Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe
-
Size
454KB
-
MD5
8e8fd5179b44e25bb63bd0849ac58685
-
SHA1
982feb66e0e0faa5ee498e443f44872c17da836c
-
SHA256
cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c
-
SHA512
2f3ef00dfab11468ba3c3fb9b514ecc5285ee8e88001e63a20be4cdb2e0c94a955367db6999668cb1b62faeec775d72b1accbd96a7588f79377bd22bb8092fa5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 35 IoCs
resource yara_rule behavioral1/memory/1740-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/576-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2832-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/108-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-442-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1504-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-780-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2624-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-950-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2836 thnttt.exe 2668 fflfrlf.exe 2720 vjvpd.exe 2928 lfxllrf.exe 2880 5bbhhb.exe 2632 fxrxfxr.exe 2176 ntttbb.exe 3032 lxrxlrf.exe 2160 rfxxxxf.exe 2196 5djjp.exe 2056 pdvvd.exe 2756 nhttbb.exe 1308 lrxfxxr.exe 2740 hnnnhb.exe 1260 ddvvd.exe 772 lflrrlx.exe 2188 tthnhh.exe 2180 xrlrffl.exe 2420 ttnhth.exe 956 7vjdj.exe 1820 xlxfflr.exe 2512 htnntb.exe 780 1vjpp.exe 1756 bthntt.exe 1644 dvvvp.exe 3024 pjvvp.exe 576 tbbnnb.exe 3016 jjjpd.exe 876 ffxxlxr.exe 1696 5jvvv.exe 2832 xlflrrf.exe 2848 9httbh.exe 2668 9pjpd.exe 2320 7xrxflf.exe 108 hthhnh.exe 2732 9pjdd.exe 2576 1rxxffl.exe 3052 tbbbnh.exe 2204 btbbbh.exe 1556 ddppv.exe 3064 rfxxffr.exe 2144 fllfxfx.exe 1792 tbhhnn.exe 1488 jvjdj.exe 2916 xxrrlrf.exe 1052 lxfffxf.exe 988 1nhhnt.exe 2744 vvvpd.exe 2072 llrrrlf.exe 2364 lrrxflr.exe 588 hhbthh.exe 1456 3jddj.exe 2544 9rllrrf.exe 2400 nhbhtt.exe 2156 hbbhhh.exe 1932 pjjvd.exe 1048 xllfllx.exe 1448 xrlrllx.exe 840 nbhttb.exe 1356 9jddv.exe 704 vpddv.exe 2932 lrfrllx.exe 1704 nbnthb.exe 1160 hbhhnh.exe -
resource yara_rule behavioral1/memory/1740-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-219-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/780-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-442-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1932-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-523-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1324-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-950-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2024-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-970-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-977-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1740 