Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe
-
Size
454KB
-
MD5
f28ff665dc553e1c7fe1439ff331ebd0
-
SHA1
0e633892c6a6a94f01d16beae87b208b92dd3e08
-
SHA256
008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26
-
SHA512
0ce85b33f1de57b99607e253107459713a356bafc5f46bec82debe23f5f3b2b238e85ec521bd990f6bb71bab334129e0278b54fa5b88f02e6c4861cee4274055
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1C:q7Tc2NYHUrAwfMp3CD1C
Malware Config (empty — the sandbox did not extract a configuration block for this sample; the findings below are YARA and behavioral signatures only)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs — all matches are on in-memory dumps of the spawned processes, and almost every hit covers the same 0x00400000–0x0042A000 image range (a few are at 0x00220000/0x00320000/0x003B0000, i.e. a second mapping in the same process). This is consistent with every dropped EXE being a copy of the same ~0x2A000-byte image. The `upx` rule fires on the same dumps, which suggests the binaries are UPX-packed on disk; since the Blackmoon match is against unpacked memory, expect on-disk/static scanning of the packed file to be less reliable than this memory-based detection.
resource yara_rule behavioral1/memory/2056-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-37-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2580-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-58-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2580-56-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1312-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1380-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2496-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-256-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2016-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/376-1065-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-1085-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-1273-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/892-1308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list below is capped at 64 entries; the Processes tree shows the chain continuing past depth 120). Each dropped binary is written to the root of C:\ under a random-looking consonant-string name and launches the next one, forming a linear parent→child chain. Note that Windows reuses PIDs across this run (e.g. 2744 and 1380 each appear twice in this list for different executables), so correlate on the parent/child pair and image name rather than on PID alone.
pid Process 2176 hhnbnb.exe 2744 3jvvp.exe 2668 xrrxlrx.exe 2568 ttnbnt.exe 2580 bbbtnt.exe 2548 dppdp.exe 2584 nhbnbn.exe 1312 vvjjd.exe 2864 btnbnt.exe 2980 5hbhnt.exe 2488 5ntbnn.exe 1256 thtbnh.exe 320 jdvdd.exe 1700 nhbtbb.exe 2636 dvjvp.exe 1048 7htttb.exe 1532 7tthhn.exe 2852 bnhntt.exe 1320 7hbbbb.exe 1856 frffflr.exe 1380 5nhhhh.exe 2496 pjppp.exe 1744 5tnntn.exe 1412 1lfrxfl.exe 2500 5thhnt.exe 1712 frllxfr.exe 2356 rflfllr.exe 1812 jjvpp.exe 2492 9lfxrxf.exe 992 pjpvd.exe 2016 lfrrxrx.exe 1800 tnhnbb.exe 2764 ddpvj.exe 2744 fxfrllr.exe 1588 tnbhtt.exe 2732 vvppp.exe 2540 1fxllll.exe 2672 tnnntt.exe 2700 bnhhtn.exe 2536 9vvvd.exe 340 xfxrfxf.exe 2040 nbnnhb.exe 1972 7vppj.exe 2880 3jvpv.exe 2972 lxllxxf.exe 3020 bbnntb.exe 2604 thtttb.exe 2244 dpvpp.exe 1820 llxxffl.exe 1240 hhnnbh.exe 780 htnttt.exe 2724 jvjpv.exe 2224 xrffrrf.exe 800 1fllxfl.exe 1016 5bntbb.exe 824 dvppj.exe 2004 rlfxfll.exe 1928 xrfxfxl.exe 444 hhbtth.exe 1600 dpjdj.exe 1672 5fffxfl.exe 1380 fxxfxxl.exe 1280 ttbhnn.exe 2388 vjddp.exe -
resource yara_rule behavioral1/memory/2056-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-222-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1712-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-801-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-929-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-1065-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-1066-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-1174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-1254-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2904-1273-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1864-1295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-1308-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location. On its own this is a low-fidelity indicator — legitimate installers and localized software read the same key — so treat it as corroborating context for the Blackmoon detection rather than as a standalone detection. Entries attributed to "Process not Found" are reads the sandbox could not map back to a live process name, presumably because the short-lived dropped EXE had already exited; the PID chain in the WriteProcessMemory section is the more reliable way to tie them to this sample.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhtb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — every target PID below is the writer's own direct child (cross-check the Processes tree: 2056→2176→2744→2668→…), and each parent/child pair is logged four times. That pattern is consistent with a parent setting up a process it has just created rather than with injection into an unrelated, already-running process, so read this as evidence of the drop-and-execute chain, not of classic process injection. The listing is capped at 64 entries and stops at dvjvp.exe→7htttb.exe (depth 16→17) while the tree continues well beyond that.
