Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 18:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe
-
Size
454KB
-
MD5
e1473e5734be6a27bf7f719d14252403
-
SHA1
62da54c9ae9f7e2ff0073fbb5088f63fc1de5cd8
-
SHA256
7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98
-
SHA512
602791707ff71ea3a2463aae4f6fe030ecb0cdfdf0ea155506e0a92388b18a83fda4abae5f0c31f90ea83c3d77a293a7ae39ba4f9eb3d4cbac1e9f19f6dc170d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/1732-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2884-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-294-0x0000000077820000-0x000000007793F000-memory.dmp family_blackmoon behavioral1/memory/1028-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-229-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/948-220-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1488-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-416-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1408-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-675-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/1288-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-782-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2496-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-908-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2124-1053-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2508-1097-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/1748-1104-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2372 vjpdj.exe 2492 rlfflrf.exe 2180 9nbbhn.exe 2740 5vjpp.exe 2908 nnbbhn.exe 2824 jvjjj.exe 2956 frfxfrr.exe 2780 3rlrxfr.exe 2644 5btttn.exe 2220 dvdvd.exe 2804 rlffrrx.exe 2044 hthhhh.exe 1008 7lffrxx.exe 2860 thtbbb.exe 2948 pdpjj.exe 1960 1fxxxrx.exe 2020 nhtbnn.exe 2116 7pddv.exe 1488 ffrxffl.exe 1836 5tbttt.exe 2016 hbnbhb.exe 948 3xflxff.exe 2312 9btbbh.exe 1088 3pjdd.exe 3060 rfrlrll.exe 1028 1llllfr.exe 1756 9jvvd.exe 1148 fxrxfxl.exe 2540 bhtbbt.exe 2440 bthhnn.exe 2992 3hbhnn.exe 2448 pdpvp.exe 2464 xlxxffl.exe 2808 rlxxfxf.exe 1832 1jdpd.exe 2744 frffllx.exe 3008 9xfrfff.exe 2884 btnbtb.exe 2724 jjddv.exe 2240 fxrffxl.exe 2732 7frlllr.exe 2656 hbtbbb.exe 2220 jvdvv.exe 1100 pvpvj.exe 2184 rfxxffr.exe 2044 hhbnnn.exe 2224 bnbbbh.exe 2960 dvddj.exe 2708 tnbbbh.exe 2948 vjpvj.exe 2004 jdvdv.exe 1408 dvjdj.exe 2092 rxllxll.exe 2072 ffrfrlr.exe 776 vvdpd.exe 484 frxxxxx.exe 3024 nbnhht.exe 400 vvjdd.exe 320 7rxxrlr.exe 2200 nhbhhh.exe 2312 3dvdj.exe 1504 pjjvj.exe 3060 3rfflrr.exe 2008 3hnthh.exe -
