Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
24-12-2024 00:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe
-
Size
456KB
-
MD5
96b5302905713cbc556dba40b2724fd6
-
SHA1
059cb0172902c0c0aa6bd56642b8d1003d36ec46
-
SHA256
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8
-
SHA512
d6130a9c5496181423b107f6177695ee1fbc0e7625d2c811de46da75f094bec476e14962137240e1e12b4dd010f37f4d8b9bbe1c987b05db2ae6dc3bf89a5403
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRg:q7Tc2NYHUrAwfMp3CDRg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2828-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1160-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-183-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2244-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-231-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1196-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2460-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-601-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2792-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/476-719-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2976-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-980-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2828 3hbbnn.exe 2556 htntnn.exe 2652 pjjpv.exe 2728 ppjpd.exe 2564 xrrlrll.exe 1056 jdpvd.exe 1240 lfxrxxf.exe 1160 hbnntb.exe 1840 pvjdd.exe 2976 tthhth.exe 1036 vpvjd.exe 2844 xxlrffr.exe 2908 tnbbbh.exe 2984 7jdjj.exe 1072 7thbnn.exe 1968 ppddv.exe 2152 xxrfxfx.exe 2120 hhbbtt.exe 2164 jjjpd.exe 2244 ffrllrf.exe 1836 bhhtnh.exe 1028 rlflxfr.exe 1884 tnbhnt.exe 1616 jdpjd.exe 2004 9fflxxl.exe 1732 hbttnt.exe 2632 pjdjv.exe 1196 llxflrr.exe 1564 1nhthn.exe 1984 fffxrrx.exe 2460 lflxfrf.exe 3000 jpdjv.exe 2836 lflxlrr.exe 2808 thbhtb.exe 2744 tnhthn.exe 2652 pdpvd.exe 2580 9lxflxl.exe 2672 bnhnbt.exe 2368 dpddv.exe 1304 xrflrxl.exe 1272 lflxlrx.exe 2084 ththbb.exe 2960 dvvdj.exe 2640 lllxffr.exe 2792 nhtthn.exe 2944 1ppvd.exe 1796 jdjdj.exe 2072 xrlrxxf.exe 2948 3nbtbb.exe 3020 jjvjp.exe 1008 ppppv.exe 2352 rffxrxl.exe 2016 bttthn.exe 2068 dvdpv.exe 2392 jpdjv.exe 444 lfxxlxl.exe 1148 lfrxllx.exe 1040 nnttbh.exe 1956 dvvjv.exe 2428 rrfllxx.exe 2496 fxlrffl.exe 1884 ttnthh.exe 944 nhbbtt.exe 1520 dddjv.exe -
resource yara_rule behavioral1/memory/2828-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-257-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1196-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/476-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-757-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2328-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-917-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-980-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-1005-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-1019-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-1032-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpvp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fllllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2828 