wrote to memory of 2836 1740 cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe 31 PID 1740 wrote to memory of 2836 1740 cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe 31 PID 1740 wrote to memory of 2836 1740 cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe 31 PID 1740 wrote to memory of 2836 1740 cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe 31 PID 2836 wrote to memory of 2668 2836 thnttt.exe 32 PID 2836 wrote to memory of 2668 2836 thnttt.exe 32 PID 2836 wrote to memory of 2668 2836 thnttt.exe 32 PID 2836 wrote to memory of 2668 2836 thnttt.exe 32 PID 2668 wrote to memory of 2720 2668 fflfrlf.exe 33 PID 2668 wrote to memory of 2720 2668 fflfrlf.exe 33 PID 2668 wrote to memory of 2720 2668 fflfrlf.exe 33 PID 2668 wrote to memory of 2720 2668 fflfrlf.exe 33 PID 2720 wrote to memory of 2928 2720 vjvpd.exe 34 PID 2720 wrote to memory of 2928 2720 vjvpd.exe 34 PID 2720 wrote to memory of 2928 2720 vjvpd.exe 34 PID 2720 wrote to memory of 2928 2720 vjvpd.exe 34 PID 2928 wrote to memory of 2880 2928 lfxllrf.exe 35 PID 2928 wrote to memory of 2880 2928 lfxllrf.exe 35 PID 2928 wrote to memory of 2880 2928 lfxllrf.exe 35 PID 2928 wrote to memory of 2880 2928 lfxllrf.exe 35 PID 2880 wrote to memory of 2632 2880 5bbhhb.exe 36 PID 2880 wrote to memory of 2632 2880 5bbhhb.exe 36 PID 2880 wrote to memory of 2632 2880 5bbhhb.exe 36 PID 2880 wrote to memory of 2632 2880 5bbhhb.exe 36 PID 2632 wrote to memory of 2176 2632 fxrxfxr.exe 37 PID 2632 wrote to memory of 2176 2632 fxrxfxr.exe 37 PID 2632 wrote to memory of 2176 2632 fxrxfxr.exe 37 PID 2632 wrote to memory of 2176 2632 fxrxfxr.exe 37 PID 2176 wrote to memory of 3032 2176 ntttbb.exe 38 PID 2176 wrote to memory of 3032 2176 ntttbb.exe 38 PID 2176 wrote to memory of 3032 2176 ntttbb.exe 38 PID 2176 wrote to memory of 3032 2176 ntttbb.exe 38 PID 3032 wrote to memory of 2160 3032 lxrxlrf.exe 39 PID 
3032 wrote to memory of 2160 3032 lxrxlrf.exe 39 PID 3032 wrote to memory of 2160 3032 lxrxlrf.exe 39 PID 3032 wrote to memory of 2160 3032 lxrxlrf.exe 39 PID 2160 wrote to memory of 2196 2160 rfxxxxf.exe 40 PID 2160 wrote to memory of 2196 2160 rfxxxxf.exe 40 PID 2160 wrote to memory of 2196 2160 rfxxxxf.exe 40 PID 2160 wrote to memory of 2196 2160 rfxxxxf.exe 40 PID 2196 wrote to memory of 2056 2196 5djjp.exe 41 PID 2196 wrote to memory of 2056 2196 5djjp.exe 41 PID 2196 wrote to memory of 2056 2196 5djjp.exe 41 PID 2196 wrote to memory of 2056 2196 5djjp.exe 41 PID 2056 wrote to memory of 2756 2056 pdvvd.exe 42 PID 2056 wrote to memory of 2756 2056 pdvvd.exe 42 PID 2056 wrote to memory of 2756 2056 pdvvd.exe 