description pid Process procid_target PID 2056 wrote to memory of 2176 2056 008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe 31 PID 2056 wrote to memory of 2176 2056 008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe 31 PID 2056 wrote to memory of 2176 2056 008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe 31 PID 2056 wrote to memory of 2176 2056 008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe 31 PID 2176 wrote to memory of 2744 2176 hhnbnb.exe 32 PID 2176 wrote to memory of 2744 2176 hhnbnb.exe 32 PID 2176 wrote to memory of 2744 2176 hhnbnb.exe 32 PID 2176 wrote to memory of 2744 2176 hhnbnb.exe 32 PID 2744 wrote to memory of 2668 2744 3jvvp.exe 33 PID 2744 wrote to memory of 2668 2744 3jvvp.exe 33 PID 2744 wrote to memory of 2668 2744 3jvvp.exe 33 PID 2744 wrote to memory of 2668 2744 3jvvp.exe 33 PID 2668 wrote to memory of 2568 2668 xrrxlrx.exe 34 PID 2668 wrote to memory of 2568 2668 xrrxlrx.exe 34 PID 2668 wrote to memory of 2568 2668 xrrxlrx.exe 34 PID 2668 wrote to memory of 2568 2668 xrrxlrx.exe 34 PID 2568 wrote to memory of 2580 2568 ttnbnt.exe 35 PID 2568 wrote to memory of 2580 2568 ttnbnt.exe 35 PID 2568 wrote to memory of 2580 2568 ttnbnt.exe 35 PID 2568 wrote to memory of 2580 2568 ttnbnt.exe 35 PID 2580 wrote to memory of 2548 2580 bbbtnt.exe 36 PID 2580 wrote to memory of 2548 2580 bbbtnt.exe 36 PID 2580 wrote to memory of 2548 2580 bbbtnt.exe 36 PID 2580 wrote to memory of 2548 2580 bbbtnt.exe 36 PID 2548 wrote to memory of 2584 2548 dppdp.exe 37 PID 2548 wrote to memory of 2584 2548 dppdp.exe 37 PID 2548 wrote to memory of 2584 2548 dppdp.exe 37 PID 2548 wrote to memory of 2584 2548 dppdp.exe 37 PID 2584 wrote to memory of 1312 2584 nhbnbn.exe 38 PID 2584 wrote to memory of 1312 2584 nhbnbn.exe 38 PID 2584 wrote to memory of 1312 2584 nhbnbn.exe 38 PID 2584 wrote to memory of 1312 2584 nhbnbn.exe 38 PID 1312 wrote to memory of 2864 1312 vvjjd.exe 39 PID 1312 wrote 
to memory of 2864 1312 vvjjd.exe 39 PID 1312 wrote to memory of 2864 1312 vvjjd.exe 39 PID 1312 wrote to memory of 2864 1312 vvjjd.exe 39 PID 2864 wrote to memory of 2980 2864 btnbnt.exe 40 PID 2864 wrote to memory of 2980 2864 btnbnt.exe 40 PID 2864 wrote to memory of 2980 2864 btnbnt.exe 40 PID 2864 wrote to memory of 2980 2864 btnbnt.exe 40 PID 2980 wrote to memory of 2488 2980 5hbhnt.exe 41 PID 2980 wrote to memory of 2488 2980 5hbhnt.exe 41 PID 2980 wrote to memory of 2488 2980 5hbhnt.exe 41 PID 2980 wrote to memory of 2488 2980 5hbhnt.exe 41 PID 2488 wrote to memory of 1256 2488 5ntbnn.exe 42 PID 2488 wrote to memory of 1256 2488 5ntbnn.exe 42 PID 2488 wrote to memory of 1256 2488 