Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe
-
Size
454KB
-
MD5
f22623451e3cd3d9dfb5f40ae0074b04
-
SHA1
830fb8dc24de69ae3f2918d0f06d51e10fb22ace
-
SHA256
bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5
-
SHA512
ab70cb57320d2590bc29da01fe11078cebb9bec47e3f703b5a48efce360a528b4ea4b8e48dd577afb2f267508835e81804dab91f85c8ebd5b2fc9a87d4ae5b45
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 34 IoCs
resource yara_rule behavioral1/memory/764-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/548-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/604-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2348-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-400-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2652-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-719-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2532-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-759-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/592-802-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2024 djdpj.exe 2944 rlllllf.exe 2928 thhhnn.exe 2852 jjvpv.exe 2724 frlrxfl.exe 2568 vvvdp.exe 3004 pdjjj.exe 1724 dvjpd.exe 2876 rlxrxfr.exe 3036 bnhntb.exe 1220 jjvvd.exe 1632 hthbnn.exe 548 dvjvd.exe 1900 hbthth.exe 1556 dvvvj.exe 584 7ttbhn.exe 604 ppdjv.exe 2816 tnbntt.exe 2304 bnhnhn.exe 2376 llfflrf.exe 268 tnbbht.exe 2516 nhhnhn.exe 1696 dvppp.exe 2212 hhbhtb.exe 2980 vvvjd.exe 1868 xlflxxl.exe 2100 tthhnn.exe 1664 lxllrxl.exe 1916 bbnbnt.exe 1944 rffrlxx.exe 896 hbnbnt.exe 2692 jjvdj.exe 2024 xrxrrxl.exe 2752 nttbhn.exe 1528 dvjpv.exe 2796 rlfxrrl.exe 2808 nnhntt.exe 2328 rrflfrx.exe 2584 7nbthh.exe 2572 dvjjp.exe 3000 ppjvp.exe 3004 rllrffl.exe 2892 7hnttb.exe 2592 ddjpv.exe 2128 xxxllrl.exe 2216 fxrrxff.exe 2348 7hbhbh.exe 2444 pdvdp.exe 1608 rfffrxf.exe 1752 btbhtb.exe 2860 nhthtt.exe 2652 pjddj.exe 576 5rxlrxx.exe 1700 9nhnbh.exe 2532 ppjvd.exe 1640 dvjpd.exe 2076 lfrrffr.exe 848 bbtbth.exe 2508 dvjpp.exe 268 llxxllf.exe 960 nnhnhn.exe 568 hnhttt.exe 1712 jjvdp.exe 1480 xrlrrxl.exe -
resource yara_rule behavioral1/memory/764-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/604-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-302-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1528-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-513-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1028-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-781-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2100-801-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhtb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 764 wrote to