42 PID 2056 wrote to memory of 2756 2056 pdvvd.exe 42 PID 2756 wrote to memory of 1308 2756 nhttbb.exe 43 PID 2756 wrote to memory of 1308 2756 nhttbb.exe 43 PID 2756 wrote to memory of 1308 2756 nhttbb.exe 43 PID 2756 wrote to memory of 1308 2756 nhttbb.exe 43 PID 1308 wrote to memory of 2740 1308 lrxfxxr.exe 44 PID 1308 wrote to memory of 2740 1308 lrxfxxr.exe 44 PID 1308 wrote to memory of 2740 1308 lrxfxxr.exe 44 PID 1308 wrote to memory of 2740 1308 lrxfxxr.exe 44 PID 2740 wrote to memory of 1260 2740 hnnnhb.exe 45 PID 2740 wrote to memory of 1260 2740 hnnnhb.exe 45 PID 2740 wrote to memory of 1260 2740 hnnnhb.exe 45 PID 2740 wrote to memory of 1260 2740 hnnnhb.exe 45 PID 1260 wrote to memory of 772 1260 ddvvd.exe 46 PID 1260 wrote to memory of 772 1260 ddvvd.exe 46 PID 1260 wrote to memory of 772 1260 ddvvd.exe 46 PID 1260 wrote to memory of 772 1260 ddvvd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe"C:\Users\Admin\AppData\Local\Temp\cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\thnttt.exec:\thnttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\fflfrlf.exec:\fflfrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\vjvpd.exec:\vjvpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\lfxllrf.exec:\lfxllrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\5bbhhb.exec:\5bbhhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\fxrxfxr.exec:\fxrxfxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\ntttbb.exec:\ntttbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\lxrxlrf.exec:\lxrxlrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\rfxxxxf.exec:\rfxxxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\5djjp.exec:\5djjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\pdvvd.exec:\pdvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\nhttbb.exec:\nhttbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\lrxfxxr.exec:\lrxfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\hnnnhb.exec:\hnnnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\ddvvd.exec:\ddvvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\lflrrlx.exec:\lflrrlx.exe17⤵
- Executes dropped EXE
PID:772 -
\??\c:\tthnhh.exec:\tthnhh.exe18⤵
- Executes dropped EXE
PID:2188 -
\??\c:\xrlrffl.exec:\xrlrffl.exe19⤵
- Executes dropped EXE
PID:2180 -
\??\c:\ttnhth.exec:\ttnhth.exe20⤵
- Executes dropped EXE
PID:2420 -
\??\c:\7vjdj.exec:\7vjdj.exe21⤵
- Executes dropped EXE
PID:956 -
\??\c:\xlxfflr.exec:\xlxfflr.exe22⤵
- Executes dropped EXE
PID:1820 -
\??\c:\htnntb.exec:\htnntb.exe23⤵
- Executes dropped EXE
PID:2512 -
\??\c:\1vjpp.exec:\1vjpp.exe24⤵
- Executes dropped EXE
PID:780 -
\??\c:\bthntt.exec:\bthntt.exe25⤵