resource yara_rule behavioral1/memory/1732-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-310-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2884-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-294-0x0000000077820000-0x000000007793F000-memory.dmp upx behavioral1/memory/2992-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-782-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2496-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-869-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-1053-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrffl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1732 wrote to memory of 2372 1732 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 30 PID 1732 wrote to memory of 2372 1732 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 30 PID 1732 wrote to memory of 2372 1732 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 30 PID 1732 wrote to memory of 2372 1732 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 30 PID 2372 wrote to memory of 2492 2372 vjpdj.exe 31 PID 2372 wrote to memory of 2492 2372 vjpdj.exe 31 PID 2372 wrote to memory of 2492 2372 vjpdj.exe 31 PID 2372 wrote to memory of 2492 2372 vjpdj.exe 31 PID 2492 wrote to memory of 2180 2492 rlfflrf.exe 32 PID 2492 wrote to memory of 2180 2492 rlfflrf.exe 32 PID 2492 wrote to memory of 2180 2492 rlfflrf.exe 32 PID 2492 wrote to memory of 2180 2492 rlfflrf.exe 32 PID 2180 wrote to memory of 2740 2180 9nbbhn.exe 33 PID 2180 wrote to memory of 2740 2180 9nbbhn.exe 33 PID 2180 wrote to memory of 2740 2180 9nbbhn.exe 33 PID 2180 wrote to memory of 2740 2180 9nbbhn.exe 33 PID 2740 wrote to memory of 2908 2740 5vjpp.exe 34 PID 2740 wrote to memory of 2908 2740 5vjpp.exe 34 PID 2740 wrote to memory of 2908 2740 5vjpp.exe 34 PID 2740 wrote to memory of 2908 2740 5vjpp.exe 34 PID 2908 wrote to memory of 2824 2908 nnbbhn.exe 35 PID 2908 wrote to memory of 2824 2908 nnbbhn.exe 35 PID 2908 wrote to memory of 2824 2908 nnbbhn.exe 35 PID 2908 wrote to memory of 2824 2908 nnbbhn.exe 35 PID 2824 wrote to memory of 2956 2824 jvjjj.exe 36 PID 2824 wrote to memory of 2956 2824 jvjjj.exe 36 PID 2824 wrote to memory of 2956 2824 jvjjj.exe 36 PID 2824 wrote to memory of 2956 2824 jvjjj.exe 36 PID 2956 wrote to memory of 2780 2956 frfxfrr.exe 37 PID 2956 wrote to memory of 2780 2956 frfxfrr.exe 37 PID 2956 wrote to memory of 2780 2956 frfxfrr.exe 37 PID 2956 wrote to memory of 2780 2956 frfxfrr.exe 37 PID 2780 wrote to memory of 2644 2780 3rlrxfr.exe 38 PID 2780 wrote 
to memory of 2644 2780 3rlrxfr.exe 38 PID 2780 wrote to memory of 2644 2780 3rlrxfr.exe 38 PID 2780 wrote to memory of 2644 2780 3rlrxfr.exe 38 PID 2644 wrote to memory of 2220 2644 5btttn.exe 73 PID 2644 wrote to memory of 2220 2644 5btttn.exe 73 PID 2644 wrote to memory of 2220 2644 5btttn.exe 73 PID 2644 wrote to memory of 2220 2644 5btttn.exe 73 PID 2220 wrote to memory of 2804 2220 dvdvd.exe 40 PID 2220 wrote to memory of 