5ntbnn.exe 42 PID 2488 wrote to memory of 1256 2488 5ntbnn.exe 42 PID 1256 wrote to memory of 320 1256 thtbnh.exe 43 PID 1256 wrote to memory of 320 1256 thtbnh.exe 43 PID 1256 wrote to memory of 320 1256 thtbnh.exe 43 PID 1256 wrote to memory of 320 1256 thtbnh.exe 43 PID 320 wrote to memory of 1700 320 jdvdd.exe 44 PID 320 wrote to memory of 1700 320 jdvdd.exe 44 PID 320 wrote to memory of 1700 320 jdvdd.exe 44 PID 320 wrote to memory of 1700 320 jdvdd.exe 44 PID 1700 wrote to memory of 2636 1700 nhbtbb.exe 45 PID 1700 wrote to memory of 2636 1700 nhbtbb.exe 45 PID 1700 wrote to memory of 2636 1700 nhbtbb.exe 45 PID 1700 wrote to memory of 2636 1700 nhbtbb.exe 45 PID 2636 wrote to memory of 1048 2636 dvjvp.exe 46 PID 2636 wrote to memory of 1048 2636 dvjvp.exe 46 PID 2636 wrote to memory of 1048 2636 dvjvp.exe 46 PID 2636 wrote to memory of 1048 2636 dvjvp.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe"C:\Users\Admin\AppData\Local\Temp\008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\hhnbnb.exec:\hhnbnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\3jvvp.exec:\3jvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\xrrxlrx.exec:\xrrxlrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\ttnbnt.exec:\ttnbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\bbbtnt.exec:\bbbtnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\dppdp.exec:\dppdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\nhbnbn.exec:\nhbnbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\vvjjd.exec:\vvjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\btnbnt.exec:\btnbnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\5hbhnt.exec:\5hbhnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\5ntbnn.exec:\5ntbnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\thtbnh.exec:\thtbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\jdvdd.exec:\jdvdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\nhbtbb.exec:\nhbtbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\dvjvp.exec:\dvjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\7htttb.exec:\7htttb.exe17⤵
- Executes dropped EXE
PID:1048 -
\??\c:\7tthhn.exec:\7tthhn.exe18⤵
- Executes dropped EXE
PID:1532 -
\??\c:\bnhntt.exec:\bnhntt.exe19⤵
- Executes dropped EXE
PID:2852 -
\??\c:\7hbbbb.exec:\7hbbbb.exe20⤵
- Executes dropped EXE
PID:1320 -
\??\c:\frffflr.exec:\frffflr.exe21⤵
- Executes dropped EXE
PID:1856 -
\??\c:\5nhhhh.exec:\5nhhhh.exe22⤵
- Executes dropped EXE
PID:1380 -
\??\c:\pjppp.exec:\pjppp.exe23⤵
- Executes dropped EXE
PID:2496 -
\??\c:\5tnntn.exec:\5tnntn.exe24⤵
- Executes dropped EXE
PID:1744 -
\??\c:\1lfrxfl.exec:\1lfrxfl.exe25⤵