2772 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 30 PID 2772 wrote to memory of 2828 2772 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 30 PID 2772 wrote to memory of 2828 2772 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 30 PID 2772 wrote to memory of 2828 2772 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 30 PID 2828 wrote to memory of 2556 2828 3hbbnn.exe 31 PID 2828 wrote to memory of 2556 2828 3hbbnn.exe 31 PID 2828 wrote to memory of 2556 2828 3hbbnn.exe 31 PID 2828 wrote to memory of 2556 2828 3hbbnn.exe 31 PID 2556 wrote to memory of 2652 2556 htntnn.exe 32 PID 2556 wrote to memory of 2652 2556 htntnn.exe 32 PID 2556 wrote to memory of 2652 2556 htntnn.exe 32 PID 2556 wrote to memory of 2652 2556 htntnn.exe 32 PID 2652 wrote to memory of 2728 2652 pjjpv.exe 33 PID 2652 wrote to memory of 2728 2652 pjjpv.exe 33 PID 2652 wrote to memory of 2728 2652 pjjpv.exe 33 PID 2652 wrote to memory of 2728 2652 pjjpv.exe 33 PID 2728 wrote to memory of 2564 2728 ppjpd.exe 34 PID 2728 wrote to memory of 2564 2728 ppjpd.exe 34 PID 2728 wrote to memory of 2564 2728 ppjpd.exe 34 PID 2728 wrote to memory of 2564 2728 ppjpd.exe 34 PID 2564 wrote to memory of 1056 2564 xrrlrll.exe 35 PID 2564 wrote to memory of 1056 2564 xrrlrll.exe 35 PID 2564 wrote to memory of 1056 2564 xrrlrll.exe 35 PID 2564 wrote to memory of 1056 2564 xrrlrll.exe 35 PID 1056 wrote to memory of 1240 1056 jdpvd.exe 36 PID 1056 wrote to memory of 1240 1056 jdpvd.exe 36 PID 1056 wrote to memory of 1240 1056 jdpvd.exe 36 PID 1056 wrote to memory of 1240 1056 jdpvd.exe 36 PID 1240 wrote to memory of 1160 1240 lfxrxxf.exe 37 PID 1240 wrote to memory of 1160 1240 lfxrxxf.exe 37 PID 1240 wrote to memory of 1160 1240 lfxrxxf.exe 37 PID 1240 wrote to memory of 1160 1240 lfxrxxf.exe 37 PID 1160 wrote to memory of 1840 1160 hbnntb.exe 38 PID 1160 wrote to 
memory of 1840 1160 hbnntb.exe 38 PID 1160 wrote to memory of 1840 1160 hbnntb.exe 38 PID 1160 wrote to memory of 1840 1160 hbnntb.exe 38 PID 1840 wrote to memory of 2976 1840 pvjdd.exe 39 PID 1840 wrote to memory of 2976 1840 pvjdd.exe 39 PID 1840 wrote to memory of 2976 1840 pvjdd.exe 39 PID 1840 wrote to memory of 2976 1840 pvjdd.exe 39 PID 2976 wrote to memory of 1036 2976 tthhth.exe 40 PID 2976 wrote to memory of 1036 2976 tthhth.exe 40 PID 2976 wrote to memory of 1036 2976 tthhth.exe 40 PID 2976 wrote to