Analysis
-
max time kernel
150s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 22:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe
-
Size
454KB
-
MD5
e9d2fcb199de9aa37ac5a6a763b3db5d
-
SHA1
18caafcfc0a2881d2cfd896dd5fe7ba4a87f4643
-
SHA256
7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855
-
SHA512
d4e8656c7ae6f637e7ff0e05e833ce060d39caeb4c9648be0633c2b359e1b24928fa4cdd728bf42e7a52287c9533fb17aacfcfc3539accad6cd56e34e21dbd25
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 36 IoCs
resource yara_rule behavioral1/memory/2296-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-44-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/408-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-215-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/936-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3068-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/408-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/956-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-533-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2380-654-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1872-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-1067-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1340 nnbntb.exe 2188 bhtthn.exe 2848 rxfffxl.exe 2844 9jdpd.exe 408 hbntnt.exe 2868 1xlllll.exe 2736 3dpvj.exe 2732 xxlxflx.exe 2740 ppvdp.exe 1036 ddjdd.exe 2388 ttbbnt.exe 2444 1xxrxxf.exe 772 thhnnn.exe 1084 7lflrxr.exe 2612 bttbhh.exe 1868 hbhttb.exe 2780 9jdpj.exe 1744 hnbnbh.exe 1768 5vppv.exe 2348 3bttbh.exe 2164 djvvj.exe 2028 lxrfrxr.exe 2132 thtbnt.exe 936 vddjd.exe 2120 tthhbb.exe 1288 xxfrrrf.exe 732 bbntht.exe 2064 fxflxxl.exe 1676 pdjpp.exe 1784 dvpdj.exe 3052 ntbbbh.exe 2152 dvjjv.exe 2200 tbbhht.exe 3068 ppdjv.exe 2308 lrfflll.exe 108 nbbthb.exe 2800 jjvdv.exe 2380 rfxflrf.exe 2888 hhtnbb.exe 2880 htbntt.exe 2212 vpjjp.exe 2808 lrffrxl.exe 408 1bnbnb.exe 2944 nnhnbn.exe 2804 fflrlxl.exe 1732 xfxfxlx.exe 1276 bhtbhn.exe 1616 ddvvd.exe 956 lrffrxl.exe 2100 tbhhnb.exe 2012 pvpvj.exe 2032 jpdjp.exe 1960 xxrlxlx.exe 2984 7nhnnb.exe 856 vvjpp.exe 2588 5fxfxfl.exe 3044 3llrrrx.exe 2780 bhhhnt.exe 836 pvpdj.exe 1388 lxrrflf.exe 2096 htbhtn.exe 2672 hnhnth.exe 808 pvjvj.exe 2148 rxllxfl.exe -
resource yara_rule behavioral1/memory/2296-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/408-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-545-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2828-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-1036-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-1067-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-1178-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfflxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlllrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlflxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
pjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rllrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 1340 2296 7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe 30 PID 2296 wrote to memory of 1340 2296 7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe 30 PID 2296 wrote to memory of 1340 2296 7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe 30 PID 2296 wrote to memory of 1340 2296 7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe 30 PID 1340 wrote to memory of 2188 1340 nnbntb.exe 31 PID 1340 wrote to memory of 2188 1340 nnbntb.exe 31 PID 1340 wrote to memory of 2188 1340 nnbntb.exe 31 PID 1340 wrote to memory of 2188 1340 nnbntb.exe 31 PID 2188 wrote to memory of 2848 2188 bhtthn.exe 32 PID 2188 wrote to memory of 2848 2188 bhtthn.exe 32 PID 2188 wrote to memory of 2848 2188 bhtthn.exe 32 PID 2188 wrote to memory of 2848 2188 bhtthn.exe 32 PID 2848 wrote to memory of 2844 2848 rxfffxl.exe 33 PID 2848 wrote to memory of 2844 2848 rxfffxl.exe 33 PID 2848 wrote to memory of 2844 2848 rxfffxl.exe 33 PID 2848 wrote to memory of 2844 2848 rxfffxl.exe 33 PID 2844 wrote to memory of 408 2844 9jdpd.exe 34 PID 2844 wrote to memory of 408 2844 9jdpd.exe 34 PID 2844 wrote to memory of 408 2844 9jdpd.exe 34 PID 2844 wrote to memory of 408 2844 9jdpd.exe 34 PID 408 wrote to memory of 2868 408 hbntnt.exe 35 PID 408 wrote to memory of 2868 408 hbntnt.exe 35 PID 408 wrote to memory of 2868 408 hbntnt.exe 35 PID 408 wrote to memory of 2868 408 hbntnt.exe 35 PID 2868 wrote to memory of 2736 2868 1xlllll.exe 36 PID 2868 wrote to memory of 2736 2868 1xlllll.exe 36 PID 2868 wrote to memory of 2736 2868 1xlllll.exe 36 PID 2868 wrote to memory of 2736 2868 1xlllll.exe 36 PID 2736 wrote to memory of 2732 2736 3dpvj.exe 37 PID 2736 wrote to memory of 2732 2736 3dpvj.exe 37 PID 2736 wrote to memory of 2732 2736 3dpvj.exe 37 PID 2736 wrote to memory of 2732 2736 3dpvj.exe 37 PID 2732 wrote to memory of 2740 2732 xxlxflx.exe 38 PID 2732 wrote to memory 
of 2740 2732 xxlxflx.exe 38 PID 2732 wrote to memory of 2740 2732 xxlxflx.exe 38 PID 2732 wrote to memory of 2740 2732 xxlxflx.exe 38 PID 2740 wrote to memory of 1036 2740 ppvdp.exe 39 PID 2740 wrote to memory of 1036 2740 ppvdp.exe 39 PID 2740 wrote to memory of 1036 2740 ppvdp.exe 39 PID 2740 wrote to memory of 1036 2740 ppvdp.exe 39 PID 1036 wrote to memory of 2388 1036 ddjdd.exe 40 PID 1036 wrote to memory of 2388 1036 ddjdd.exe 40 PID 1036 wrote to memory of 2388 1036 ddjdd.exe 40 PID 1036 wrote to memory of 2388 1036 ddjdd.exe 40 PID 2388 