memory of 2024 764 bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe 31 PID 764 wrote to memory of 2024 764 bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe 31 PID 764 wrote to memory of 2024 764 bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe 31 PID 764 wrote to memory of 2024 764 bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe 31 PID 2024 wrote to memory of 2944 2024 djdpj.exe 32 PID 2024 wrote to memory of 2944 2024 djdpj.exe 32 PID 2024 wrote to memory of 2944 2024 djdpj.exe 32 PID 2024 wrote to memory of 2944 2024 djdpj.exe 32 PID 2944 wrote to memory of 2928 2944 rlllllf.exe 33 PID 2944 wrote to memory of 2928 2944 rlllllf.exe 33 PID 2944 wrote to memory of 2928 2944 rlllllf.exe 33 PID 2944 wrote to memory of 2928 2944 rlllllf.exe 33 PID 2928 wrote to memory of 2852 2928 thhhnn.exe 34 PID 2928 wrote to memory of 2852 2928 thhhnn.exe 34 PID 2928 wrote to memory of 2852 2928 thhhnn.exe 34 PID 2928 wrote to memory of 2852 2928 thhhnn.exe 34 PID 2852 wrote to memory of 2724 2852 jjvpv.exe 35 PID 2852 wrote to memory of 2724 2852 jjvpv.exe 35 PID 2852 wrote to memory of 2724 2852 jjvpv.exe 35 PID 2852 wrote to memory of 2724 2852 jjvpv.exe 35 PID 2724 wrote to memory of 2568 2724 frlrxfl.exe 36 PID 2724 wrote to memory of 2568 2724 frlrxfl.exe 36 PID 2724 wrote to memory of 2568 2724 frlrxfl.exe 36 PID 2724 wrote to memory of 2568 2724 frlrxfl.exe 36 PID 2568 wrote to memory of 3004 2568 vvvdp.exe 37 PID 2568 wrote to memory of 3004 2568 vvvdp.exe 37 PID 2568 wrote to memory of 3004 2568 vvvdp.exe 37 PID 2568 wrote to memory of 3004 2568 vvvdp.exe 37 PID 3004 wrote to memory of 1724 3004 pdjjj.exe 38 PID 3004 wrote to memory of 1724 3004 pdjjj.exe 38 PID 3004 wrote to memory of 1724 3004 pdjjj.exe 38 PID 3004 wrote to memory of 1724 3004 pdjjj.exe 38 PID 1724 wrote to memory of 2876 1724 dvjpd.exe 39 PID 1724 wrote to memory of 
2876 1724 dvjpd.exe 39 PID 1724 wrote to memory of 2876 1724 dvjpd.exe 39 PID 1724 wrote to memory of 2876 1724 dvjpd.exe 39 PID 2876 wrote to memory of 3036 2876 rlxrxfr.exe 40 PID 2876 wrote to memory of 3036 2876 rlxrxfr.exe 40 PID 2876 wrote to memory of 3036 2876 rlxrxfr.exe 40 PID 2876 wrote to memory of 3036 2876 rlxrxfr.exe 40 PID 3036 wrote to memory of 1220 3036 bnhntb.exe 41 PID 3036 wrote to memory of 1220 3036 bnhntb.exe 41 PID 3036 wrote to memory of 1220 3036 bnhntb.exe 41 PID 3036 wrote to memory of 1220 3036 bnhntb.exe 41 PID 1220 wrote to memory of 1632 1220 jjvvd.exe 42 PID 1220 wrote to memory of 1632 1220 jjvvd.exe 42 PID 1220 wrote to memory of 1632 1220 jjvvd.exe 42 PID 1220 wrote to memory of 1632 1220 jjvvd.exe 