memory of 1036 2976 tthhth.exe 40 PID 1036 wrote to memory of 2844 1036 vpvjd.exe 41 PID 1036 wrote to memory of 2844 1036 vpvjd.exe 41 PID 1036 wrote to memory of 2844 1036 vpvjd.exe 41 PID 1036 wrote to memory of 2844 1036 vpvjd.exe 41 PID 2844 wrote to memory of 2908 2844 xxlrffr.exe 42 PID 2844 wrote to memory of 2908 2844 xxlrffr.exe 42 PID 2844 wrote to memory of 2908 2844 xxlrffr.exe 42 PID 2844 wrote to memory of 2908 2844 xxlrffr.exe 42 PID 2908 wrote to memory of 2984 2908 tnbbbh.exe 43 PID 2908 wrote to memory of 2984 2908 tnbbbh.exe 43 PID 2908 wrote to memory of 2984 2908 tnbbbh.exe 43 PID 2908 wrote to memory of 2984 2908 tnbbbh.exe 43 PID 2984 wrote to memory of 1072 2984 7jdjj.exe 44 PID 2984 wrote to memory of 1072 2984 7jdjj.exe 44 PID 2984 wrote to memory of 1072 2984 7jdjj.exe 44 PID 2984 wrote to memory of 1072 2984 7jdjj.exe 44 PID 1072 wrote to memory of 1968 1072 7thbnn.exe 45 PID 1072 wrote to memory of 1968 1072 7thbnn.exe 45 PID 1072 wrote to memory of 1968 1072 7thbnn.exe 45 PID 1072 wrote to memory of 1968 1072 7thbnn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe"C:\Users\Admin\AppData\Local\Temp\ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\3hbbnn.exec:\3hbbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\htntnn.exec:\htntnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\pjjpv.exec:\pjjpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\ppjpd.exec:\ppjpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\xrrlrll.exec:\xrrlrll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\jdpvd.exec:\jdpvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\lfxrxxf.exec:\lfxrxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\hbnntb.exec:\hbnntb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\pvjdd.exec:\pvjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\tthhth.exec:\tthhth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\vpvjd.exec:\vpvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\xxlrffr.exec:\xxlrffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\tnbbbh.exec:\tnbbbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\7jdjj.exec:\7jdjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\7thbnn.exec:\7thbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\ppddv.exec:\ppddv.exe17⤵
- Executes dropped EXE
PID:1968 -
\??\c:\xxrfxfx.exec:\xxrfxfx.exe18⤵
- Executes dropped EXE
PID:2152 -
\??\c:\hhbbtt.exec:\hhbbtt.exe19⤵
- Executes dropped EXE
PID:2120 -
\??\c:\jjjpd.exec:\jjjpd.exe20⤵
- Executes dropped EXE
PID:2164 -
\??\c:\ffrllrf.exec:\ffrllrf.exe21⤵
- Executes dropped EXE
PID:2244 -
\??\c:\bhhtnh.exec:\bhhtnh.exe22⤵
- Executes dropped EXE
PID:1836 -
\??\c:\rlflxfr.exec:\rlflxfr.exe23⤵
- Executes dropped EXE
