbhhnn.exec:\nbhhnn.exe86⤵PID:2216
-
\??\c:\pjjjv.exec:\pjjjv.exe87⤵PID:2188
-
\??\c:\vvvdv.exec:\vvvdv.exe88⤵PID:2424
-
\??\c:\1xlrxfr.exec:\1xlrxfr.exe89⤵PID:700
-
\??\c:\tbtbtb.exec:\tbtbtb.exe90⤵PID:2272
-
\??\c:\3bthtb.exec:\3bthtb.exe91⤵PID:1628
-
\??\c:\vvvjp.exec:\vvvjp.exe92⤵PID:2056
-
\??\c:\xxrfrxl.exec:\xxrfrxl.exe93⤵PID:2076
-
\??\c:\9bntbh.exec:\9bntbh.exe94⤵PID:2064
-
\??\c:\jdvjp.exec:\jdvjp.exe95⤵PID:1828
-
\??\c:\1ffrflx.exec:\1ffrflx.exe96⤵PID:2524
-
\??\c:\ththhh.exec:\ththhh.exe97⤵PID:2904
-
\??\c:\5nhnbn.exec:\5nhnbn.exe98⤵PID:1644
-
\??\c:\vdpjd.exec:\vdpjd.exe99⤵PID:2416
-
\??\c:\7rflrxf.exec:\7rflrxf.exe100⤵PID:960
-
\??\c:\ttntnn.exec:\ttntnn.exe101⤵PID:1608
-
\??\c:\vpjpv.exec:\vpjpv.exe102⤵PID:300
-
\??\c:\rrlfrxr.exec:\rrlfrxr.exe103⤵PID:1568
-
\??\c:\1lxfflx.exec:\1lxfflx.exe104⤵PID:2112
-
\??\c:\3nnbhn.exec:\3nnbhn.exe105⤵PID:692
-
\??\c:\5pjjv.exec:\5pjjv.exe106⤵PID:1504
-
\??\c:\lrlrffl.exec:\lrlrffl.exe107⤵PID:1280
-
\??\c:\hhhnbb.exec:\hhhnbb.exe108⤵PID:1304
-
\??\c:\7pjvd.exec:\7pjvd.exe109⤵PID:860
-
\??\c:\lfxxlrl.exec:\lfxxlrl.exe110⤵PID:2936
-
\??\c:\lllrxlf.exec:\lllrxlf.exe111⤵PID:1736
-
\??\c:\3vpdv.exec:\3vpdv.exe112⤵PID:2000
-
\??\c:\3fxlrxl.exec:\3fxlrxl.exe113⤵PID:2320
-
\??\c:\hhbbhh.exec:\hhbbhh.exe114⤵PID:2312
-
\??\c:\1vjpd.exec:\1vjpd.exe115⤵PID:2744
-
\??\c:\rrflxfr.exec:\rrflxfr.exe116⤵PID:2184
-
\??\c:\lfrrflx.exec:\lfrrflx.exe117⤵PID:2692
-
\??\c:\ttbtbb.exec:\ttbtbb.exe118⤵PID:2548
-
\??\c:\jppvj.exec:\jppvj.exe119⤵PID:1572
-
\??\c:\fxrxrrr.exec:\fxrxrrr.exe120⤵PID:2700
-
\??\c:\nnthnb.exec:\nnthnb.exe121⤵PID:2880
-
\??\c:\pjvjp.exec:\pjvjp.exe122⤵PID:2844