Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
25-12-2024 21:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe
-
Size
454KB
-
MD5
0b078ebacccd07d787dbd40129f6ff72
-
SHA1
5a338e27970c3d7c9a47bd6a6ea281eee5e94e95
-
SHA256
4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3
-
SHA512
7be103f8ae92e0e721c948a00884d583a90481997d52856482dd184878c521e57f67433854d932a113b732cc08e541d037e4550cd9776202851db12b76f93a7f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs (all matches are YARA hits on process memory dumps, not on the file on disk; the same 0x400000–0x42A000 image regions also match the UPX rule below, consistent with a packed binary whose payload is only visible once unpacked in memory)
resource yara_rule behavioral1/memory/2648-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-37-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2736-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-96-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/768-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-322-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2740-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-390-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1772-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-605-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2760-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1508-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-85-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1632-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-806-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1504-805-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3060-885-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each stage drops a short, pseudo-randomly named executable into the root of C:\ and launches it as its child, producing the 120+-deep parent/child chain shown in the process tree below)
pid Process 2760 hbthnb.exe 2676 dvjpv.exe 2736 xxlxfll.exe 1632 tnnnth.exe 2540 ddjvv.exe 2272 tnbhbh.exe 2816 9jjjd.exe 1252 rlfrffl.exe 1356 1htbnh.exe 2096 djvvj.exe 3000 rlxxllx.exe 768 bbnttb.exe 2880 ppvjv.exe 2948 fxlrxfr.exe 2944 bthnhh.exe 544 vdpjj.exe 2196 llxrxxl.exe 2232 nnbhtb.exe 2112 7pjpd.exe 884 xxrxxrf.exe 2020 btttbn.exe 1960 vvpvj.exe 1864 llflrrf.exe 328 3vjjp.exe 1228 ffrxlxr.exe 1920 hbnnbh.exe 2276 dvpdp.exe 2024 flflllf.exe 264 nnnbtt.exe 1504 jjdjv.exe 552 bhnbtn.exe 2960 7pjpj.exe 2812 pvjjd.exe 2772 hbnnhh.exe 2712 vppvj.exe 2740 pjpjv.exe 2904 fxflrxl.exe 1404 thbbnn.exe 2252 jpjpv.exe 1720 5xrxllx.exe 2052 lrlrfxf.exe 1020 hbhhbh.exe 2856 tnbnnb.exe 2644 ddvjv.exe 2932 rlxlrrx.exe 2724 rlfrflf.exe 528 bhbhht.exe 1784 9ppdv.exe 2160 rfrflxl.exe 3036 fxlffxf.exe 1248 bthhtb.exe 2420 tnhnhh.exe 444 vvvdv.exe 1320 xllfrff.exe 988 thhntb.exe 2848 nnbbbn.exe 1852 pjvdp.exe 1508 vvjdv.exe 1112 xrxxxlr.exe 2512 7lxxflr.exe 1212 hnthtb.exe 1920 pjjjv.exe 1436 pvpjj.exe 2756 xlfflrx.exe -