2804 2220 dvdvd.exe 40 PID 2220 wrote to memory of 2804 2220 dvdvd.exe 40 PID 2220 wrote to memory of 2804 2220 dvdvd.exe 40 PID 2804 wrote to memory of 2044 2804 rlffrrx.exe 76 PID 2804 wrote to memory of 2044 2804 rlffrrx.exe 76 PID 2804 wrote to memory of 2044 2804 rlffrrx.exe 76 PID 2804 wrote to memory of 2044 2804 rlffrrx.exe 76 PID 2044 wrote to memory of 1008 2044 hthhhh.exe 42 PID 2044 wrote to memory of 1008 2044 hthhhh.exe 42 PID 2044 wrote to memory of 1008 2044 hthhhh.exe 42 PID 2044 wrote to memory of 1008 2044 hthhhh.exe 42 PID 1008 wrote to memory of 2860 1008 7lffrxx.exe 43 PID 1008 wrote to memory of 2860 1008 7lffrxx.exe 43 PID 1008 wrote to memory of 2860 1008 7lffrxx.exe 43 PID 1008 wrote to memory of 2860 1008 7lffrxx.exe 43 PID 2860 wrote to memory of 2948 2860 thtbbb.exe 80 PID 2860 wrote to memory of 2948 2860 thtbbb.exe 80 PID 2860 wrote to memory of 2948 2860 thtbbb.exe 80 PID 2860 wrote to memory of 2948 2860 thtbbb.exe 80 PID 2948 wrote to memory of 1960 2948 pdpjj.exe 45 PID 2948 wrote to memory of 1960 2948 pdpjj.exe 45 PID 2948 wrote to memory of 1960 2948 pdpjj.exe 45 PID 2948 wrote to memory of 1960 2948 pdpjj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe"C:\Users\Admin\AppData\Local\Temp\7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\vjpdj.exec:\vjpdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\rlfflrf.exec:\rlfflrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\9nbbhn.exec:\9nbbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\5vjpp.exec:\5vjpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\nnbbhn.exec:\nnbbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\jvjjj.exec:\jvjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\frfxfrr.exec:\frfxfrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\3rlrxfr.exec:\3rlrxfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\5btttn.exec:\5btttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\dvdvd.exec:\dvdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\rlffrrx.exec:\rlffrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\hthhhh.exec:\hthhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\7lffrxx.exec:\7lffrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\thtbbb.exec:\thtbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\pdpjj.exec:\pdpjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\1fxxxrx.exec:\1fxxxrx.exe17⤵
- Executes dropped EXE
PID:1960 -
\??\c:\nhtbnn.exec:\nhtbnn.exe18⤵
- Executes dropped EXE
PID:2020 -
\??\c:\7pddv.exec:\7pddv.exe19⤵
- Executes dropped EXE
PID:2116 -
\??\c:\ffrxffl.exec:\ffrxffl.exe20⤵
- Executes dropped EXE
PID:1488 -
\??\c:\5tbttt.exec:\5tbttt.exe21⤵
- Executes dropped EXE
PID:1836 -
\??\c:\hbnbhb.exec:\hbnbhb.exe22⤵