wrote to memory of 2444 2388 ttbbnt.exe 41 PID 2388 wrote to memory of 2444 2388 ttbbnt.exe 41 PID 2388 wrote to memory of 2444 2388 ttbbnt.exe 41 PID 2388 wrote to memory of 2444 2388 ttbbnt.exe 41 PID 2444 wrote to memory of 772 2444 1xxrxxf.exe 42 PID 2444 wrote to memory of 772 2444 1xxrxxf.exe 42 PID 2444 wrote to memory of 772 2444 1xxrxxf.exe 42 PID 2444 wrote to memory of 772 2444 1xxrxxf.exe 42 PID 772 wrote to memory of 1084 772 thhnnn.exe 43 PID 772 wrote to memory of 1084 772 thhnnn.exe 43 PID 772 wrote to memory of 1084 772 thhnnn.exe 43 PID 772 wrote to memory of 1084 772 thhnnn.exe 43 PID 1084 wrote to memory of 2612 1084 7lflrxr.exe 44 PID 1084 wrote to memory of 2612 1084 7lflrxr.exe 44 PID 1084 wrote to memory of 2612 1084 7lflrxr.exe 44 PID 1084 wrote to memory of 2612 1084 7lflrxr.exe 44 PID 2612 wrote to memory of 1868 2612 bttbhh.exe 45 PID 2612 wrote to memory of 1868 2612 bttbhh.exe 45 PID 2612 wrote to memory of 1868 2612 bttbhh.exe 45 PID 2612 wrote to memory of 1868 2612 bttbhh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe"C:\Users\Admin\AppData\Local\Temp\7a7a672064c0cb2c6c83277c7c12d76833c8d1c7a331fc04a06ce22cc030b855.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\nnbntb.exec:\nnbntb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\bhtthn.exec:\bhtthn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\rxfffxl.exec:\rxfffxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\9jdpd.exec:\9jdpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\hbntnt.exec:\hbntnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\1xlllll.exec:\1xlllll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\3dpvj.exec:\3dpvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\xxlxflx.exec:\xxlxflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\ppvdp.exec:\ppvdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\ddjdd.exec:\ddjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\ttbbnt.exec:\ttbbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\1xxrxxf.exec:\1xxrxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\thhnnn.exec:\thhnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\7lflrxr.exec:\7lflrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\bttbhh.exec:\bttbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\hbhttb.exec:\hbhttb.exe17⤵
- Executes dropped EXE
PID:1868 -
\??\c:\9jdpj.exec:\9jdpj.exe18⤵
- Executes dropped EXE
PID:2780 -
\??\c:\hnbnbh.exec:\hnbnbh.exe19⤵
- Executes dropped EXE
PID:1744 -
\??\c:\5vppv.exec:\5vppv.exe20⤵
- Executes dropped EXE
PID:1768 -
\??\c:\3bttbh.exec:\3bttbh.exe21⤵
- Executes dropped EXE
PID:2348 -
\??\c:\djvvj.exec:\djvvj.exe22⤵
- Executes dropped EXE
PID:2164 -