resource yara_rule behavioral1/memory/2760-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1112-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-488-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2644-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-862-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-876-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-903-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-901-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that most rows below attribute the read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language to "Process not Found", meaning the sandbox could not map the event to a live process, and this key is also commonly read during benign locale initialization; on its own it is weak evidence of deliberate geofencing and should be weighed together with the Blackmoon memory matches and the dropped-EXE chain.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes into the child it has just spawned, four recorded writes per parent/child pair; the report records only the API call, so whether this is injection into the child or ordinary process setup is not established here)
description pid Process procid_target PID 2648 wrote to memory of 2760 2648 4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe 101 PID 2648 wrote to memory of 2760 2648 4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe 101 PID 2648 wrote to memory of 2760 2648 4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe 101 PID 2648 wrote to memory of 2760 2648 4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe 101 PID 2760 wrote to memory of 2676 2760 hbthnb.exe 32 PID 2760 wrote to memory of 2676 2760 hbthnb.exe 32 PID 2760 wrote to memory of 2676 2760 hbthnb.exe 32 PID 2760 wrote to memory of 2676 2760 hbthnb.exe 32 PID 2676 wrote to memory of 2736 2676 dvjpv.exe 33 PID 2676 wrote to memory of 2736 2676 dvjpv.exe 33 PID 2676 wrote to memory of 2736 2676 dvjpv.exe 33 PID 2676 wrote to memory of 2736 2676 dvjpv.exe 33 PID 2736 wrote to memory of 1632 2736 xxlxfll.exe 34 PID 2736 wrote to memory of 1632 2736 xxlxfll.exe 34 PID 2736 wrote to memory of 1632 2736 xxlxfll.exe 34 PID 2736 wrote to memory of 1632 2736 xxlxfll.exe 34 PID 1632 wrote to memory of 2540 1632 tnnnth.exe 35 PID 1632 wrote to memory of 2540 1632 tnnnth.exe 35 PID 1632 wrote to memory of 2540 1632 tnnnth.exe 35 PID 1632 wrote to memory of 2540 1632 tnnnth.exe 35 PID 2540 wrote to memory of 2272 2540 ddjvv.exe 36 PID 2540 wrote to memory of 2272 2540 ddjvv.exe 36 PID 2540 wrote to memory of 2272 2540 ddjvv.exe 36 PID 2540 wrote to memory of 2272 2540 ddjvv.exe 36 PID 2272 wrote to memory of 2816 2272 tnbhbh.exe 37 PID 2272 wrote to memory of 2816 2272 tnbhbh.exe 37 PID 2272 wrote to memory of 2816 2272 tnbhbh.exe 37 PID 2272 wrote to memory of 2816 2272 tnbhbh.exe 37 PID 2816 wrote to memory of 1252 2816 9jjjd.exe 38 PID 2816 wrote to memory of 1252 2816 9jjjd.exe 38 PID 2816 wrote to memory of 1252 2816 9jjjd.exe 38 PID 2816 wrote to memory of 1252 2816 9jjjd.exe 38 PID 1252 wrote to memory of 1356 1252 rlfrffl.exe 39 PID 1252 wrote 