- Executes dropped EXE
PID:2016 -
\??\c:\3xflxff.exec:\3xflxff.exe23⤵
- Executes dropped EXE
PID:948 -
\??\c:\9btbbh.exec:\9btbbh.exe24⤵
- Executes dropped EXE
PID:2312 -
\??\c:\3pjdd.exec:\3pjdd.exe25⤵
- Executes dropped EXE
PID:1088 -
\??\c:\rfrlrll.exec:\rfrlrll.exe26⤵
- Executes dropped EXE
PID:3060 -
\??\c:\1llllfr.exec:\1llllfr.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\9jvvd.exec:\9jvvd.exe28⤵
- Executes dropped EXE
PID:1756 -
\??\c:\fxrxfxl.exec:\fxrxfxl.exe29⤵
- Executes dropped EXE
PID:1148 -
\??\c:\bhtbbt.exec:\bhtbbt.exe30⤵
- Executes dropped EXE
PID:2540 -
\??\c:\bthhnn.exec:\bthhnn.exe31⤵
- Executes dropped EXE
PID:2440 -
\??\c:\3hbhnn.exec:\3hbhnn.exe32⤵
- Executes dropped EXE
PID:2992 -
\??\c:\7nnntt.exec:\7nnntt.exe33⤵PID:1788
-
\??\c:\pdpvp.exec:\pdpvp.exe34⤵
- Executes dropped EXE
PID:2448 -
\??\c:\xlxxffl.exec:\xlxxffl.exe35⤵
- Executes dropped EXE
PID:2464 -
\??\c:\rlxxfxf.exec:\rlxxfxf.exe36⤵
- Executes dropped EXE
PID:2808 -
\??\c:\1jdpd.exec:\1jdpd.exe37⤵
- Executes dropped EXE
PID:1832 -
\??\c:\frffllx.exec:\frffllx.exe38⤵
- Executes dropped EXE
PID:2744 -
\??\c:\9xfrfff.exec:\9xfrfff.exe39⤵
- Executes dropped EXE
PID:3008 -
\??\c:\btnbtb.exec:\btnbtb.exe40⤵
- Executes dropped EXE
PID:2884 -
\??\c:\jjddv.exec:\jjddv.exe41⤵
- Executes dropped EXE
PID:2724 -
\??\c:\fxrffxl.exec:\fxrffxl.exe42⤵
- Executes dropped EXE
PID:2240 -
\??\c:\7frlllr.exec:\7frlllr.exe43⤵
- Executes dropped EXE
PID:2732 -
\??\c:\hbtbbb.exec:\hbtbbb.exe44⤵
- Executes dropped EXE
PID:2656 -
\??\c:\jvdvv.exec:\jvdvv.exe45⤵
- Executes dropped EXE
PID:2220 -
\??\c:\pvpvj.exec:\pvpvj.exe46⤵
- Executes dropped EXE
PID:1100 -
\??\c:\rfxxffr.exec:\rfxxffr.exe47⤵
- Executes dropped EXE
PID:2184 -
\??\c:\hhbnnn.exec:\hhbnnn.exe48⤵
- Executes dropped EXE
PID:2044 -
\??\c:\bnbbbh.exec:\bnbbbh.exe49⤵
- Executes dropped EXE
PID:2224 -
\??\c:\dvddj.exec:\dvddj.exe50⤵
- Executes dropped EXE
PID:2960 -
\??\c:\tnbbbh.exec:\tnbbbh.exe51⤵
- Executes dropped EXE
PID:2708 -
\??\c:\vjpvj.exec:\vjpvj.exe52⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jdvdv.exec:\jdvdv.exe53⤵
- Executes dropped EXE
PID:2004 -
\??\c:\dvjdj.exec:\dvjdj.exe54⤵
- Executes dropped EXE
PID:1408 -
\??\c:\rxllxll.exec:\rxllxll.exe55⤵
- Executes dropped EXE
PID:2092 -
\??\c:\ffrfrlr.exec:\ffrfrlr.exe56⤵
- Executes dropped EXE
PID:2072 -
\??\c:\vvdpd.exec:\vvdpd.exe57⤵
- Executes dropped EXE
PID:776 -
\??\c:\frxxxxx.exec:\frxxxxx.exe58⤵
- Executes dropped EXE
PID:484 -
\??\c:\nbnhht.exec:\nbnhht.exe59⤵
- Executes dropped EXE
PID:3024 -
\??\c:\vvjdd.exec:\vvjdd.exe60⤵
- Executes dropped EXE
PID:400 -
\??\c:\7rxxrlr.exec:\7rxxrlr.exe61⤵
- Executes dropped EXE
PID:320 -
\??\c:\nhbhhh.exec:\nhbhhh.exe62⤵
- Executes dropped EXE
PID:2200 -