\??\c:\lxrfrxr.exec:\lxrfrxr.exe23⤵
- Executes dropped EXE
PID:2028 -
\??\c:\thtbnt.exec:\thtbnt.exe24⤵
- Executes dropped EXE
PID:2132 -
\??\c:\vddjd.exec:\vddjd.exe25⤵
- Executes dropped EXE
PID:936 -
\??\c:\tthhbb.exec:\tthhbb.exe26⤵
- Executes dropped EXE
PID:2120 -
\??\c:\xxfrrrf.exec:\xxfrrrf.exe27⤵
- Executes dropped EXE
PID:1288 -
\??\c:\bbntht.exec:\bbntht.exe28⤵
- Executes dropped EXE
PID:732 -
\??\c:\fxflxxl.exec:\fxflxxl.exe29⤵
- Executes dropped EXE
PID:2064 -
\??\c:\pdjpp.exec:\pdjpp.exe30⤵
- Executes dropped EXE
PID:1676 -
\??\c:\dvpdj.exec:\dvpdj.exe31⤵
- Executes dropped EXE
PID:1784 -
\??\c:\ntbbbh.exec:\ntbbbh.exe32⤵
- Executes dropped EXE
PID:3052 -
\??\c:\dvjjv.exec:\dvjjv.exe33⤵
- Executes dropped EXE
PID:2152 -
\??\c:\tbbhht.exec:\tbbhht.exe34⤵
- Executes dropped EXE
PID:2200 -
\??\c:\ppdjv.exec:\ppdjv.exe35⤵
- Executes dropped EXE
PID:3068 -
\??\c:\lrfflll.exec:\lrfflll.exe36⤵
- Executes dropped EXE
PID:2308 -
\??\c:\nbbthb.exec:\nbbthb.exe37⤵
- Executes dropped EXE
PID:108 -
\??\c:\jjvdv.exec:\jjvdv.exe38⤵
- Executes dropped EXE
PID:2800 -
\??\c:\rfxflrf.exec:\rfxflrf.exe39⤵
- Executes dropped EXE
PID:2380 -
\??\c:\hhtnbb.exec:\hhtnbb.exe40⤵
- Executes dropped EXE
PID:2888 -
\??\c:\htbntt.exec:\htbntt.exe41⤵
- Executes dropped EXE
PID:2880 -
\??\c:\vpjjp.exec:\vpjjp.exe42⤵
- Executes dropped EXE
PID:2212 -
\??\c:\lrffrxl.exec:\lrffrxl.exe43⤵
- Executes dropped EXE
PID:2808 -
\??\c:\1bnbnb.exec:\1bnbnb.exe44⤵
- Executes dropped EXE
PID:408 -
\??\c:\nnhnbn.exec:\nnhnbn.exe45⤵
- Executes dropped EXE
PID:2944 -
\??\c:\fflrlxl.exec:\fflrlxl.exe46⤵
- Executes dropped EXE
PID:2804 -
\??\c:\xfxfxlx.exec:\xfxfxlx.exe47⤵
- Executes dropped EXE
PID:1732 -
\??\c:\bhtbhn.exec:\bhtbhn.exe48⤵
- Executes dropped EXE
PID:1276 -
\??\c:\ddvvd.exec:\ddvvd.exe49⤵
- Executes dropped EXE
PID:1616 -
\??\c:\lrffrxl.exec:\lrffrxl.exe50⤵
- Executes dropped EXE
PID:956 -
\??\c:\tbhhnb.exec:\tbhhnb.exe51⤵
- Executes dropped EXE
PID:2100 -
\??\c:\pvpvj.exec:\pvpvj.exe52⤵
- Executes dropped EXE
PID:2012 -
\??\c:\jpdjp.exec:\jpdjp.exe53⤵
- Executes dropped EXE
PID:2032 -
\??\c:\xxrlxlx.exec:\xxrlxlx.exe54⤵
- Executes dropped EXE
PID:1960 -
\??\c:\7nhnnb.exec:\7nhnnb.exe55⤵
- Executes dropped EXE
PID:2984 -
\??\c:\vvjpp.exec:\vvjpp.exe56⤵
- Executes dropped EXE
PID:856 -
\??\c:\5fxfxfl.exec:\5fxfxfl.exe57⤵
- Executes dropped EXE
PID:2588 -
\??\c:\3llrrrx.exec:\3llrrrx.exe58⤵
- Executes dropped EXE
PID:3044 -
\??\c:\bhhhnt.exec:\bhhhnt.exe59⤵
- Executes dropped EXE
PID:2780 -
\??\c:\pvpdj.exec:\pvpdj.exe60⤵
- Executes dropped EXE
PID:836 -
\??\c:\lxrrflf.exec:\lxrrflf.exe61⤵
- Executes dropped EXE
PID:1388 -
\??\c:\htbhtn.exec:\htbhtn.exe62⤵
- Executes dropped EXE
PID:2096 -