PID:1028 -
\??\c:\tnbhnt.exec:\tnbhnt.exe24⤵
- Executes dropped EXE
PID:1884 -
\??\c:\jdpjd.exec:\jdpjd.exe25⤵
- Executes dropped EXE
PID:1616 -
\??\c:\9fflxxl.exec:\9fflxxl.exe26⤵
- Executes dropped EXE
PID:2004 -
\??\c:\hbttnt.exec:\hbttnt.exe27⤵
- Executes dropped EXE
PID:1732 -
\??\c:\pjdjv.exec:\pjdjv.exe28⤵
- Executes dropped EXE
PID:2632 -
\??\c:\llxflrr.exec:\llxflrr.exe29⤵
- Executes dropped EXE
PID:1196 -
\??\c:\1nhthn.exec:\1nhthn.exe30⤵
- Executes dropped EXE
PID:1564 -
\??\c:\fffxrrx.exec:\fffxrrx.exe31⤵
- Executes dropped EXE
PID:1984 -
\??\c:\lflxfrf.exec:\lflxfrf.exe32⤵
- Executes dropped EXE
PID:2460 -
\??\c:\jpdjv.exec:\jpdjv.exe33⤵
- Executes dropped EXE
PID:3000 -
\??\c:\lflxlrr.exec:\lflxlrr.exe34⤵
- Executes dropped EXE
PID:2836 -
\??\c:\thbhtb.exec:\thbhtb.exe35⤵
- Executes dropped EXE
PID:2808 -
\??\c:\tnhthn.exec:\tnhthn.exe36⤵
- Executes dropped EXE
PID:2744 -
\??\c:\pdpvd.exec:\pdpvd.exe37⤵
- Executes dropped EXE
PID:2652 -
\??\c:\9lxflxl.exec:\9lxflxl.exe38⤵
- Executes dropped EXE
PID:2580 -
\??\c:\bnhnbt.exec:\bnhnbt.exe39⤵
- Executes dropped EXE
PID:2672 -
\??\c:\dpddv.exec:\dpddv.exe40⤵
- Executes dropped EXE
PID:2368 -
\??\c:\xrflrxl.exec:\xrflrxl.exe41⤵
- Executes dropped EXE
PID:1304 -
\??\c:\lflxlrx.exec:\lflxlrx.exe42⤵
- Executes dropped EXE
PID:1272 -
\??\c:\ththbb.exec:\ththbb.exe43⤵
- Executes dropped EXE
PID:2084 -
\??\c:\dvvdj.exec:\dvvdj.exe44⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lllxffr.exec:\lllxffr.exe45⤵
- Executes dropped EXE
PID:2640 -
\??\c:\nhtthn.exec:\nhtthn.exe46⤵
- Executes dropped EXE
PID:2792 -
\??\c:\1ppvd.exec:\1ppvd.exe47⤵
- Executes dropped EXE
PID:2944 -
\??\c:\jdjdj.exec:\jdjdj.exe48⤵
- Executes dropped EXE
PID:1796 -
\??\c:\xrlrxxf.exec:\xrlrxxf.exe49⤵
- Executes dropped EXE
PID:2072 -
\??\c:\3nbtbb.exec:\3nbtbb.exe50⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jjvjp.exec:\jjvjp.exe51⤵
- Executes dropped EXE
PID:3020 -
\??\c:\ppppv.exec:\ppppv.exe52⤵
- Executes dropped EXE
PID:1008 -
\??\c:\rffxrxl.exec:\rffxrxl.exe53⤵
- Executes dropped EXE
PID:2352 -
\??\c:\bttthn.exec:\bttthn.exe54⤵
- Executes dropped EXE
PID:2016 -
\??\c:\dvdpv.exec:\dvdpv.exe55⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jpdjv.exec:\jpdjv.exe56⤵
- Executes dropped EXE
PID:2392 -
\??\c:\lfxxlxl.exec:\lfxxlxl.exe57⤵
- Executes dropped EXE
PID:444 -
\??\c:\lfrxllx.exec:\lfrxllx.exe58⤵
- Executes dropped EXE
PID:1148 -
\??\c:\nnttbh.exec:\nnttbh.exe59⤵
- Executes dropped EXE
PID:1040 -
\??\c:\dvvjv.exec:\dvvjv.exe60⤵
- Executes dropped EXE
PID:1956 -
\??\c:\rrfllxx.exec:\rrfllxx.exe61⤵
- Executes dropped EXE
PID:2428 -
\??\c:\fxlrffl.exec:\fxlrffl.exe62⤵
- Executes dropped EXE
PID:2496 -
\??\c:\ttnthh.exec:\ttnthh.exe63⤵