- Executes dropped EXE
PID:1412 -
\??\c:\5thhnt.exec:\5thhnt.exe26⤵
- Executes dropped EXE
PID:2500 -
\??\c:\frllxfr.exec:\frllxfr.exe27⤵
- Executes dropped EXE
PID:1712 -
\??\c:\rflfllr.exec:\rflfllr.exe28⤵
- Executes dropped EXE
PID:2356 -
\??\c:\jjvpp.exec:\jjvpp.exe29⤵
- Executes dropped EXE
PID:1812 -
\??\c:\9lfxrxf.exec:\9lfxrxf.exe30⤵
- Executes dropped EXE
PID:2492 -
\??\c:\pjpvd.exec:\pjpvd.exe31⤵
- Executes dropped EXE
PID:992 -
\??\c:\lfrrxrx.exec:\lfrrxrx.exe32⤵
- Executes dropped EXE
PID:2016 -
\??\c:\tnhnbb.exec:\tnhnbb.exe33⤵
- Executes dropped EXE
PID:1800 -
\??\c:\ddpvj.exec:\ddpvj.exe34⤵
- Executes dropped EXE
PID:2764 -
\??\c:\fxfrllr.exec:\fxfrllr.exe35⤵
- Executes dropped EXE
PID:2744 -
\??\c:\tnbhtt.exec:\tnbhtt.exe36⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vvppp.exec:\vvppp.exe37⤵
- Executes dropped EXE
PID:2732 -
\??\c:\1fxllll.exec:\1fxllll.exe38⤵
- Executes dropped EXE
PID:2540 -
\??\c:\tnnntt.exec:\tnnntt.exe39⤵
- Executes dropped EXE
PID:2672 -
\??\c:\bnhhtn.exec:\bnhhtn.exe40⤵
- Executes dropped EXE
PID:2700 -
\??\c:\9vvvd.exec:\9vvvd.exe41⤵
- Executes dropped EXE
PID:2536 -
\??\c:\xfxrfxf.exec:\xfxrfxf.exe42⤵
- Executes dropped EXE
PID:340 -
\??\c:\nbnnhb.exec:\nbnnhb.exe43⤵
- Executes dropped EXE
PID:2040 -
\??\c:\7vppj.exec:\7vppj.exe44⤵
- Executes dropped EXE
PID:1972 -
\??\c:\3jvpv.exec:\3jvpv.exe45⤵
- Executes dropped EXE
PID:2880 -
\??\c:\lxllxxf.exec:\lxllxxf.exe46⤵
- Executes dropped EXE
PID:2972 -
\??\c:\bbnntb.exec:\bbnntb.exe47⤵
- Executes dropped EXE
PID:3020 -
\??\c:\thtttb.exec:\thtttb.exe48⤵
- Executes dropped EXE
PID:2604 -
\??\c:\dpvpp.exec:\dpvpp.exe49⤵
- Executes dropped EXE
PID:2244 -
\??\c:\llxxffl.exec:\llxxffl.exe50⤵
- Executes dropped EXE
PID:1820 -
\??\c:\hhnnbh.exec:\hhnnbh.exe51⤵
- Executes dropped EXE
PID:1240 -
\??\c:\htnttt.exec:\htnttt.exe52⤵
- Executes dropped EXE
PID:780 -
\??\c:\jvjpv.exec:\jvjpv.exe53⤵
- Executes dropped EXE
PID:2724 -
\??\c:\xrffrrf.exec:\xrffrrf.exe54⤵
- Executes dropped EXE
PID:2224 -
\??\c:\1fllxfl.exec:\1fllxfl.exe55⤵
- Executes dropped EXE
PID:800 -
\??\c:\5bntbb.exec:\5bntbb.exe56⤵
- Executes dropped EXE
PID:1016 -
\??\c:\dvppj.exec:\dvppj.exe57⤵
- Executes dropped EXE
PID:824 -
\??\c:\rlfxfll.exec:\rlfxfll.exe58⤵
- Executes dropped EXE
PID:2004 -
\??\c:\xrfxfxl.exec:\xrfxfxl.exe59⤵
- Executes dropped EXE
PID:1928 -
\??\c:\hhbtth.exec:\hhbtth.exe60⤵
- Executes dropped EXE
PID:444 -
\??\c:\dpjdj.exec:\dpjdj.exe61⤵
- Executes dropped EXE
PID:1600 -
\??\c:\5fffxfl.exec:\5fffxfl.exe62⤵
- Executes dropped EXE
PID:1672 -
\??\c:\fxxfxxl.exec:\fxxfxxl.exe63⤵
- Executes dropped EXE
PID:1380 -