to memory of 1356 1252 rlfrffl.exe 39 PID 1252 wrote to memory of 1356 1252 rlfrffl.exe 39 PID 1252 wrote to memory of 1356 1252 rlfrffl.exe 39 PID 1356 wrote to memory of 2096 1356 1htbnh.exe 40 PID 1356 wrote to memory of 2096 1356 1htbnh.exe 40 PID 1356 wrote to memory of 2096 1356 1htbnh.exe 40 PID 1356 wrote to memory of 2096 1356 1htbnh.exe 40 PID 2096 wrote to memory of 3000 2096 djvvj.exe 41 PID 2096 wrote to memory of 3000 2096 djvvj.exe 41 PID 2096 wrote to memory of 3000 2096 djvvj.exe 41 PID 2096 wrote to memory of 3000 2096 djvvj.exe 41 PID 3000 wrote to memory of 768 3000 rlxxllx.exe 42 PID 3000 wrote to memory of 768 3000 rlxxllx.exe 42 PID 3000 wrote to memory of 768 3000 rlxxllx.exe 42 PID 3000 wrote to memory of 768 3000 rlxxllx.exe 42 PID 768 wrote to memory of 2880 768 bbnttb.exe 43 PID 768 wrote to memory of 2880 768 bbnttb.exe 43 PID 768 wrote to memory of 2880 768 bbnttb.exe 43 PID 768 wrote to memory of 2880 768 bbnttb.exe 43 PID 2880 wrote to memory of 2948 2880 ppvjv.exe 44 PID 2880 wrote to memory of 2948 2880 ppvjv.exe 44 PID 2880 wrote to memory of 2948 2880 ppvjv.exe 44 PID 2880 wrote to memory of 2948 2880 ppvjv.exe 44 PID 2948 wrote to memory of 2944 2948 fxlrxfr.exe 45 PID 2948 wrote to memory of 2944 2948 fxlrxfr.exe 45 PID 2948 wrote to memory of 2944 2948 fxlrxfr.exe 45 PID 2948 wrote to memory of 2944 2948 fxlrxfr.exe 45 PID 2944 wrote to memory of 544 2944 bthnhh.exe 46 PID 2944 wrote to memory of 544 2944 bthnhh.exe 46 PID 2944 wrote to memory of 544 2944 bthnhh.exe 46 PID 2944 wrote to memory of 544 2944 bthnhh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe"C:\Users\Admin\AppData\Local\Temp\4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\hbthnb.exec:\hbthnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\dvjpv.exec:\dvjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\xxlxfll.exec:\xxlxfll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\tnnnth.exec:\tnnnth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\ddjvv.exec:\ddjvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\tnbhbh.exec:\tnbhbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\9jjjd.exec:\9jjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\rlfrffl.exec:\rlfrffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\1htbnh.exec:\1htbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\djvvj.exec:\djvvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\rlxxllx.exec:\rlxxllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\bbnttb.exec:\bbnttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\ppvjv.exec:\ppvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\fxlrxfr.exec:\fxlrxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\bthnhh.exec:\bthnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\vdpjj.exec:\vdpjj.exe17⤵