42 PID 1632 wrote to memory of 548 1632 hthbnn.exe 43 PID 1632 wrote to memory of 548 1632 hthbnn.exe 43 PID 1632 wrote to memory of 548 1632 hthbnn.exe 43 PID 1632 wrote to memory of 548 1632 hthbnn.exe 43 PID 548 wrote to memory of 1900 548 dvjvd.exe 44 PID 548 wrote to memory of 1900 548 dvjvd.exe 44 PID 548 wrote to memory of 1900 548 dvjvd.exe 44 PID 548 wrote to memory of 1900 548 dvjvd.exe 44 PID 1900 wrote to memory of 1556 1900 hbthth.exe 45 PID 1900 wrote to memory of 1556 1900 hbthth.exe 45 PID 1900 wrote to memory of 1556 1900 hbthth.exe 45 PID 1900 wrote to memory of 1556 1900 hbthth.exe 45 PID 1556 wrote to memory of 584 1556 dvvvj.exe 46 PID 1556 wrote to memory of 584 1556 dvvvj.exe 46 PID 1556 wrote to memory of 584 1556 dvvvj.exe 46 PID 1556 wrote to memory of 584 1556 dvvvj.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe"C:\Users\Admin\AppData\Local\Temp\bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\djdpj.exec:\djdpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\rlllllf.exec:\rlllllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\thhhnn.exec:\thhhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\jjvpv.exec:\jjvpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\frlrxfl.exec:\frlrxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\vvvdp.exec:\vvvdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\pdjjj.exec:\pdjjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\dvjpd.exec:\dvjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\rlxrxfr.exec:\rlxrxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\bnhntb.exec:\bnhntb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\jjvvd.exec:\jjvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\hthbnn.exec:\hthbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\dvjvd.exec:\dvjvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\hbthth.exec:\hbthth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\dvvvj.exec:\dvvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\7ttbhn.exec:\7ttbhn.exe17⤵
- Executes dropped EXE
PID:584 -
\??\c:\ppdjv.exec:\ppdjv.exe18⤵
- Executes dropped EXE
PID:604 -
\??\c:\tnbntt.exec:\tnbntt.exe19⤵
- Executes dropped EXE
PID:2816 -
\??\c:\bnhnhn.exec:\bnhnhn.exe20⤵
- Executes dropped EXE
PID:2304 -
\??\c:\llfflrf.exec:\llfflrf.exe21⤵
- Executes dropped EXE
PID:2376 -
\??\c:\tnbbht.exec:\tnbbht.exe22⤵
- Executes dropped EXE
PID:268 -
\??\c:\nhhnhn.exec:\nhhnhn.exe23⤵
- Executes dropped EXE
PID:2516 -
\??\c:\dvppp.exec:\dvppp.exe24⤵
- Executes dropped EXE
PID:1696 -
\??\c:\hhbhtb.exec:\hhbhtb.exe25⤵
- Executes dropped EXE
PID:2212 -