\??\c:\ttbhnn.exec:\ttbhnn.exe64⤵
- Executes dropped EXE
PID:1280 -
\??\c:\vjddp.exec:\vjddp.exe65⤵
- Executes dropped EXE
PID:2388 -
\??\c:\xxlrxfx.exec:\xxlrxfx.exe66⤵PID:2060
-
\??\c:\9lfxlrx.exec:\9lfxlrx.exe67⤵PID:1716
-
\??\c:\5nhbbt.exec:\5nhbbt.exe68⤵PID:1032
-
\??\c:\vpvdd.exec:\vpvdd.exe69⤵PID:1936
-
\??\c:\fxllrrx.exec:\fxllrrx.exe70⤵PID:2368
-
\??\c:\tntnnh.exec:\tntnnh.exe71⤵PID:1736
-
\??\c:\tnbhhh.exec:\tnbhhh.exe72⤵PID:2412
-
\??\c:\1jjpv.exec:\1jjpv.exe73⤵PID:688
-
\??\c:\pdvpp.exec:\pdvpp.exe74⤵PID:2952
-
\??\c:\xlxflff.exec:\xlxflff.exe75⤵PID:2236
-
\??\c:\bnbbhb.exec:\bnbbhb.exe76⤵PID:2384
-
\??\c:\3pjjj.exec:\3pjjj.exe77⤵PID:2736
-
\??\c:\vjvpv.exec:\vjvpv.exe78⤵PID:1584
-
\??\c:\1llfrfx.exec:\1llfrfx.exe79⤵PID:2896
-
\??\c:\bnbhbt.exec:\bnbhbt.exe80⤵PID:2768
-
\??\c:\nhhtnt.exec:\nhhtnt.exe81⤵PID:2720
-
\??\c:\dvjjp.exec:\dvjjp.exe82⤵PID:2540
-
\??\c:\lfflrfr.exec:\lfflrfr.exe83⤵PID:2672
-
\??\c:\9tnnbb.exec:\9tnnbb.exe84⤵PID:2700
-
\??\c:\btntnt.exec:\btntnt.exe85⤵PID:2344
-
\??\c:\dvppv.exec:\dvppv.exe86⤵PID:340
-
\??\c:\lfffllx.exec:\lfffllx.exe87⤵PID:3048
-
\??\c:\hnbhtb.exec:\hnbhtb.exe88⤵PID:2984
-
\??\c:\htnnbh.exec:\htnnbh.exe89⤵PID:2872
-
\??\c:\ddddv.exec:\ddddv.exe90⤵PID:2216
-
\??\c:\5rlflrx.exec:\5rlflrx.exe91⤵PID:2520
-
\??\c:\3xllrxl.exec:\3xllrxl.exe92⤵PID:2488
-
\??\c:\btnhtb.exec:\btnhtb.exe93⤵PID:1256
-
\??\c:\jddjv.exec:\jddjv.exe94⤵PID:1820
-
\??\c:\llflrfl.exec:\llflrfl.exe95⤵PID:2824
-
\??\c:\7fllrxf.exec:\7fllrxf.exe96⤵PID:780
-
\??\c:\1btbnt.exec:\1btbnt.exe97⤵PID:2100
-
\??\c:\5dpvj.exec:\5dpvj.exe98⤵PID:2224
-
\??\c:\1lflfrl.exec:\1lflfrl.exe99⤵PID:2924
-
\??\c:\llfrxlf.exec:\llfrxlf.exe100⤵PID:1532
-
\??\c:\tbnbnb.exec:\tbnbnb.exe101⤵PID:1984
-
\??\c:\9pdjj.exec:\9pdjj.exe102⤵PID:1392
-
\??\c:\xrflrxr.exec:\xrflrxr.exe103⤵PID:2076
-
\??\c:\hbtbhh.exec:\hbtbhh.exe104⤵PID:2480
-
\??\c:\7bntbh.exec:\7bntbh.exe105⤵PID:876
-
\??\c:\vpdvj.exec:\vpdvj.exe106⤵PID:2476
-
\??\c:\rrllrrx.exec:\rrllrrx.exe107⤵PID:1020
-
\??\c:\hbtbhh.exec:\hbtbhh.exe108⤵PID:1816
-
\??\c:\nntbtt.exec:\nntbtt.exe109⤵PID:632
-
\??\c:\5ppdp.exec:\5ppdp.exe110⤵PID:2060
-
\??\c:\rxrffrl.exec:\rxrffrl.exe111⤵PID:1704
-
\??\c:\btntnn.exec:\btntnn.exe112⤵PID:1032
-
\??\c:\3btbbb.exec:\3btbbb.exe113⤵PID:2356
-
\??\c:\jdvjp.exec:\jdvjp.exe114⤵PID:1632
-
\??\c:\ffxfrfr.exec:\ffxfrfr.exe115⤵PID:2024
-
\??\c:\1thbhn.exec:\1thbhn.exe116⤵PID:980
-
\??\c:\djvjp.exec:\djvjp.exe117⤵PID:2460
-
\??\c:\xlxxxfl.exec:\xlxxxfl.exe118⤵PID:2644
-
\??\c:\hhhnbh.exec:\hhhnbh.exe119⤵PID:2444
-
\??\c:\5jjvj.exec:\5jjvj.exe120⤵PID:2780
-
\??\c:\xfflxff.exec:\xfflxff.exe121⤵PID:1692
-
\??\c:\7tnnbh.exec:\7tnnbh.exe122⤵PID:2900
-