- Executes dropped EXE
PID:544 -
\??\c:\llxrxxl.exec:\llxrxxl.exe18⤵
- Executes dropped EXE
PID:2196 -
\??\c:\nnbhtb.exec:\nnbhtb.exe19⤵
- Executes dropped EXE
PID:2232 -
\??\c:\7pjpd.exec:\7pjpd.exe20⤵
- Executes dropped EXE
PID:2112 -
\??\c:\xxrxxrf.exec:\xxrxxrf.exe21⤵
- Executes dropped EXE
PID:884 -
\??\c:\btttbn.exec:\btttbn.exe22⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vvpvj.exec:\vvpvj.exe23⤵
- Executes dropped EXE
PID:1960 -
\??\c:\llflrrf.exec:\llflrrf.exe24⤵
- Executes dropped EXE
PID:1864 -
\??\c:\3vjjp.exec:\3vjjp.exe25⤵
- Executes dropped EXE
PID:328 -
\??\c:\ffrxlxr.exec:\ffrxlxr.exe26⤵
- Executes dropped EXE
PID:1228 -
\??\c:\hbnnbh.exec:\hbnnbh.exe27⤵
- Executes dropped EXE
PID:1920 -
\??\c:\dvpdp.exec:\dvpdp.exe28⤵
- Executes dropped EXE
PID:2276 -
\??\c:\flflllf.exec:\flflllf.exe29⤵
- Executes dropped EXE
PID:2024 -
\??\c:\nnnbtt.exec:\nnnbtt.exe30⤵
- Executes dropped EXE
PID:264 -
\??\c:\jjdjv.exec:\jjdjv.exe31⤵
- Executes dropped EXE
PID:1504 -
\??\c:\bhnbtn.exec:\bhnbtn.exe32⤵
- Executes dropped EXE
PID:552 -
\??\c:\7pjpj.exec:\7pjpj.exe33⤵
- Executes dropped EXE
PID:2960 -
\??\c:\pvjjd.exec:\pvjjd.exe34⤵
- Executes dropped EXE
PID:2812 -
\??\c:\hbnnhh.exec:\hbnnhh.exe35⤵
- Executes dropped EXE
PID:2772 -
\??\c:\vppvj.exec:\vppvj.exe36⤵
- Executes dropped EXE
PID:2712 -
\??\c:\pjpjv.exec:\pjpjv.exe37⤵
- Executes dropped EXE
PID:2740 -
\??\c:\fxflrxl.exec:\fxflrxl.exe38⤵
- Executes dropped EXE
PID:2904 -
\??\c:\thbbnn.exec:\thbbnn.exe39⤵
- Executes dropped EXE
PID:1404 -
\??\c:\jpjpv.exec:\jpjpv.exe40⤵
- Executes dropped EXE
PID:2252 -
\??\c:\5xrxllx.exec:\5xrxllx.exe41⤵
- Executes dropped EXE
PID:1720 -
\??\c:\lrlrfxf.exec:\lrlrfxf.exe42⤵
- Executes dropped EXE
PID:2052 -
\??\c:\hbhhbh.exec:\hbhhbh.exe43⤵
- Executes dropped EXE
PID:1020 -
\??\c:\tnbnnb.exec:\tnbnnb.exe44⤵
- Executes dropped EXE
PID:2856 -
\??\c:\ddvjv.exec:\ddvjv.exe45⤵
- Executes dropped EXE
PID:2644 -
\??\c:\rlxlrrx.exec:\rlxlrrx.exe46⤵
- Executes dropped EXE
PID:2932 -
\??\c:\rlfrflf.exec:\rlfrflf.exe47⤵
- Executes dropped EXE
PID:2724 -
\??\c:\bhbhht.exec:\bhbhht.exe48⤵
- Executes dropped EXE
PID:528 -
\??\c:\9ppdv.exec:\9ppdv.exe49⤵
- Executes dropped EXE
PID:1784 -
\??\c:\rfrflxl.exec:\rfrflxl.exe50⤵
- Executes dropped EXE
PID:2160 -
\??\c:\fxlffxf.exec:\fxlffxf.exe51⤵
- Executes dropped EXE
PID:3036 -
\??\c:\bthhtb.exec:\bthhtb.exe52⤵
- Executes dropped EXE
PID:1248 -
\??\c:\tnhnhh.exec:\tnhnhh.exe53⤵
- Executes dropped EXE
PID:2420 -
\??\c:\vvvdv.exec:\vvvdv.exe54⤵
- Executes dropped EXE
PID:444 -
\??\c:\xllfrff.exec:\xllfrff.exe55⤵
- Executes dropped EXE
PID:1320 -
\??\c:\thhntb.exec:\thhntb.exe56⤵
- Executes dropped EXE
PID:988 -
\??\c:\nnbbbn.exec:\nnbbbn.exe57⤵
- Executes dropped EXE
PID:2848 -
\??\c:\pjvdp.exec:\pjvdp.exe58⤵
- Executes dropped EXE
PID:1852 -
\??\c:\vvjdv.exec:\vvjdv.exe59⤵
- Executes dropped EXE