\??\c:\vvvjd.exec:\vvvjd.exe26⤵
- Executes dropped EXE
PID:2980 -
\??\c:\xlflxxl.exec:\xlflxxl.exe27⤵
- Executes dropped EXE
PID:1868 -
\??\c:\tthhnn.exec:\tthhnn.exe28⤵
- Executes dropped EXE
PID:2100 -
\??\c:\lxllrxl.exec:\lxllrxl.exe29⤵
- Executes dropped EXE
PID:1664 -
\??\c:\bbnbnt.exec:\bbnbnt.exe30⤵
- Executes dropped EXE
PID:1916 -
\??\c:\rffrlxx.exec:\rffrlxx.exe31⤵
- Executes dropped EXE
PID:1944 -
\??\c:\hbnbnt.exec:\hbnbnt.exe32⤵
- Executes dropped EXE
PID:896 -
\??\c:\jjvdj.exec:\jjvdj.exe33⤵
- Executes dropped EXE
PID:2692 -
\??\c:\xrxrrxl.exec:\xrxrrxl.exe34⤵
- Executes dropped EXE
PID:2024 -
\??\c:\nttbhn.exec:\nttbhn.exe35⤵
- Executes dropped EXE
PID:2752 -
\??\c:\dvjpv.exec:\dvjpv.exe36⤵
- Executes dropped EXE
PID:1528 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe37⤵
- Executes dropped EXE
PID:2796 -
\??\c:\nnhntt.exec:\nnhntt.exe38⤵
- Executes dropped EXE
PID:2808 -
\??\c:\rrflfrx.exec:\rrflfrx.exe39⤵
- Executes dropped EXE
PID:2328 -
\??\c:\7nbthh.exec:\7nbthh.exe40⤵
- Executes dropped EXE
PID:2584 -
\??\c:\dvjjp.exec:\dvjjp.exe41⤵
- Executes dropped EXE
PID:2572 -
\??\c:\ppjvp.exec:\ppjvp.exe42⤵
- Executes dropped EXE
PID:3000 -
\??\c:\rllrffl.exec:\rllrffl.exe43⤵
- Executes dropped EXE
PID:3004 -
\??\c:\7hnttb.exec:\7hnttb.exe44⤵
- Executes dropped EXE
PID:2892 -
\??\c:\ddjpv.exec:\ddjpv.exe45⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xxxllrl.exec:\xxxllrl.exe46⤵
- Executes dropped EXE
PID:2128 -
\??\c:\fxrrxff.exec:\fxrrxff.exe47⤵
- Executes dropped EXE
PID:2216 -
\??\c:\7hbhbh.exec:\7hbhbh.exe48⤵
- Executes dropped EXE
PID:2348 -
\??\c:\pdvdp.exec:\pdvdp.exe49⤵
- Executes dropped EXE
PID:2444 -
\??\c:\rfffrxf.exec:\rfffrxf.exe50⤵
- Executes dropped EXE
PID:1608 -
\??\c:\btbhtb.exec:\btbhtb.exe51⤵
- Executes dropped EXE
PID:1752 -
\??\c:\nhthtt.exec:\nhthtt.exe52⤵
- Executes dropped EXE
PID:2860 -
\??\c:\pjddj.exec:\pjddj.exe53⤵
- Executes dropped EXE
PID:2652 -
\??\c:\5rxlrxx.exec:\5rxlrxx.exe54⤵
- Executes dropped EXE
PID:576 -
\??\c:\9nhnbh.exec:\9nhnbh.exe55⤵
- Executes dropped EXE
PID:1700 -
\??\c:\ppjvd.exec:\ppjvd.exe56⤵
- Executes dropped EXE
PID:2532 -
\??\c:\dvjpd.exec:\dvjpd.exe57⤵
- Executes dropped EXE
PID:1640 -
\??\c:\lfrrffr.exec:\lfrrffr.exe58⤵
- Executes dropped EXE
PID:2076 -
\??\c:\bbtbth.exec:\bbtbth.exe59⤵
- Executes dropped EXE
PID:848 -
\??\c:\dvjpp.exec:\dvjpp.exe60⤵
- Executes dropped EXE
PID:2508 -
\??\c:\llxxllf.exec:\llxxllf.exe61⤵
- Executes dropped EXE
PID:268 -
\??\c:\nnhnhn.exec:\nnhnhn.exe62⤵
- Executes dropped EXE
PID:960 -
\??\c:\hnhttt.exec:\hnhttt.exe63⤵
- Executes dropped EXE
PID:568 -
\??\c:\jjvdp.exec:\jjvdp.exe64⤵