- Executes dropped EXE
PID:1756 -
\??\c:\dvvvp.exec:\dvvvp.exe26⤵
- Executes dropped EXE
PID:1644 -
\??\c:\pjvvp.exec:\pjvvp.exe27⤵
- Executes dropped EXE
PID:3024 -
\??\c:\tbbnnb.exec:\tbbnnb.exe28⤵
- Executes dropped EXE
PID:576 -
\??\c:\jjjpd.exec:\jjjpd.exe29⤵
- Executes dropped EXE
PID:3016 -
\??\c:\ffxxlxr.exec:\ffxxlxr.exe30⤵
- Executes dropped EXE
PID:876 -
\??\c:\5jvvv.exec:\5jvvv.exe31⤵
- Executes dropped EXE
PID:1696 -
\??\c:\xlflrrf.exec:\xlflrrf.exe32⤵
- Executes dropped EXE
PID:2832 -
\??\c:\9httbh.exec:\9httbh.exe33⤵
- Executes dropped EXE
PID:2848 -
\??\c:\9pjpd.exec:\9pjpd.exe34⤵
- Executes dropped EXE
PID:2668 -
\??\c:\7xrxflf.exec:\7xrxflf.exe35⤵
- Executes dropped EXE
PID:2320 -
\??\c:\hthhnh.exec:\hthhnh.exe36⤵
- Executes dropped EXE
PID:108 -
\??\c:\9pjdd.exec:\9pjdd.exe37⤵
- Executes dropped EXE
PID:2732 -
\??\c:\1rxxffl.exec:\1rxxffl.exe38⤵
- Executes dropped EXE
PID:2576 -
\??\c:\tbbbnh.exec:\tbbbnh.exe39⤵
- Executes dropped EXE
PID:3052 -
\??\c:\btbbbh.exec:\btbbbh.exe40⤵
- Executes dropped EXE
PID:2204 -
\??\c:\ddppv.exec:\ddppv.exe41⤵
- Executes dropped EXE
PID:1556 -
\??\c:\rfxxffr.exec:\rfxxffr.exe42⤵
- Executes dropped EXE
PID:3064 -
\??\c:\fllfxfx.exec:\fllfxfx.exe43⤵
- Executes dropped EXE
PID:2144 -
\??\c:\tbhhnn.exec:\tbhhnn.exe44⤵
- Executes dropped EXE
PID:1792 -
\??\c:\jvjdj.exec:\jvjdj.exe45⤵
- Executes dropped EXE
PID:1488 -
\??\c:\xxrrlrf.exec:\xxrrlrf.exe46⤵
- Executes dropped EXE
PID:2916 -
\??\c:\lxfffxf.exec:\lxfffxf.exe47⤵
- Executes dropped EXE
PID:1052 -
\??\c:\1nhhnt.exec:\1nhhnt.exe48⤵
- Executes dropped EXE
PID:988 -
\??\c:\vvvpd.exec:\vvvpd.exe49⤵
- Executes dropped EXE
PID:2744 -
\??\c:\llrrrlf.exec:\llrrrlf.exe50⤵
- Executes dropped EXE
PID:2072 -
\??\c:\lrrxflr.exec:\lrrxflr.exe51⤵
- Executes dropped EXE
PID:2364 -
\??\c:\hhbthh.exec:\hhbthh.exe52⤵
- Executes dropped EXE
PID:588 -
\??\c:\3jddj.exec:\3jddj.exe53⤵
- Executes dropped EXE
PID:1456 -
\??\c:\9rllrrf.exec:\9rllrrf.exe54⤵
- Executes dropped EXE
PID:2544 -
\??\c:\nhbhtt.exec:\nhbhtt.exe55⤵
- Executes dropped EXE
PID:2400 -
\??\c:\hbbhhh.exec:\hbbhhh.exe56⤵
- Executes dropped EXE
PID:2156 -
\??\c:\pjjvd.exec:\pjjvd.exe57⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xllfllx.exec:\xllfllx.exe58⤵
- Executes dropped EXE
PID:1048 -
\??\c:\xrlrllx.exec:\xrlrllx.exe59⤵
- Executes dropped EXE
PID:1448 -
\??\c:\nbhttb.exec:\nbhttb.exe60⤵
- Executes dropped EXE
PID:840 -
\??\c:\9jddv.exec:\9jddv.exe61⤵
- Executes dropped EXE
PID:1356 -
\??\c:\vpddv.exec:\vpddv.exe62⤵
- Executes dropped EXE
PID:704 -
\??\c:\lrfrllx.exec:\lrfrllx.exe63⤵
- Executes dropped EXE
PID:2932 -