\??\c:\3dvdj.exec:\3dvdj.exe63⤵
- Executes dropped EXE
PID:2312 -
\??\c:\pjjvj.exec:\pjjvj.exe64⤵
- Executes dropped EXE
PID:1504 -
\??\c:\3rfflrr.exec:\3rfflrr.exe65⤵
- Executes dropped EXE
PID:3060 -
\??\c:\3hnthh.exec:\3hnthh.exe66⤵
- Executes dropped EXE
PID:2008 -
\??\c:\jpppv.exec:\jpppv.exe67⤵PID:2484
-
\??\c:\rfrllfl.exec:\rfrllfl.exe68⤵PID:3056
-
\??\c:\1flxlfl.exec:\1flxlfl.exe69⤵PID:796
-
\??\c:\nhthtt.exec:\nhthtt.exe70⤵PID:2576
-
\??\c:\1jddd.exec:\1jddd.exe71⤵PID:2552
-
\??\c:\ffrrxxf.exec:\ffrrxxf.exe72⤵PID:1748
-
\??\c:\llrxllf.exec:\llrxllf.exe73⤵PID:2280
-
\??\c:\nntnht.exec:\nntnht.exe74⤵PID:3052
-
\??\c:\3jdjj.exec:\3jdjj.exe75⤵PID:1720
-
\??\c:\rrfflfl.exec:\rrfflfl.exe76⤵PID:2500
-
\??\c:\xrffrlr.exec:\xrffrlr.exe77⤵PID:612
-
\??\c:\1ntttb.exec:\1ntttb.exe78⤵PID:2808
-
\??\c:\pdddd.exec:\pdddd.exe79⤵PID:2492
-
\??\c:\pjvvv.exec:\pjvvv.exe80⤵PID:1668
-
\??\c:\lfxflfl.exec:\lfxflfl.exe81⤵PID:2928
-
\??\c:\hnbtbb.exec:\hnbtbb.exe82⤵PID:2776
-
\??\c:\5hhhhn.exec:\5hhhhn.exe83⤵PID:2612
-
\??\c:\3jjpv.exec:\3jjpv.exe84⤵PID:2660
-
\??\c:\1rfflrf.exec:\1rfflrf.exe85⤵PID:2688
-
\??\c:\9frxflr.exec:\9frxflr.exe86⤵PID:808
-
\??\c:\nbhtth.exec:\nbhtth.exe87⤵PID:2624
-
\??\c:\dvppv.exec:\dvppv.exe88⤵PID:2220
-
\??\c:\frxrrll.exec:\frxrrll.exe89⤵PID:2296
-
\??\c:\bbtttb.exec:\bbtttb.exe90⤵PID:2208
-
\??\c:\vpjpj.exec:\vpjpj.exe91⤵PID:1472
-
\??\c:\5ddjd.exec:\5ddjd.exe92⤵PID:1008
-
\??\c:\fxlrrrf.exec:\fxlrrrf.exe93⤵PID:2860
-
\??\c:\nhtthn.exec:\nhtthn.exe94⤵PID:2056
-
\??\c:\jjvpj.exec:\jjvpj.exe95⤵PID:2972
-
\??\c:\dvjdd.exec:\dvjdd.exe96⤵PID:1708
-
\??\c:\rfrlllx.exec:\rfrlllx.exe97⤵PID:2076
-
\??\c:\nbnntn.exec:\nbnntn.exe98⤵PID:2996
-
\??\c:\ttnthn.exec:\ttnthn.exe99⤵PID:1644
-
\??\c:\3pdvd.exec:\3pdvd.exe100⤵PID:388
-
\??\c:\llrlfrr.exec:\llrlfrr.exe101⤵PID:1728
-
\??\c:\3nbbbt.exec:\3nbbbt.exe102⤵PID:2100
-
\??\c:\bttthb.exec:\bttthb.exe103⤵PID:276
-
\??\c:\ppdjj.exec:\ppdjj.exe104⤵PID:1288
-
\??\c:\xrxfrlr.exec:\xrxfrlr.exe105⤵PID:2264
-
\??\c:\lfxxrfr.exec:\lfxxrfr.exe106⤵PID:1888
-
\??\c:\thnnnn.exec:\thnnnn.exe107⤵PID:2064
-
\??\c:\jvdjj.exec:\jvdjj.exe108⤵PID:1504
-
\??\c:\dvvdp.exec:\dvvdp.exe109⤵PID:2512
-
\??\c:\fxxxffx.exec:\fxxxffx.exe110⤵PID:1828
-
\??\c:\1bnntt.exec:\1bnntt.exe111⤵PID:1936
-
\??\c:\tnhntt.exec:\tnhntt.exe112⤵PID:3056
-
\??\c:\vpvvj.exec:\vpvvj.exe113⤵PID:796
-
\??\c:\rrxxxff.exec:\rrxxxff.exe114⤵PID:2576
-
\??\c:\hbbnhn.exec:\hbbnhn.exe115⤵PID:2496
-
\??\c:\tnbnbh.exec:\tnbnbh.exe116⤵PID:2440
-
\??\c:\7jdjj.exec:\7jdjj.exe117⤵PID:2280
-
\??\c:\rrlrrrr.exec:\rrlrrrr.exe118⤵PID:2704
-
\??\c:\rfflrxf.exec:\rfflrxf.exe119⤵PID:2464
-
\??\c:\hbnhtb.exec:\hbnhtb.exe120⤵PID:1844
-
\??\c:\ddpvj.exec:\ddpvj.exe121⤵PID:2352
-
\??\c:\1xllllx.exec:\1xllllx.exe122⤵PID:2908