PID:1508 -
\??\c:\xrxxxlr.exec:\xrxxxlr.exe60⤵
- Executes dropped EXE
PID:1112 -
\??\c:\7lxxflr.exec:\7lxxflr.exe61⤵
- Executes dropped EXE
PID:2512 -
\??\c:\hnthtb.exec:\hnthtb.exe62⤵
- Executes dropped EXE
PID:1212 -
\??\c:\pjjjv.exec:\pjjjv.exe63⤵
- Executes dropped EXE
PID:1920 -
\??\c:\pvpjj.exec:\pvpjj.exe64⤵
- Executes dropped EXE
PID:1436 -
\??\c:\xlfflrx.exec:\xlfflrx.exe65⤵
- Executes dropped EXE
PID:2756 -
\??\c:\nnnthb.exec:\nnnthb.exe66⤵PID:1192
-
\??\c:\nnhbhn.exec:\nnhbhn.exe67⤵PID:2072
-
\??\c:\jdvvp.exec:\jdvvp.exe68⤵PID:2820
-
\??\c:\vvpjd.exec:\vvpjd.exe69⤵PID:900
-
\??\c:\xlfxxll.exec:\xlfxxll.exe70⤵PID:2780
-
\??\c:\nhtthn.exec:\nhtthn.exe71⤵PID:1740
-
\??\c:\jvvpj.exec:\jvvpj.exe72⤵PID:2760
-
\??\c:\ppjvp.exec:\ppjvp.exe73⤵PID:2560
-
\??\c:\rxrlxlf.exec:\rxrlxlf.exe74⤵PID:2156
-
\??\c:\nhhhbb.exec:\nhhhbb.exe75⤵PID:1612
-
\??\c:\hbtbhn.exec:\hbtbhn.exe76⤵PID:3004
-
\??\c:\jjvdj.exec:\jjvdj.exe77⤵PID:1408
-
\??\c:\ddvjd.exec:\ddvjd.exe78⤵PID:2696
-
\??\c:\llflxxl.exec:\llflxxl.exe79⤵PID:1124
-
\??\c:\btnthh.exec:\btnthh.exe80⤵PID:1700
-
\??\c:\hhbntb.exec:\hhbntb.exe81⤵PID:2280
-
\??\c:\vpdpv.exec:\vpdpv.exe82⤵PID:2920
-
\??\c:\dvpvj.exec:\dvpvj.exe83⤵PID:472
-
\??\c:\llllfrx.exec:\llllfrx.exe84⤵PID:2852
-
\??\c:\7bthth.exec:\7bthth.exe85⤵PID:2640
-
\??\c:\1tnbtt.exec:\1tnbtt.exe86⤵PID:992
-
\??\c:\pvvpp.exec:\pvvpp.exe87⤵PID:344
-
\??\c:\ppjpd.exec:\ppjpd.exe88⤵PID:1972
-
\??\c:\rrflxxl.exec:\rrflxxl.exe89⤵PID:544
-
\??\c:\fxrxflx.exec:\fxrxflx.exe90⤵PID:2784
-
\??\c:\ttnttb.exec:\ttnttb.exe91⤵PID:1896
-
\??\c:\nhthbn.exec:\nhthbn.exe92⤵PID:1884
-
\??\c:\9vvvd.exec:\9vvvd.exe93⤵PID:1688
-
\??\c:\rlxfrxf.exec:\rlxfrxf.exe94⤵PID:1880
-
\??\c:\5ffrlxf.exec:\5ffrlxf.exe95⤵PID:324
-
\??\c:\9tntbn.exec:\9tntbn.exe96⤵PID:1584
-
\??\c:\nnnbnb.exec:\nnnbnb.exe97⤵PID:1544
-
\??\c:\1ddjv.exec:\1ddjv.exe98⤵PID:2380
-
\??\c:\1ddpd.exec:\1ddpd.exe99⤵PID:956
-
\??\c:\rlfllxl.exec:\rlfllxl.exe100⤵PID:1480
-
\??\c:\3fffrrf.exec:\3fffrrf.exe101⤵PID:2176
-
\??\c:\1hnhnh.exec:\1hnhnh.exe102⤵PID:1464
-
\??\c:\3ppvj.exec:\3ppvj.exe103⤵PID:1000
-
\??\c:\djdpv.exec:\djdpv.exe104⤵PID:1772
-
\??\c:\7fffrxl.exec:\7fffrxl.exe105⤵PID:2276
-
\??\c:\ffrrxxx.exec:\ffrrxxx.exe106⤵PID:2024
-
\??\c:\3hhhtt.exec:\3hhhtt.exe107⤵PID:1836
-
\??\c:\nhbhtn.exec:\nhbhtn.exe108⤵PID:2744
-
\??\c:\djvvj.exec:\djvvj.exe109⤵PID:1504
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe110⤵PID:3040
-
\??\c:\3dvdp.exec:\3dvdp.exe111⤵PID:2656
-
\??\c:\7dvdj.exec:\7dvdj.exe112⤵PID:1324
-
\??\c:\llfrlrr.exec:\llfrlrr.exe113⤵PID:2400
-
\??\c:\7tbttb.exec:\7tbttb.exe114⤵PID:2768
-
\??\c:\7dppv.exec:\7dppv.exe115⤵PID:1260
-
\??\c:\rffrxfl.exec:\rffrxfl.exe116⤵PID:2272
-
\??\c:\9bnbtb.exec:\9bnbtb.exe117⤵PID:2692
-
\??\c:\3vpjv.exec:\3vpjv.exe118⤵PID:2620
-
\??\c:\lfrrflr.exec:\lfrrflr.exe119⤵PID:2704
-
\??\c:\9nhtnt.exec:\9nhtnt.exe120⤵PID:648
-
\??\c:\7ddpj.exec:\7ddpj.exe121⤵PID:1124
-
\??\c:\1jdjd.exec:\1jdjd.exe122⤵PID:3060
-