\??\c:\nbnthb.exec:\nbnthb.exe64⤵
- Executes dropped EXE
PID:1704 -
\??\c:\hbhhnh.exec:\hbhhnh.exe65⤵
- Executes dropped EXE
PID:1160 -
\??\c:\vpddv.exec:\vpddv.exe66⤵PID:1504
-
\??\c:\xrflxrf.exec:\xrflxrf.exe67⤵PID:1952
-
\??\c:\bhbbhh.exec:\bhbbhh.exe68⤵PID:764
-
\??\c:\ppjpd.exec:\ppjpd.exe69⤵PID:3008
-
\??\c:\pvjjj.exec:\pvjjj.exe70⤵PID:1324
-
\??\c:\xrrxflr.exec:\xrrxflr.exe71⤵PID:1276
-
\??\c:\fxrxfxf.exec:\fxrxfxf.exe72⤵PID:1332
-
\??\c:\tnhnbh.exec:\tnhnbh.exe73⤵PID:2872
-
\??\c:\dvjvd.exec:\dvjvd.exe74⤵PID:2832
-
\??\c:\vpddv.exec:\vpddv.exe75⤵PID:2300
-
\??\c:\xrffffr.exec:\xrffffr.exe76⤵PID:2820
-
\??\c:\nbnnnt.exec:\nbnnnt.exe77⤵PID:2720
-
\??\c:\bhbbnn.exec:\bhbbnn.exe78⤵PID:2824
-
\??\c:\5jjvd.exec:\5jjvd.exe79⤵PID:2672
-
\??\c:\1lffffr.exec:\1lffffr.exe80⤵PID:2076
-
\??\c:\rlxfllr.exec:\rlxfllr.exe81⤵PID:2052
-
\??\c:\tnttbh.exec:\tnttbh.exe82⤵PID:2296
-
\??\c:\jdppj.exec:\jdppj.exe83⤵PID:2628
-
\??\c:\9xxxffl.exec:\9xxxffl.exe84⤵PID:2656
-
\??\c:\3lrrxfl.exec:\3lrrxfl.exe85⤵PID:2308
-
\??\c:\ttntht.exec:\ttntht.exe86⤵PID:2108
-
\??\c:\1vjjj.exec:\1vjjj.exe87⤵PID:2196
-
\??\c:\jvjjv.exec:\jvjjv.exe88⤵PID:828
-
\??\c:\1xrlffl.exec:\1xrlffl.exe89⤵PID:2764
-
\??\c:\nnhnbb.exec:\nnhnbb.exe90⤵PID:2648
-
\??\c:\5nbbhn.exec:\5nbbhn.exe91⤵PID:2784
-
\??\c:\7dvvd.exec:\7dvvd.exe92⤵PID:2224
-
\??\c:\rlxfllf.exec:\rlxfllf.exe93⤵PID:380
-
\??\c:\llxxxfl.exec:\llxxxfl.exe94⤵PID:536
-
\??\c:\nbhhhn.exec:\nbhhhn.exe95⤵PID:880
-
\??\c:\1hbttt.exec:\1hbttt.exe96⤵PID:2976
-
\??\c:\9vppp.exec:\9vppp.exe97⤵PID:2260
-
\??\c:\frlrxxf.exec:\frlrxxf.exe98⤵PID:2400
-
\??\c:\nhntbb.exec:\nhntbb.exe99⤵PID:2380
-
\??\c:\9bnnnt.exec:\9bnnnt.exe100⤵PID:1932
-
\??\c:\7ppjj.exec:\7ppjj.exe101⤵PID:1796
-
\??\c:\5llllrx.exec:\5llllrx.exe102⤵PID:1984
-
\??\c:\5tbbnt.exec:\5tbbnt.exe103⤵PID:1872
-
\??\c:\bhbtbb.exec:\bhbtbb.exe104⤵PID:1356
-
\??\c:\dvjjp.exec:\dvjjp.exe105⤵PID:1544
-
\??\c:\xlrrffr.exec:\xlrrffr.exe106⤵PID:2020
-
\??\c:\tnbbnt.exec:\tnbbnt.exe107⤵PID:1644
-
\??\c:\nnbnbh.exec:\nnbnbh.exe108⤵PID:3024
-
\??\c:\3pdjp.exec:\3pdjp.exe109⤵PID:1492
-
\??\c:\7xlllrx.exec:\7xlllrx.exe110⤵PID:3004
-
\??\c:\rxxxrrf.exec:\rxxxrrf.exe111⤵PID:3016
-
\??\c:\nbhhnn.exec:\nbhhnn.exe112⤵PID:2368
-
\??\c:\jjvjp.exec:\jjvjp.exe113⤵PID:2664
-
\??\c:\9pddj.exec:\9pddj.exe114⤵PID:1596
-
\??\c:\xlxxflr.exec:\xlxxflr.exe115⤵PID:1712
-
\??\c:\hbtbhh.exec:\hbtbhh.exe116⤵PID:2848
-
\??\c:\nnnthn.exec:\nnnthn.exe117⤵PID:2676
-
\??\c:\1jjjj.exec:\1jjjj.exe118⤵PID:2856
-
\??\c:\1lxxflr.exec:\1lxxflr.exe119⤵PID:2616
-
\??\c:\lfxxlrf.exec:\lfxxlrf.exe120⤵PID:2892
-
\??\c:\nhbbhn.exec:\nhbbhn.exe121⤵PID:2624
-
\??\c:\jdvvj.exec:\jdvvj.exe122⤵PID:2576