- Executes dropped EXE
PID:1712 -
\??\c:\xrlrrxl.exec:\xrlrrxl.exe65⤵
- Executes dropped EXE
PID:1480 -
\??\c:\hbhhtt.exec:\hbhhtt.exe66⤵PID:2980
-
\??\c:\pvpvp.exec:\pvpvp.exe67⤵PID:1028
-
\??\c:\7rxxxrx.exec:\7rxxxrx.exe68⤵PID:1672
-
\??\c:\7rllxxl.exec:\7rllxxl.exe69⤵PID:2008
-
\??\c:\nhbhtt.exec:\nhbhtt.exe70⤵PID:1936
-
\??\c:\1dvjd.exec:\1dvjd.exe71⤵PID:1916
-
\??\c:\fxxfxfr.exec:\fxxfxfr.exe72⤵PID:2924
-
\??\c:\bhhbtb.exec:\bhhbtb.exe73⤵PID:2424
-
\??\c:\djjdv.exec:\djjdv.exe74⤵PID:2396
-
\??\c:\1rffllr.exec:\1rffllr.exe75⤵PID:2756
-
\??\c:\hhbhth.exec:\hhbhth.exe76⤵PID:2932
-
\??\c:\hhhbbh.exec:\hhhbbh.exe77⤵PID:2248
-
\??\c:\jjvdv.exec:\jjvdv.exe78⤵PID:2588
-
\??\c:\llxxflx.exec:\llxxflx.exe79⤵PID:2872
-
\??\c:\7tbtbh.exec:\7tbtbh.exe80⤵PID:2788
-
\??\c:\nnhnbb.exec:\nnhnbb.exe81⤵PID:2724
-
\??\c:\pdvpj.exec:\pdvpj.exe82⤵PID:2600
-
\??\c:\5xxrfrr.exec:\5xxrfrr.exe83⤵PID:468
-
\??\c:\tbtbhh.exec:\tbtbhh.exe84⤵PID:3016
-
\??\c:\jdvjp.exec:\jdvjp.exe85⤵PID:1724
-
\??\c:\dvjpv.exec:\dvjpv.exe86⤵PID:3032
-
\??\c:\rrfrlrf.exec:\rrfrlrf.exe87⤵PID:2192
-
\??\c:\bnnbbt.exec:\bnnbbt.exe88⤵PID:860
-
\??\c:\bbtnbb.exec:\bbtnbb.exe89⤵PID:112
-
\??\c:\jjjpv.exec:\jjjpv.exe90⤵PID:2352
-
\??\c:\1flrflx.exec:\1flrflx.exe91⤵PID:2444
-
\??\c:\1rrrrfr.exec:\1rrrrfr.exe92⤵PID:264
-
\??\c:\9bthbh.exec:\9bthbh.exe93⤵PID:2728
-
\??\c:\vpjjj.exec:\vpjjj.exe94⤵PID:1224
-
\??\c:\5lrrrxf.exec:\5lrrrxf.exe95⤵PID:1848
-
\??\c:\3rllrxl.exec:\3rllrxl.exe96⤵PID:1748
-
\??\c:\7tnbhn.exec:\7tnbhn.exe97⤵PID:1700
-
\??\c:\1ppjj.exec:\1ppjj.exe98⤵PID:2532
-
\??\c:\fffllxl.exec:\fffllxl.exe99⤵PID:2208
-
\??\c:\ntntbh.exec:\ntntbh.exe100⤵PID:2076
-
\??\c:\hnntht.exec:\hnntht.exe101⤵PID:716
-
\??\c:\vvjdj.exec:\vvjdj.exe102⤵PID:2392
-
\??\c:\llflfxl.exec:\llflfxl.exe103⤵PID:1000
-
\??\c:\xlfxrfr.exec:\xlfxrfr.exe104⤵PID:1004
-
\??\c:\hhhnbh.exec:\hhhnbh.exe105⤵PID:592
-
\??\c:\jddvj.exec:\jddvj.exe106⤵PID:376
-
\??\c:\flffxrr.exec:\flffxrr.exe107⤵PID:828
-
\??\c:\7hhhnb.exec:\7hhhnb.exe108⤵PID:2452
-
\??\c:\btntnt.exec:\btntnt.exe109⤵PID:2100
-
\??\c:\pvdjd.exec:\pvdjd.exe110⤵PID:3060
-
\??\c:\ffxfxlf.exec:\ffxfxlf.exe111⤵PID:1940
-
\??\c:\hhbhbh.exec:\hhbhbh.exe112⤵PID:900
-
\??\c:\1rrfflr.exec:\1rrfflr.exe113⤵PID:2472
-
\??\c:\1tnbbh.exec:\1tnbbh.exe114⤵PID:2120
-
\??\c:\nnhthn.exec:\nnhthn.exe115⤵PID:2396
-
\??\c:\jdvjp.exec:\jdvjp.exe116⤵PID:2812
-
\??\c:\bttbnt.exec:\bttbnt.exe117⤵PID:2932
-
\??\c:\dvpvj.exec:\dvpvj.exe118⤵PID:2684
-
\??\c:\xffrflx.exec:\xffrflx.exe119⤵PID:2796
-
\??\c:\fxlllrl.exec:\fxlllrl.exe120⤵PID:2848
-
\??\c:\1ttnhb.exec:\1ttnhb.exe121⤵PID:2564
-
\??\c:\1jpvp.exec:\1jpvp.exe122⤵PID:3008