- Executes dropped EXE
PID:1884 -
\??\c:\nhbbtt.exec:\nhbbtt.exe64⤵
- Executes dropped EXE
PID:944 -
\??\c:\dddjv.exec:\dddjv.exe65⤵
- Executes dropped EXE
PID:1520 -
\??\c:\9vddv.exec:\9vddv.exe66⤵PID:2476
-
\??\c:\xrffxfr.exec:\xrffxfr.exe67⤵PID:1684
-
\??\c:\thtthb.exec:\thtthb.exe68⤵PID:3032
-
\??\c:\bthhnn.exec:\bthhnn.exe69⤵PID:1512
-
\??\c:\jdvdp.exec:\jdvdp.exe70⤵PID:2456
-
\??\c:\rxrxlrx.exec:\rxrxlrx.exe71⤵PID:908
-
\??\c:\lfflxfr.exec:\lfflxfr.exe72⤵PID:2824
-
\??\c:\nhbnhh.exec:\nhbnhh.exe73⤵PID:1776
-
\??\c:\dpvvd.exec:\dpvvd.exe74⤵PID:1580
-
\??\c:\frllrrf.exec:\frllrrf.exe75⤵PID:3004
-
\??\c:\lfxxrrx.exec:\lfxxrrx.exe76⤵PID:1604
-
\??\c:\9hhbhb.exec:\9hhbhb.exe77⤵PID:2808
-
\??\c:\dvdjp.exec:\dvdjp.exe78⤵PID:2664
-
\??\c:\xrfflxf.exec:\xrfflxf.exe79⤵PID:2652
-
\??\c:\xlxxlrf.exec:\xlxxlrf.exe80⤵PID:2612
-
\??\c:\9tttbb.exec:\9tttbb.exe81⤵PID:2248
-
\??\c:\ddpjv.exec:\ddpjv.exe82⤵PID:2236
-
\??\c:\xrfffxx.exec:\xrfffxx.exe83⤵PID:1240
-
\??\c:\rlllxlf.exec:\rlllxlf.exe84⤵PID:2872
-
\??\c:\9bbbnt.exec:\9bbbnt.exe85⤵PID:2184
-
\??\c:\jddjd.exec:\jddjd.exe86⤵PID:1504
-
\??\c:\llrxxlx.exec:\llrxxlx.exe87⤵PID:2888
-
\??\c:\rlxflrf.exec:\rlxflrf.exe88⤵PID:2884
-
\??\c:\bhhttn.exec:\bhhttn.exe89⤵PID:2792
-
\??\c:\9vpvp.exec:\9vpvp.exe90⤵PID:2944
-
\??\c:\lfrxffx.exec:\lfrxffx.exe91⤵PID:2968
-
\??\c:\hbtbht.exec:\hbtbht.exe92⤵PID:2440
-
\??\c:\nhbtbh.exec:\nhbtbh.exe93⤵PID:476
-
\??\c:\5vppj.exec:\5vppj.exe94⤵PID:1980
-
\??\c:\rffrrxr.exec:\rffrrxr.exe95⤵PID:320
-
\??\c:\ttnbnt.exec:\ttnbnt.exe96⤵PID:2076
-
\??\c:\bbthnn.exec:\bbthnn.exe97⤵PID:2816
-
\??\c:\7ppdv.exec:\7ppdv.exe98⤵PID:2380
-
\??\c:\ffxlllx.exec:\ffxlllx.exe99⤵PID:2164
-
\??\c:\5xlrxxl.exec:\5xlrxxl.exe100⤵PID:2244
-
\??\c:\3hhntt.exec:\3hhntt.exe101⤵PID:1692
-
\??\c:\5pjjd.exec:\5pjjd.exe102⤵PID:616
-
\??\c:\1ppdj.exec:\1ppdj.exe103⤵PID:1044
-
\??\c:\xllrllr.exec:\xllrllr.exe104⤵PID:696
-
\??\c:\7tnnbb.exec:\7tnnbb.exe105⤵PID:1000
-
\??\c:\3hnnbn.exec:\3hnnbn.exe106⤵PID:2268
-
\??\c:\7dvdp.exec:\7dvdp.exe107⤵PID:2004
-
\??\c:\lrllxxf.exec:\lrllxxf.exe108⤵PID:2432
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe109⤵PID:2328
-
\??\c:\hbbhtb.exec:\hbbhtb.exe110⤵PID:1624
-
\??\c:\1bttbh.exec:\1bttbh.exe111⤵PID:2276
-
\??\c:\pjdjd.exec:\pjdjd.exe112⤵PID:1996
-
\??\c:\3xxxflf.exec:\3xxxflf.exe113⤵PID:1960
-
\??\c:\fxrfllr.exec:\fxrfllr.exe114⤵PID:1752
-
\??\c:\7nnhbb.exec:\7nnhbb.exe115⤵PID:2780
-
\??\c:\vpjjd.exec:\vpjjd.exe116⤵PID:2684
-
\??\c:\ddpvd.exec:\ddpvd.exe117⤵PID:860
-
\??\c:\fxrrffl.exec:\fxrrffl.exe118⤵PID:2732
-
\??\c:\hbttnb.exec:\hbttnb.exe119⤵PID:2760
-
\??\c:\9hhnbh.exec:\9hhnbh.exe120⤵PID:2744
-
\??\c:\jdvvj.exec:\jdvvj.exe121⤵PID:288
-
\??\c:\lxxrffl.exec:\lxxrffl.exe122⤵PID:2616