\??\c:\hnhnth.exec:\hnhnth.exe63⤵
- Executes dropped EXE
PID:2672 -
\??\c:\pvjvj.exec:\pvjvj.exe64⤵
- Executes dropped EXE
PID:808 -
\??\c:\rxllxfl.exec:\rxllxfl.exe65⤵
- Executes dropped EXE
PID:2148 -
\??\c:\9nhhnb.exec:\9nhhnb.exe66⤵PID:908
-
\??\c:\jvjpp.exec:\jvjpp.exe67⤵PID:2540
-
\??\c:\5xlxfrf.exec:\5xlxfrf.exe68⤵PID:2016
-
\??\c:\llllrxl.exec:\llllrxl.exe69⤵PID:876
-
\??\c:\tbtbtb.exec:\tbtbtb.exe70⤵PID:1556
-
\??\c:\9djjv.exec:\9djjv.exe71⤵PID:1760
-
\??\c:\lxfrxfl.exec:\lxfrxfl.exe72⤵PID:732
-
\??\c:\3llrlrx.exec:\3llrlrx.exe73⤵PID:1712
-
\??\c:\bhthnt.exec:\bhthnt.exe74⤵PID:1332
-
\??\c:\ppvjp.exec:\ppvjp.exe75⤵PID:1516
-
\??\c:\pdpvj.exec:\pdpvj.exe76⤵PID:584
-
\??\c:\lfrrlrx.exec:\lfrrlrx.exe77⤵PID:1156
-
\??\c:\tbhtbb.exec:\tbhtbb.exe78⤵PID:2152
-
\??\c:\tthhnb.exec:\tthhnb.exe79⤵PID:1500
-
\??\c:\ddppp.exec:\ddppp.exe80⤵PID:1604
-
\??\c:\xfxxlrx.exec:\xfxxlrx.exe81⤵PID:2976
-
\??\c:\xfrxlxx.exec:\xfrxlxx.exe82⤵PID:108
-
\??\c:\hhtbnh.exec:\hhtbnh.exe83⤵PID:2884
-
\??\c:\9dvpd.exec:\9dvpd.exe84⤵PID:2380
-
\??\c:\7ddvv.exec:\7ddvv.exe85⤵PID:2936
-
\??\c:\ffxllrl.exec:\ffxllrl.exe86⤵PID:2932
-
\??\c:\hhtbnb.exec:\hhtbnb.exe87⤵PID:2792
-
\??\c:\vvvjp.exec:\vvvjp.exe88⤵PID:2828
-
\??\c:\xflflrf.exec:\xflflrf.exe89⤵PID:2684
-
\??\c:\fllrflr.exec:\fllrflr.exe90⤵PID:2720
-
\??\c:\3nhnth.exec:\3nhnth.exe91⤵PID:2368
-
\??\c:\3dpdd.exec:\3dpdd.exe92⤵PID:1344
-
\??\c:\3flrffr.exec:\3flrffr.exe93⤵PID:2056
-
\??\c:\llrlrff.exec:\llrlrff.exe94⤵PID:2060
-
\??\c:\9nbhtb.exec:\9nbhtb.exe95⤵PID:1520
-
\??\c:\3vpdj.exec:\3vpdj.exe96⤵PID:2444
-
\??\c:\9vpvj.exec:\9vpvj.exe97⤵PID:2980
-
\??\c:\xlxrfrx.exec:\xlxrfrx.exe98⤵PID:2032
-
\??\c:\ntntnb.exec:\ntntnb.exe99⤵PID:3004
-
\??\c:\7nhntb.exec:\7nhntb.exe100⤵PID:2984
-
\??\c:\dddjp.exec:\dddjp.exe101⤵PID:3028
-
\??\c:\rxflrxf.exec:\rxflrxf.exe102⤵PID:2588
-
\??\c:\lrfrxlr.exec:\lrfrxlr.exe103⤵PID:3044
-
\??\c:\hhbhth.exec:\hhbhth.exe104⤵PID:888
-
\??\c:\jjvvj.exec:\jjvvj.exe105⤵PID:2404
-
\??\c:\rxlrxlr.exec:\rxlrxlr.exe106⤵PID:2088
-
\??\c:\fxflfrf.exec:\fxflfrf.exe107⤵PID:2636
-
\??\c:\7httbb.exec:\7httbb.exe108⤵PID:2196
-
\??\c:\ppvdp.exec:\ppvdp.exe109⤵PID:2216
-
\??\c:\3jvdj.exec:\3jvdj.exe110⤵PID:2144
-
\??\c:\llxflfl.exec:\llxflfl.exe111⤵PID:1192
-
\??\c:\hhnhnt.exec:\hhnhnt.exe112⤵PID:2540
-
\??\c:\7vpvj.exec:\7vpvj.exe113⤵PID:2352
-
\??\c:\frrxxff.exec:\frrxxff.exe114⤵PID:1668
-
\??\c:\lfrfrfr.exec:\lfrfrfr.exe115⤵PID:1816
-
\??\c:\nbhtbt.exec:\nbhtbt.exe116⤵PID:2616
-
\??\c:\vdjjd.exec:\vdjjd.exe117⤵PID:1872
-
\??\c:\ppdpd.exec:\ppdpd.exe118⤵PID:1952
-
\??\c:\ffxfrxf.exec:\ffxfrxf.exe119⤵PID:1676
-
\??\c:\nnhnbh.exec:\nnhnbh.exe120⤵PID:1216
-
\??\c:\1dvdp.exec:\1dvdp.exe121⤵PID:2624
-
\??\c:\vdppv.exec:\vdppv.exe122⤵PID:1100